Change proxmox WebUI access from WAN to LAN

Bohem
Apr 18, 2024
Hello,
I'm a long-time observer, and today I'm the one posting :)

I currently have several Proxmox cluster instances running on OVH Cloud (BareMetal) using the OVH auto-install for Proxmox 8.

My issue is that with this installation, I access the Proxmox WebUI (so the complete cluster) using the public IP provided by OVH.

I've tried to configure the WebUI to be accessible only on a LAN IP and not accessible from the WAN, but I haven't been successful in setting this up (resulting in multiple reinstallation attempts due to locking myself out of the test environment).

Since some of my Proxmox nodes are in production, reinstalling them is not an option.

How can I block access from the WAN while setting up access on a LAN IP?

Additionally, is there a way to completely block PAM root account from connecting to the WebUI?


Thank you in advance.
(If anyone can assist and prefers to communicate in French, I would appreciate responses in French.)
Enable the firewall at datacenter level.
The default rules will block access to the web GUI except from the same subnet.
Then add fixed IPv4 addresses as allowed sources, as failsafe access if the LAN isn't accessible.

edit: the cluster is already on the LAN side, isn't it?

(Writing in your own language would save time and avoid many comprehension problems, but the audience would suffer.)
Hello,
Do you have examples of rules that I should create? I'm not familiar with Proxmox Firewall, and I don't want to lock myself out since this configuration also needs to be deployed in a production environment.
Would this rule prevent Proxmox from accessing the internet for updates, etc.?
 
Hi,
Maybe you could manage PVE through a VPN such as WireGuard, for example?

1/ Just install the WireGuard script on your PVE: https://github.com/angristan/wireguard-install
2/ Generate a new VPN client config
3/ Install the Windows/Linux WireGuard client on your PC
4/ Copy the VPN config from your server to your VPN client and verify you can reach the GUI over your VPN
5/ Create some rules at DC level in the GUI and directly in /etc/pve/firewall/cluster.fw (COPY THEM INTO THE HOST FW ANYWAY... if not, you will lose management of your Proxmox), e.g. in /etc/pve/firewall/cluster.fw:

[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -i vmbr0 -p tcp -dport 22 -log nolog # ssh (you can change this tcp port; this is the port you set up when installing ssh on your server)
IN ACCEPT -i vmbr0 -p udp -dport 61002 -log nolog # wireguard (you can change this udp port; this is the port you set up when installing wireguard on your server)
IN ACCEPT -i vmbr0 -p tcp -dport 8006 -log nolog # proxmox_gui
OUT ACCEPT -p tcp -dport 25 -log nolog # sendmail

After creating these minimum rules, start the 2 firewalls, connect with your VPN and modify this rule, adding 10.XX.XX.0/24 (the internal source address range of your WireGuard VPN) IN THE 2 FIREWALLS. So replace:

IN ACCEPT -i vmbr0 -p tcp -dport 8006 -log nolog # proxmox_gui
by
IN ACCEPT -i vmbr0 -source 10.XX.XX.0/24 -p tcp -dport 8006 -log nolog # proxmox_gui (do not forget to save the change)

6/ Create all the rules you need to manage other ports directly inside the VPN (e.g. for docker, webmin, and so on...)
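Both replies above come down to the same two checks before enabling the firewall: no management port (22 or 8006) should be accepted without a -source restriction, and there must be a failsafe inbound rule (SSH or the VPN port) so that enabling the firewall does not lock you out. The following script is an added example, not Proxmox tooling and not code from either poster: it parses a cluster.fw/host.fw-style rule file and reports both conditions. The sample file, the 10.10.10.0/24 VPN subnet and the 61002 WireGuard port are constructed for the demo; it only reads the text format and never talks to pve-firewall.

```python
"""Audit a Proxmox VE firewall rule file (cluster.fw / host.fw text format)
for management ports accepted from any source and for lockout conditions
(firewall enabled without an inbound rule for SSH or the VPN port, or a
-source that still contains a template placeholder).

Added example, not Proxmox's own tooling. Sample data below is constructed."""
import ipaddress
import re

# Constructed sample in the same shape as the rules posted in the thread.
SAMPLE_FW = """\
[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -i vmbr0 -p tcp -dport 22 -log nolog # ssh
IN ACCEPT -i vmbr0 -p udp -dport 61002 -log nolog # wireguard
IN ACCEPT -i vmbr0 -p tcp -dport 8006 -log nolog # proxmox_gui, open to WAN
IN ACCEPT -i vmbr0 -source 10.10.10.0/24 -p tcp -dport 8006 -log nolog # gui via vpn
OUT ACCEPT -p tcp -dport 25 -log nolog # sendmail
"""

# Ports that should only be reachable from a restricted -source.
MANAGEMENT_PORTS = {"22": "ssh", "8006": "proxmox_gui"}
# Rule options that take a value in the Proxmox rule syntax.
VALUE_OPTS = {"-i", "-source", "-dest", "-p", "-dport", "-sport", "-log",
              "-icmp-type"}


def parse_fw(text):
    """Return (options, rules): options as a dict of the [OPTIONS] keys,
    rules as a list of dicts with 'dir', 'action' and each -option value
    keyed without its dash. Disabled (|-prefixed) rules and GROUP references
    are skipped; macro ports (e.g. SSH(ACCEPT)) are not expanded."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("|"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "RULES":
            toks = line.split()
            if len(toks) < 2 or toks[0].upper() == "GROUP":
                continue
            act = toks[1].upper()
            mm = re.fullmatch(r"(\w+)\((\w+)\)", act)  # macro form MACRO(ACTION)
            rule = {"dir": toks[0].upper(), "action": mm.group(2) if mm else act}
            if mm:
                rule["macro"] = mm.group(1)
            i = 2
            while i < len(toks):
                if toks[i] in VALUE_OPTS and i + 1 < len(toks):
                    rule[toks[i][1:]] = toks[i + 1]
                    i += 2
                else:
                    i += 1
            rules.append(rule)
    return options, rules


def exposed_management_rules(rules):
    """Inbound ACCEPT rules for a management port with no -source: they admit
    every address on the interface, i.e. the WebUI-on-public-IP situation."""
    return [r for r in rules
            if r["dir"] == "IN" and r["action"] == "ACCEPT"
            and r.get("dport") in MANAGEMENT_PORTS and "source" not in r]


def lockout_risks(options, rules, vpn_port="61002"):
    """Ways this file would cut off remote administration once enabled."""
    if options.get("enable") != "1":
        return []  # nothing is enforced yet
    risks = []
    accepted = {r.get("dport") for r in rules
                if r["dir"] == "IN" and r["action"] == "ACCEPT"}
    if "22" not in accepted and vpn_port not in accepted:
        risks.append("enable: 1 but no inbound ACCEPT for ssh (22) or the "
                     f"VPN port ({vpn_port}); enabling will lock you out")
    for r in rules:
        src = r.get("source")
        if not src:
            continue
        for part in src.split(","):
            # Aliases and IP sets (+name) are resolved by Proxmox, not checked here.
            if part.startswith("+") or part[0].isalpha():
                continue
            try:
                ipaddress.ip_network(part, strict=False)
            except ValueError:
                risks.append(f"-source {part!r} on dport {r.get('dport')} is "
                             "not a valid network (template placeholder left in?)")
    return risks


def audit(text, vpn_port="61002"):
    """Run both checks; returns the exposed dports and the lockout risks."""
    options, rules = parse_fw(text)
    return {"exposed": sorted(r["dport"] for r in exposed_management_rules(rules)),
            "risks": lockout_risks(options, rules, vpn_port)}


if __name__ == "__main__":
    result = audit(SAMPLE_FW)
    print("management ports accepted without -source:", result["exposed"])
    print("lockout risks:", result["risks"])
```

On the sample file the audit reports 22 and 8006 as accepted without a source restriction (the SSH rule is the failsafe the first reply recommends keeping, so judge it per your setup), and no lockout risk because SSH and the WireGuard port are both accepted. Replacing the VPN subnet with the literal 10.XX.XX.0/24 from the template, or removing both failsafe rules while leaving enable: 1, is reported as a risk before the file is put in place.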