Change WebGUI interface

[Dr.A.Colian]

Hey guys,

I've searched quite a while, but haven't found anything on that quite specific topic, so hopefully you can enlighten me.

It seems, the WebGUI of Proxmox is only accesible via vmbr0. Is there any way to change that? I have 4 LAN Ports at the Server. One is supposed to be for WAN/Internet (vmbr0), one for the LAN (vmbr1), one for my WIFI APs (vmbr2), and one for my servers and network stuff (vmbr3).

Right now, the WebGUI runs on vmbr0 and gets its IP from my Fritz!Box (192.168.50.X), which is not really my preferred constellation. I'd like to have it on vmbr3 / (IP 192.168.30.X / VLAN 300). Any chance I can reconfigure? Everytime I tried to set the IP Adress of a different vmbr, proxmox is no longer reachable, or my whole setup is "gone".

On PVE a pfSense VM is running connecting all the VLANs and providing DHCP servers.

Any ideas, what to do?

Thanks in advance.

 

[Dunuin]

The webUI will run on all bridges you give a IP. If you want it to be on vmbr1, you can remove the IP from vmbr0 and add it to vmbr1 instead. You can also give different bridges an IP so the webUI is accessiable from different networks. But keep in mind that a host shouldn't use two IPs of the same subnet. So in case you want to give your PVE host multiple IPs they should all be using different subnets, so you need a way more complex network layout.
If you need a IP on a bridge bot don't want that the webUI is accessible on that IP you could create a datacenter level or node level firewall rule to block the SSH port and port 8006 for that IP.

The output of a cat /etc/network/interfaces would be helpful.

 

[Dr.A.Colian]

Hey Dunuin,

I just want the PVE webgui to be reached from vmbr3 with IP 192.168.30.7 and VLAN 300. I guess, the problem comes with the VLAN. I can give the IP in Range 30.X, but there is no VLAN 300 tag. As all other devices communicated on VLAN 300, but the vmbr3-webgui "doesn't know" about the VLAN, it won't be able to talk to the rest of my network. vmbr0 is actual without VLAN otherwise the webgui is also not accesible.

Here the contents of /etc/network/interfaces

auto lo
iface lo inet loopback

iface enp39s0 inet manual

iface enp38s0 inet manual

auto enp36s0f0
iface enp36s0f0 inet manual

iface enxb200ea78b885 inet manual

auto enp36s0f1
iface enp36s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.50.20/24
        gateway 192.168.50.10
        bridge-ports enp39s0
        bridge-stp off
        bridge-fd 0
#WAN

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp36s0f1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#LAN

auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp38s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#WLAN

auto vmbr3
iface vmbr3 inet manual
        bridge-ports enp36s0f0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#Server

Best regards

 

[Dunuin]

Try something like:

auto lo
iface lo inet loopback

iface enp39s0 inet manual

iface enp38s0 inet manual

auto enp36s0f0
iface enp36s0f0 inet manual

iface enxb200ea78b885 inet manual

auto enp36s0f1
iface enp36s0f1 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp39s0
        bridge-stp off
        bridge-fd 0
#WAN

auto vmbr1
iface vmbr1 inet manual
        bridge-ports enp36s0f1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#LAN

auto vmbr2
iface vmbr2 inet manual
        bridge-ports enp38s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#WLAN

auto vmbr3
iface vmbr3 inet manual
        bridge-ports enp36s0f0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#Server

auto vmbr3.300
iface vmbr3.300 inet static
        address 192.168.30.X/24
        gateway 192.168.30.YourPfsenseIP
#VLAN interface VLAN300 for PVE

That way PVE should listen from VLAN 300 over vmbr3 on IP 192.168.30.X and use your pfsense as the gateway.
In case you don't want PVe to use the pfsense as the gateway and continue to use the fritzbox as the gateway you could keep the gateway and IP on vmbr0 and just block the ports using the PVE node/datacenter firewall.

But make sure to not lock you out and have access to the physical console to fix stuff.

 

[Dr.A.Colian]

Try something like:

auto lo
auto vmbr3.300
iface vmbr3.300 inet static
        address 192.168.30.X/24
        gateway 192.168.30.YourPfsenseIP

Thanks alot - that was my missing idea. Just did it, and it worked great. Sometimes you just have to ask in order to understand.

Now, I'm happy.

 

[Dunuin]

Don't forget to remove the IP and gateway from vmbr0 so you don't got two gateways and your management stuff isn't on the WAN subnet.
And don't forget to edit the /etc/resolv.conf to point to your 192.168.30.YourPfsenseIP as the DNS server in case you previously used your Fritzbox for that.

 

[Dr.A.Colian]

Don't forget to remove the IP and gateway from vmbr0 so you don't got two gateways and your management stuff isn't on the WAN subnet.
And don't forget to edit the /etc/resolv.conf to point to your 192.168.30.YourPfsenseIP as the DNS server in case you previously used your Fritzbox for that.

Did that already, but thanks for the reminder.