Hello.
I am currently in the process of getting Proxmox up and running to host a VM server to replace my ancient Atom based file/plex/deluge/nextcloud server.
I have Proxmox up and running ok and a few bits and pieces set up on the VM to host my new server, but I'm having a few issues related to the firewall that I think are related to what PVE is doing over and above what appears in the Datacenter firewall settings.
To begin with, I enabled the firewall on my host and in the VM (as well as on its network interface) and finally (after ssh-ing into the host in case things went pear shaped) in the datacenter.
Initially, nothing really seemed to have changed.
I can still web browse to the UI (which I DON'T think should be possible, more on that in a minute) and can still ssh in to the host with a new session.
I then discovered that it had changed something. I can no longer ssh to the VM, nor can I ping either the VM or the host.
No problem, I thought. I can add my desktop PC to the firewall to allow it access to everything, but I've just hit a brick wall.
My Proxmox machine is currently on a different subnet (behind a Mikrotik mAP which is connected to my main wifi; I don't have a hard wired connection, though I will be running in cabling soon).
It's just set up as a straight bridge on the access point, and communications are absolutely fine with the PVE firewall disabled so I don't think that particular setup has anything to do with the issues I'm having. The reason I've done it that way instead of just assigning PVE to the same subnet is so I can make sure I can enable access for whatever remote IPs I want before everything is live.
The issue I'm facing is that when I try to enable a firewall rule for my desktop pc, it doesn't seem to have any effect.
As I said above, strangely, I can still browse to the web ui and ssh in to the host, despite my desktop being on a 10.10.10.0/23 subnet while the PVE host is on 10.10.20.0/24 subnet, but I can't ping or ssh to the VM, nor can I ping the host.
I also wanted to disable access to the web UI for everything except the specific machines I was going to use, but dropping or rejecting port 8006, even at the bottom of a list that has an accept rule for 10.10.10.15 (my desktop), just completely blocks the web UI for everything.
I have also attempted to block access to a different specific IP address (namely my phone) again as a test but even this has no effect. Even with my phone's IP address blocked with a reject rule, I can still browse to the web ui.
I'm no networking expert, but I've been using iptables for years (usually set up via Mikrotik's RouterOS) and have never had to delve too much into it as it generally just works, but there's obviously something I'm doing wrong here.
Here is my /etc/firewall/cluster.fw file.
As you can see, there's not much in there. Essentially I first want to enable free access for my desktop PC before I start locking things down so I'm sure I'll be able to fix things if something doesn't work.
[OPTIONS]
enable: 0
policy_in: REJECT
[IPSET local-net] # Local
10.10.10.0/23
[IPSET remote-vpn-net] # Remote
10.8.0.0/24
[RULES]
# rules are evaluated top to bottom; a leading '|' marks a rule as disabled
IN REJECT -source 10.10.10.45 -log nolog
IN ACCEPT -source 10.10.10.15 -log nolog
|IN DROP -p udp -dport 8006 -log nolog
|IN DROP -p tcp -dport 8006 -log nolog
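As an added example (not the poster's file and not from the Proxmox project), here is a cluster.fw that does what the post describes wanting: the datacenter firewall turned on, the desktop at 10.10.10.15 allowed to everything, and the web UI and SSH limited to a management IPSET. The IPSET contents and the choice of DROP as the default input policy are assumptions; adjust them to the real hosts.

```ini
# Added example, not the poster's configuration. IPSET membership and
# the DROP default policy are assumptions for illustration.
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET management] # hosts allowed to reach the web UI and SSH
10.10.10.15
10.8.0.0/24

[IPSET local-net] # Local
10.10.10.0/23

[RULES]
# Rules are matched top to bottom and the first matching rule wins,
# so the unrestricted rule for the desktop goes first.
IN ACCEPT -source 10.10.10.15 -log nolog
# Management ports only from the management IPSET. An IPSET is
# referenced with a leading '+'. SSH and Ping are built-in macros.
IN ACCEPT -source +management -p tcp -dport 8006 -log nolog
IN SSH(ACCEPT) -source +management -log nolog
IN Ping(ACCEPT) -source +local-net -log nolog
# Anything not matched above falls through to policy_in (DROP), so no
# explicit deny rule for port 8006 is needed. A leading '|' on a rule
# line disables that rule.
```

Before relying on it, run `pve-firewall compile` to print the rules PVE would generate from this file, and `pve-firewall localnet` to see the auto-detected local_network alias, since PVE accepts management traffic from that network by default regardless of the rules above. The node's host.fw and the VM's own firewall each need `enable: 1` in their [OPTIONS] as well; the datacenter file alone does not enable them.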