FW block rule still allowing traffic to Proxmox host

I

imothep77

New Member
Jan 16, 2023
9
1
3
Hi all,

I've been struggling with the below for the whole day.
Didn't find any related topic here, so here I am -

I have 2 Proxmox physical machines, on each one of them, I have an OpnSense VM (both Opns run in HA).
All 4 machines live in the same "management" VLAN, let's say 10.0.10.0/24.
I have defined the following rules on the MGMT interface (VLAN 10):
  1. allow any IPv4 - TCP/UDP traffic from MGMT net to OPNsense VIP on port 53 (DNS)
  2. allow any IPv4 traffic to non RFC1918+bogon networks (allow all machines on the MGMT net to access the Internet)
  3. allow any IPv4 traffic from ManagementPCs (alias) to any
  4. block IPv4+IPv6 traffic from any to any (I guess this one is not necessary, but I like to be explicit)
Now from a ManagementPC, I get the exact behaviour I want, basically, I have access to anything.
However, still on the MGMT interface, when connecting from my laptop (which receives an IP that is not listed in the Management PCs alias), I have a weird behavior related to rule 4:
  • I can ping/access the internet both 8.8.8.8 and google.com - this is expected through rules 1 and 2
  • I cannot ping any of my OpnSense VMs nor any of my other VMs for that matter - this is expected through rule 4 as I'm not a Management PC
  • BUT I still CAN ping and actually log into the web GUI of both my Proxmox hosts. Not expected.
    I'm actually trying to restrict access to my Servers web interfaces/SSH/etc, to only my Management PCs which again, my laptop is not yet.
I'm sure one of the geniuses right here can help me sort this out.

Until then, thanks for the great support and fruitful discussions here.
 
I'm not the genius you're looking for but I'm guessing that you're expecting rule #4 to block the unexpected interaction? Could it be part of the DNS port 53 rule? have you tried to deny port 53 access from your laptop IP in a temp rule?
 
Thank you for your reply.
And yes, I'm expecting rule #4 to be denying anything that is not allowed.
I tried the temporary deny rule on all ports - although the port I'm trying to reach (or get denied on) is tcp 8006 - same result
 
I finally run VLANS for my smart devices and IP cameras and came up against the same problem connecting a computer to either VLAN.
Followed YouTube how to videos, copied the same Aliases LAN to Block then open UDP/TCP 53, and listed in the right order

I found Truenas would be blocked on the network but Proxmox and Plex are still accessible, even though OPNsense had all subnets blocked.
After hours and hours of playing around I found you need to block the whole 0/24 network again by firewall rules like this.

Action Block
Interface VLAN X
Direction IN
Protocol ANY
Source VLAN X
Destination, Single Host or Network, then add 192.xxx.xxx.0 /24
or whatever the LAN you want to block.

I added this to top of the list and works fine. I can't access anything on that network from the IP camera Vlan and my phone still see the cameras on a Cell Network.

Save and test
 
Last edited:
Brisie said:
I finally run VLANS for my smart devices and IP cameras and came up against the same problem connecting a computer to either VLAN.
Followed YouTube how to videos, copied the same Aliases LAN to Block then open UDP/TCP 53, and listed in the right order

I found Truenas would be blocked on the network but Proxmox and Plex are still accessible, even though OPNsense had all subnets blocked.
After hours and hours of playing around I found you need to block the whole 0/24 network again by firewall rules like this.

Action Block
Interface VLAN X
Direction IN
Protocol ANY
Source VLAN X
Destination, Single Host or Network, then add 192.xxx.xxx.0 /24
or whatever the LAN you want to block.

I added this to top of the list and works fine. I can't access anything on that network from the IP camera Vlan and my phone still see the cameras on a Cell Network.

Save and test
Click to expand...
After further testing I'm not sure why if this rule isn't at the top, it won't work. I put it bellow open ports for the cams to work and for some reason it can get access to Plex and Proxmox , but as long as the rule is on top, I can't access either
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom