[SOLVED] GUI only on LAN, but Proxmox able to reach internet

F

FStefanni

New Member
Jul 14, 2024
5
0
1
Hi,

I am trying to reach the following configuration:
  • Proxmox able to reach internet through the WAN (vmbr0) (I have a ISP modem) on a NIC (enp10s0), but without exposing the GUI or SSH (for better security)
  • An internal LAN (vmbr1) on another NIC (enp5s0), on which Proxmox exposes the SSH and GUI
I have tried various configs, but nothing worked.
I am able to expose Proxmox on the LAN, and the VM's in the lan and the computer attached to enp5s0 are able to reach internet.
But I am unable to hide Proxmox on WAN, or if I remove it from WAN, it no more reaches internet.

I also tried to expose Proxmox on WAN, and then block access by using its firewall, but I failed (maybe I missed something...)

Any hint please?

Regards
 

Attachments

  • screen.png
    screen.png
    32.2 KB · Views: 3
Judging by the screenshot and the labels, you are going to install an OPNsense-VM on this server, so why not use that same OPNsense-VM to give proxmox internet?

Remove the IP and default-gateway from vmbr0.
Configure Opnsense on a VM with vmbr0 and vmbr1 (check the MAC-addresses so you assign the right port to LAN and WAN) with the LAN-IP of 192.168.2.1
On vmbr1 set the default gateway to 192.168.2.1 (and keep the 192.168.2.2/24 as the IP)
Done, not reachable on vmbr0 directly, can reach the internet as long as the OPNSense-VM is running properly, OPNSense can reach the internet through the vmbr0
 
  • Like
Reactions: FStefanni
Hi,

thank you for the reply.
Yes you are correct, I have already configured OPNSense, and it works perfectly with VM's and the PC attached to enp3s0 (vmbr1).

And yes, I was missing (I did not think to) to set the default gateway on vmbr1!
So your solution works fine. For me it is good enough to reach internet throw OPNSense only.

I wonder if there is also a solution for reaching internet directly, to avoid relying on OPNSense...

Thank you.
 
There is, yes, which is basically what you were already trying (but somewhere went wrong), with setting up an IP and default-gateway on the vmbr0 side and then using the proxmox-firewall to block things going to that IP except if asked for.
Do note though that proxmox and the OPNSense can't share the same IP on the wan-side, so you'd have to have 2 or more IP's available on your modem to assign to proxmox and opnsense seperately.

If you want to give it another go though, a few tips:
Make sure to not set up 2 default gateways (it should probably block you anyway, but just in case)
First create a rule to always allows 8006 in general before you turn the firewall on (know that you need to turn it on on both node/server and cluster-level (even if you don't have a cluster), and by default node/server is on and cluster is off, and to use the firewall on a VM-port you also need to turn it on there as well.)
Only after that start trying to get port 22 (SSH) and the ICMP-Protocol blocked on one IP but not on the other, before you turn off the "always allow 8006" rule, just to save yourself some hassle.
 
Hi,

thank you for the tips.
I am trying another shot with the firewall.
These is my config in the images.

It still does not works... I do not understand why...

Regards
 

Attachments

  • screen2.png
    screen2.png
    17 KB · Views: 2
  • screen3.png
    screen3.png
    18.3 KB · Views: 2
And you went to <Datacenter> (1) (note, datacenter, the very very top option in the left list, not the server that is just below it) -> Firewall (2) -> Options (3) -> Turn the firewall (5) on there and turned the input-policy (4) to accept too, to not lock yourself out with having just that one rule in there?
By default (with Input-policy set to to drop), it blocks all incomming traffic already, so no rule needed for that, what you DO need a rule for so for you to be still be able to reach the server itself.
 

Attachments

  • firewall.png
    firewall.png
    39.2 KB · Views: 5
Last edited:
Hi,

yeah that was the issue! I did not see that flag.
So I have to be very careful if i turn it on.
Maybe I will try.
Actually, since there is a "hidden" rule allowing ssh and dashboard access, maybe we cannot override them (to block on wan).

So at the moment, I will probably go with the OPNSense workaround (I am not sure enough to not cut me out LOL!).

Thank you for your help.
Regards
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back