Hi, your precious help and knowledge are needed!
I have a bare metal server at Hetzner. After dedicating a new IP to a Windows VM (separate MAC address and DHCP activated) to build a Windows server farm, it is actually impossible to access the proxy server inside the VM from outside, and also impossible to connect to the Internet from the VM. This issue happens only when the Datacenter firewall and host firewall are activated. If I deactivate them and restart Proxmox, no problem. Of course, this problem seems to be related to (bad/lack of) firewall rules.
On this server I also have an NPM reverse proxy running fine for the other VMs/containers on the same bridge vmbr1.
Here is my Proxmox network config:
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

iface eno1 inet manual

iface eno2 inet manual

iface enx02b70b977f97 inet manual

auto vmbr0
iface vmbr0 inet static
    address XX.XX.XX.XXX/26
    gateway XX.XX.XX.XXX
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
#WAN

iface vmbr0 inet6 static
    address 2a01:4f9:3081:4244::2/64
    gateway fe80::1

auto vmbr1
iface vmbr1 inet static
    address ZZ.ZZ.50.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up iptables -t nat -A POSTROUTING -s 'ZZ.ZZ.50.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s 'ZZ.ZZ.50.0/24' -o vmbr0 -j MASQUERADE
#LAN

iface vmbr1 inet6 static
    address 2a01:4f9:3081:4244:1::1/80
    #APP1
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to ZZ.ZZ.50.100:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to ZZ.ZZ.50.100:80
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to ZZ.ZZ.50.100:443
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to ZZ.ZZ.50.100:443
    #APP2
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 5060 -j DNAT --to ZZ.ZZ.50.105:5060
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 5060 -j DNAT --to ZZ.ZZ.50.105:5060
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -m multiport --dport 17100:18100 -j DNAT --to ZZ.ZZ.50.105
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp -m multiport --dport 17100:18100 -j DNAT --to ZZ.ZZ.50.105
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
And my Windows VM network config, obtained via DHCP after adding the Hetzner MAC address, is of course using the same gateway XX.XX.XX.XXX as vmbr0.
Everything is OK, except when activating the Datacenter firewall and host firewall.
I also have a second network card attached to vmbr1 to deliver local services (RDP).
1/ What I do not understand: in this config, this Windows VM has to be seen as a separate layer 2 installation, as if directly connected to the Hetzner DHCP server... so why does starting the DC firewall impact that VM?
2/ In these conditions, how can I also NAT ports 80, 443, and some others to this VM, as there is no specific bridge relative to this VM in my bridged network config?
3/ If you have any suggestion to run this VM behind an activated DC firewall, please feel free to explain it to me. I'm starting out.
Thanks for your efforts!
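An added example for this thread (not code from the original post or from Proxmox): a small audit script for the ifupdown stanza layout used in the config above. It parses the `post-up`/`post-down` hooks of each `iface` stanza, lists every DNAT port-forward (ingress interface, protocol, port, target guest) so you can see exactly what the host exposes independently of the Proxmox firewall, and flags any `post-up` rule that has no mirrored `post-down`, which would leave stale NAT entries behind after an `ifdown`/`ifup` cycle. The addresses in `SAMPLE_INTERFACES` are constructed placeholders, not the poster's real ones, and one `post-down` is deliberately omitted to show what the check reports.

```python
"""Audit ifupdown post-up/post-down iptables hooks in an
/etc/network/interfaces-style file (the layout used in the post above).

Added example for this thread, not code from the original post or from
Proxmox. Addresses in SAMPLE_INTERFACES are constructed placeholders.
"""
import shlex
from collections import defaultdict

# Constructed sample in the same shape as the post's config (placeholder addresses).
SAMPLE_INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    address 203.0.113.10/26
    gateway 203.0.113.1
    bridge-ports eno1

auto vmbr1
iface vmbr1 inet static
    address 10.50.50.1/24
    bridge-ports none
    post-up iptables -t nat -A POSTROUTING -s '10.50.50.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.50.50.0/24' -o vmbr0 -j MASQUERADE
    #APP1
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.50.50.100:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.50.50.100:80
    #APP2: post-down deliberately omitted to show what the audit reports
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -m multiport --dport 17100:18100 -j DNAT --to 10.50.50.105
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
"""


def parse_hooks(text):
    """Map each iface stanza to its post-up / post-down commands (as argv lists)."""
    hooks = defaultdict(lambda: {"post-up": [], "post-down": []})
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "iface":
            current = words[1]  # stanza name, e.g. vmbr1
        elif words[0] in ("post-up", "post-down") and current is not None:
            # shlex strips the quotes around '10.50.50.0/24' the way the shell would
            hooks[current][words[0]].append(shlex.split(line)[1:])
    return dict(hooks)


def _opt(argv, *names):
    """Value following the first option in `names`, or None if absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def dnat_forwards(hooks):
    """(stanza, ingress iface, proto, dport, target) for every DNAT post-up rule."""
    found = []
    for stanza, h in hooks.items():
        for argv in h["post-up"]:
            if _opt(argv, "-j") != "DNAT":
                continue
            found.append((stanza, _opt(argv, "-i"), _opt(argv, "-p"),
                          _opt(argv, "--dport", "--dports"),
                          _opt(argv, "--to", "--to-destination")))
    return found


def missing_post_down(hooks):
    """post-up rules whose -A/-I has no mirrored -D among the stanza's post-down hooks."""
    problems = []
    for stanza, h in hooks.items():
        downs = {" ".join(a) for a in h["post-down"]}
        for argv in h["post-up"]:
            expected = " ".join("-D" if t in ("-A", "-I") else t for t in argv)
            if expected not in downs:
                problems.append((stanza, " ".join(argv)))
    return problems


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_INTERFACES)
    for fwd in dnat_forwards(hooks):
        print("forward: stanza=%s in=%s %s/%s -> %s" % fwd)
    for stanza, rule in missing_post_down(hooks):
        print("no post-down for [%s]: %s" % (stanza, rule))
```

To run it against a real host, read `/etc/network/interfaces` into `parse_hooks` instead of the sample. Note that it only covers what ifupdown installs; rules added by pve-firewall when the Datacenter or host firewall is enabled live in their own chains and are not visible here, which is why `iptables-save` on the host is the next thing to compare against.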