Hello communiity,
Im not sure if this problem is related to pve or rather to opnsense but I assume the issue is a routing problem on the pve host.
I git a dedicated server from Hetzner, an additional /56 IPv6 subnet, and am trying to setup proxmox and an opnsense firewall as a VM on it.
I have trouble with the network config. The environement uses only IPv6. I setup the hosts network interfaces in routed mode as described in this
guide.
Everything works accept that opening the firewall for incoming (tcp and icmp) traffic to hosts in OPNsense LAN nets does not work.
My subnets are:
OPNsense WAN address:
The `/etc/network/interfaces` file of the pve host is:
The gateway for OPNsense WAN interface is
VMs having the vmbr1 or 2 interfaces attached get ipv6 addresses via router advertisement and can reach the internet.
I set up an IPsec tunnel from the OPNsense on the proxmox host to a OPNsense in my home network and it works. Well it uses udp (esp).
I tried to reach host behind the OPNsense via udp which also works.
Open Ports on the WAN interface works: I can reach the WebUI opening 443/tcp.
What not works is icmpv6 and tcp from outside to hosts in OPNsense' MGMT and DMZ networks.
I setup firewall rules on the OPNsense' WAN interface such that a host in the DMZ network can be rached via icmp and 80/tcp.
But it doesn't work. A
A tcpdump on the pve host while doing the port scan shows:
which says the cksum is incorrect? So I assume this is a routing problem on the proxmox host? The traffic reaches the VM but routes the traffic to the wrong
IP?
In addition the OPNsense logs show that the traffic is blocked going out of the DMZ interface:
I tried any rules from and to the host but nothing helped.
Hope somebody can help.
Im not sure if this problem is related to pve or rather to opnsense but I assume the issue is a routing problem on the pve host.
I git a dedicated server from Hetzner, an additional /56 IPv6 subnet, and am trying to setup proxmox and an opnsense firewall as a VM on it.
I have trouble with the network config. The environement uses only IPv6. I setup the hosts network interfaces in routed mode as described in this
guide.
Everything works accept that opening the firewall for incoming (tcp and icmp) traffic to hosts in OPNsense LAN nets does not work.
My subnets are:
Code:
- 2a01:dead:beef:1ecb::/64
- 2a01:dead:beef:bc00::/56OPNsense WAN address:
2a01:dead:beef:bccc::1The `/etc/network/interfaces` file of the pve host is:
Code:
# IPv6 subnet: 2a01:dead:beef:1ecb::/64
# IPv6 subnet: 2a01:dead:beef:bc00::/56
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto enp0s31f6
iface enp0s31f6 inet6 static
address 2a01:dead:beef:1ecb::2/128
address 2a01:dead:beef:bccc::2/128
gateway fe80::1
post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
auto vmbr0
iface vmbr0 inet6 static
address 2a01:dead:beef:bccc::3/64
bridge-ports none
bridge-stp off
bridge-fd 0
bridge-mcsnoop 0
up ip route add 2a01:dead:beef:bc00::/56 via 2a01:dead:beef:bccc::1 dev vmbr0
#WAN
auto vmbr1
iface vmbr1 inet6 manual
bridge-ports none
bridge-stp off
bridge-fd 0
bridge-mcsnoop 0
#MGMT(1)
auto vmbr2
iface vmbr2 inet6 manual
bridge-ports none
bridge-stp off
bridge-fd 0
bridge-mcsnoop 0
#DMZ(60)The gateway for OPNsense WAN interface is
2a01:dead:beef:bccc::3VMs having the vmbr1 or 2 interfaces attached get ipv6 addresses via router advertisement and can reach the internet.
I set up an IPsec tunnel from the OPNsense on the proxmox host to a OPNsense in my home network and it works. Well it uses udp (esp).
I tried to reach host behind the OPNsense via udp which also works.
Open Ports on the WAN interface works: I can reach the WebUI opening 443/tcp.
What not works is icmpv6 and tcp from outside to hosts in OPNsense' MGMT and DMZ networks.
I setup firewall rules on the OPNsense' WAN interface such that a host in the DMZ network can be rached via icmp and 80/tcp.
But it doesn't work. A
nmap -6 -p 80 2a01:dead:beef:bc06:be24:11ff:fede:ca28 shows:
Code:
Host is up.
PORT STATE SERVICE
80/tcp filtered httpA tcpdump on the pve host while doing the port scan shows:
Code:
root@pve:~# tcpdump -i vmbr2 -nn -s0 -v port 80
tcpdump: listening on vmbr2, link-type EN10MB (Ethernet), snapshot length 262144 bytes
23:48:58.497449 IP6 (flowlabel 0x80000, hlim 52, next-header TCP (6) payload length: 44) 2001:dead:beef:c902:d4dd:b8f2:b30f:b29c.61312 > 2a01:dead:beef:bc06:be24:11ff:fede:ca28.80: Flags [SEW], cksum 0x5669 (correct), seq 2289302794, win 65535, options [mss 1432,nop,wscale 6,nop,nop,TS val 1462454681 ecr 0,sackOK,eol], length 0
23:48:58.497625 IP6 (flowlabel 0x01440, hlim 64, next-header TCP (6) payload length: 40) 2a01:dead:beef:bc06:be24:11ff:fede:ca28.80 > 2001:dead:beef:c902:d4dd:b8f2:b30f:b29c.61312: Flags [S.E], cksum 0xca24 (incorrect -> 0x0995), seq 3728896784, ack 2289302795, win 65232, options [mss 1220,sackOK,TS val 4052557161 ecr 1462454681,nop,wscale 7], length 0which says the cksum is incorrect? So I assume this is a routing problem on the proxmox host? The traffic reaches the VM but routes the traffic to the wrong
IP?
In addition the OPNsense logs show that the traffic is blocked going out of the DMZ interface:
Code:
<134>1 2025-09-22T22:53:34+02:00 gw.lan filterlog 10488 - [meta sequenceId="62"] 135,,,1f8ca48f0e7be14111e6b0a1fd7e41a0,vtnet2,match,block,in,6,0x00,0xe9f82,64,tcp,6,40,2a01:dead:beef:bc06:be24:11ff:fede:ca28,2001:dead:beef:c902:d4dd:b8f2:b30f:b29c,80,61359,0,SAE,2413773689,403407864,65232,,mss;sackOK;TS;nop;wscaleI tried any rules from and to the host but nothing helped.
Hope somebody can help.
Last edited: