Leveling up knowledge - Proxmox FW

m3m

New Member
Feb 21, 2023
So I have been learning Proxmox for the past 6 months and have decided to learn how the FW works. I read through the basic manual and watched a few tutorials online. Everything seemed easy to configure, but I have run into a problem that is frustrating me to no end.

So, to start at the beginning: I am using a Dream Machine SE as fw/gw, three Proxmox nodes, and two virtual Pi-holes for DNS (the UDM points to them). FW at the VM level is off, FW at the host level is on, as well as at the DC level. Now when the FW at the DC level is enabled, enabling the host FW stops all DNS activity. I can ping IPs but cannot ping hostnames nor ping internet URLs. So I started down the rabbit hole trying to figure out at what level a DNS rule needs to be, BUT no matter where it is added the rule does not work correctly. Am I going at this all wrong? I thought I understood how the FW hierarchy works, but I am missing something.

The whole goal is to lock down access to the web GUI and SSH so only my desktop and laptop have access, then control the VM access with the VM's internal FW. I understand that when enabling the FW at the DC level I will have to add additional rules for other things like VNC, SPICE, rpcbind, corosync and so on. But I want to figure out the DNS problem first. Where did I go wrong?
 
It would certainly be helpful if you could share those rules of yours. Probably there's an issue with them.
 
My apologies for such a slow response. Life likes to get in the way sometimes.

The FW is currently disabled (pve-firewall compile shows empty), but here is a screenshot of the cluster FW rules and one of the node FW rules I was testing. I tested opening DNS wide open.

Cluster-FW
(screenshot 1677712390013.png, not reproduced)

Node1-FW - All other nodes have the same rules in place.
(screenshot 1677712436098.png, not reproduced)

Now I'm really trying to understand the concept of how this works. If I can get the DNS worked out I can work on locking down access.
 
What's your default out policy (datacenter->firewall->options)?
If you're unsure about the firewall, I would recommend you start by disabling all rules and enabling them one by one, until it stops working : )

I don't quite understand what your nodes should be able to access.
If all nodes use the same rules, you can put them in the cluster FW. A rule in the cluster FW is the same as setting that rule on every node.
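As an added example that is not the thread's own configuration, here is a minimal datacenter-level file in the format pve-firewall reads from /etc/pve/firewall/cluster.fw. It does what the original post describes (management access to the nodes only from a desktop and a laptop, the nodes still able to resolve names through the two Pi-holes) while keeping the rules in one place, as the reply above suggests. All IP addresses and the `dns_servers` set name are constructed placeholders; the `management` set name is the one documented by Proxmox as special.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level, applied to every node)
# Added example, not the poster's configuration. Addresses are placeholders.
[OPTIONS]
enable: 1
# Shown explicitly so the defaults are visible: inbound traffic to the hosts is
# dropped unless a rule accepts it, outbound traffic from the hosts (which
# includes the nodes' own DNS queries) is accepted. Changing policy_out to DROP
# without a matching OUT rule is the usual way name resolution silently breaks.
policy_in: DROP
policy_out: ACCEPT

# "management" is a predefined IP set name: the host firewall automatically
# accepts SSH (22), the web GUI (8006), VNC (5900-5999) and the SPICE proxy
# (3128) from its members, so no separate rules are needed for those ports.
[IPSET management]
192.168.10.20 # desktop (placeholder)
192.168.10.21 # laptop (placeholder)

# Assumed addresses of the two Pi-hole VMs
[IPSET dns_servers]
192.168.10.53
192.168.10.54

[RULES]
# Only required if policy_out is changed to DROP: let the nodes query the Pi-holes
OUT DNS(ACCEPT) -dest +dns_servers
# Let the management hosts ping the nodes; everything else inbound hits policy_in
IN Ping(ACCEPT) -source +management
```

With the rules kept at the datacenter level, each node's own file (/etc/pve/firewall/<node>.fw) only needs `enable: 1` under `[OPTIONS]`. Before enabling, `pve-firewall compile` on a node shows the generated ruleset, and `pve-firewall localnet` shows the local cluster network that pve-firewall detects; the additional rules for VNC, SPICE, rpcbind and corosync mentioned in the first post are not included here.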
 