Lost OPNSense Gateway when I turn on Proxmox Firewall

IWIOS

Member
Dec 3, 2021
Hello,

I have an issue between Proxmox and OPNsense.
I have a server with one port with a public IP.
I have installed and configured OPNsense as a virtual machine.

I have configured Proxmox to route all traffic from the public IP to my internal OPNsense IP.

Without the Proxmox firewall enabled, everything works, but when I enable the Proxmox firewall, my OPNsense WAN gateway goes down.

Can someone help me understand what's going wrong?
 

Attachments

  • 2022-11-01 12_15_54-prx2 - Proxmox Virtual Environment — Mozilla Firefox.png (8 KB)
  • 2022-11-01 12_16_51-prx2 - Proxmox Virtual Environment — Mozilla Firefox.png (24.4 KB)
This is the output of iptables -L after enabling the Proxmox FW:

Code:
Chain PREROUTING (policy ACCEPT 6262 packets, 415K bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1       67  3484 ACCEPT     tcp  --  *      *       0.0.0.0/0            IP_PUB         tcp dpt:8006
2        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            IP_PUB         tcp dpt:22
3      846 35435 DNAT       all  --  *      *       0.0.0.0/0            IP_PUB         to:IP_WAN_OPNSENSE

Chain INPUT (policy ACCEPT 67 packets, 3484 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 557 packets, 36008 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 5082 packets, 307K bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1      533 37395 SNAT       all  --  *      *       IP_WAN_OPNSENSE        0.0.0.0/0            to:IP_PUB random
root@prx2:~# iptables -L -n -v --line-numbers
Chain INPUT (policy ACCEPT 13 packets, 676 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1    47525   15M PVEFW-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy ACCEPT 2602 packets, 172K bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1     155K  113M PVEFW-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 94 packets, 6124 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1    48140   21M PVEFW-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0          

Chain PVEFW-Drop (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1      363 39383 PVEFW-DropBroadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
5        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445
6        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
7        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535
8       12   624 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445
9        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
10      52  6554 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
11       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
12     239 13185            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8 */

Chain PVEFW-DropBroadcast (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1       60 19020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
4        0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4        
5      303 20363            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2     126K  111M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3     9133  634K PVEFW-FWBR-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
4    10055  703K PVEFW-FWBR-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
5    28910 2011K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1     9133  634K PVEFW-smurfs  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
2     9133  634K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0 */

Chain PVEFW-FWBR-OUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1    10055  703K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */

Chain PVEFW-HOST-IN (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1      560  143K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
3     1070  394K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4       13   676 PVEFW-smurfs  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
5        0     0 RETURN     2    --  *      *       0.0.0.0/0            0.0.0.0/0          
6        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
7       13   676 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-ip_admin-v4 src tcp dpt:8006
8        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-ip_admin-v4 src tcp dpt:22
9        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:8006
10       0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
11       0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:3128
12       0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:22
13       0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
14       0     0 PVEFW-Drop  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
15       0     0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-HOST-IN: policy DROP: "
16       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
17       0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:d57CethE1LtOCvOThQuWHC53G+E */

Chain PVEFW-HOST-OUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1      560  143K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0          
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
3      975  481K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        0     0 RETURN     2    --  *      *       0.0.0.0/0            0.0.0.0/0          
5        0     0 NFLOG      all  --  *      *       IP_WAN_OPNSENSE        0.0.0.0/0            limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-HOST-OUT: ACCEPT: "
6        0     0 RETURN     all  --  *      *       IP_WAN_OPNSENSE        0.0.0.0/0          
7        0     0 NFLOG      all  --  *      *       IP_WAN_OPNSENSE        0.0.0.0/0            limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-HOST-OUT: ACCEPT: "
8        0     0 RETURN     all  --  *      *       IP_WAN_OPNSENSE        0.0.0.0/0          
9        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            Network_PUB/24        tcp dpt:8006
10       0     0 RETURN     tcp  --  *      *       0.0.0.0/0            Network_PUB/24        tcp dpt:22
11       0     0 RETURN     tcp  --  *      *       0.0.0.0/0            Network_PUB/24        tcp dpts:5900:5999
12       0     0 RETURN     tcp  --  *      *       0.0.0.0/0            Network_PUB/24        tcp dpt:3128
13      94  6124 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
14       0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:ooiWi8Wr0WriK4zTdqaDNel7O1g */

Chain PVEFW-INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1     1643  538K PVEFW-HOST-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
2       13   676            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1     1629  631K PVEFW-HOST-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
2       94  6124            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 PVEFW-DropBroadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0          
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4
3        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
5        0     0 PVEFW-reject  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,445
6        0     0 PVEFW-reject  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
7        0     0 PVEFW-reject  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535
8        0     0 PVEFW-reject  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445
9        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900
10       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
11       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
12       0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:h3DyALVslgH5hutETfixGP08w7c */

Chain PVEFW-SET-ACCEPT-MARK (0 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK or 0x80000000
2        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
2        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */

Chain PVEFW-reject (4 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
2        0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0          
3        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
4        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
5        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
6        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
7        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
8        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0          
2        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
num   pkts bytes target     prot opt in     out     source               destination        
1      100 31700 RETURN     all  --  *      *       0.0.0.0              0.0.0.0/0          
2        0     0 PVEFW-smurflog  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  ADDRTYPE match src-type BROADCAST
3        0     0 PVEFW-smurflog  all  --  *      *       224.0.0.0/4          0.0.0.0/0           [goto]
4     9774  657K            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 PVEFW-logflags  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x29
2        0     0 PVEFW-logflags  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x00
3        0     0 PVEFW-logflags  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x06/0x06
4        0     0 PVEFW-logflags  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x03/0x03
5        0     0 PVEFW-logflags  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp spt:0 flags:0x17/0x02
6        0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */
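When a host stops forwarding the moment a firewall is switched on, the first thing to read in a listing like the one above is which DROP/REJECT rules have non-zero packet counters. The following parser is an added example for this thread, not code from the thread or from Proxmox: it parses the `iptables -L -n -v --line-numbers` layout (including the target-less PVESIG comment rules and K/M-abbreviated counters) and lists the drop rules that have matched. The SAMPLE text is a constructed excerpt in the same layout; its counters and chain names are copied from the listing above, and IP_WAN_OPNSENSE is the poster's own placeholder.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of `iptables -L -n -v --line-numbers`, same layout as the
# listing in the thread (counters and chain names taken from it).
SAMPLE = """\
Chain INPUT (policy ACCEPT 13 packets, 676 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    47525   15M PVEFW-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PVEFW-Drop (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1      363 39383 PVEFW-DropBroadcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
8       12   624 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445
10      52  6554 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
12     239 13185            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8 */

Chain PVEFW-DropBroadcast (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1       60 19020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST

Chain PVEFW-HOST-OUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
5        0     0 NFLOG      all  --  *      *       IP_WAN_OPNSENSE        0.0.0.0/0            limit: avg 1/sec burst 5 nflog-prefix  ":0:7:PVEFW-HOST-OUT: ACCEPT: "
"""

# iptables -v abbreviates counters with K/M/G, scaled by 1000 (not 1024).
_SCALE = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token: str) -> int:
    if token[-1] in _SCALE:
        return int(token[:-1]) * _SCALE[token[-1]]
    return int(token)


@dataclass
class Rule:
    chain: str
    num: int
    pkts: int
    nbytes: int
    target: Optional[str]  # None for the trailing PVESIG comment rules
    prot: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extras: str            # match details: ctstate, dpt, comment, ...


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None  # builtin chains only
    policy_pkts: int = 0          # packets that fell through to the policy
    references: int = 0           # user-defined chains only
    rules: List[Rule] = field(default_factory=list)


_CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")
_POLICY_RE = re.compile(r"^policy (\S+) (\S+) packets, (\S+) bytes$")
_REFS_RE = re.compile(r"^(\d+) references$")
_OPT_TOKENS = {"--", "-f", "!f"}  # values of the "opt" column


def _parse_rule(chain: str, line: str) -> Rule:
    tokens = line.split()
    num, pkts, nbytes = int(tokens[0]), parse_count(tokens[1]), parse_count(tokens[2])
    rest = tokens[3:]
    # The target column may be empty, so anchor on the opt column rather than
    # on fixed positions.
    opt_idx = next(i for i, t in enumerate(rest) if t in _OPT_TOKENS)
    head = rest[:opt_idx]
    if len(head) == 2:
        target, prot = head[0], head[1]
    elif len(head) == 1:
        target, prot = None, head[0]
    else:
        raise ValueError(f"unexpected rule layout: {line!r}")
    in_if, out_if, src, dst = rest[opt_idx + 1:opt_idx + 5]
    extras = " ".join(rest[opt_idx + 5:])
    return Rule(chain, num, pkts, nbytes, target, prot, in_if, out_if, src, dst, extras)


def parse_iptables_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1))
            pm, rm = _POLICY_RE.match(m.group(2)), _REFS_RE.match(m.group(2))
            if pm:
                current.policy, current.policy_pkts = pm.group(1), parse_count(pm.group(2))
            elif rm:
                current.references = int(rm.group(1))
            chains[current.name] = current
        elif current is not None and line[:1].isdigit():
            current.rules.append(_parse_rule(current.name, line))
        # column headers, blank lines and shell prompts are skipped
    return chains


def drop_rules_with_hits(chains: Dict[str, Chain]) -> List[Rule]:
    """Terminal DROP/REJECT rules whose packet counter is non-zero."""
    return [r for c in chains.values() for r in c.rules
            if r.target in ("DROP", "REJECT") and r.pkts > 0]


if __name__ == "__main__":
    for r in drop_rules_with_hits(parse_iptables_listing(SAMPLE)):
        print(f"{r.chain} rule {r.num}: {r.target} {r.prot} {r.src} -> {r.dst} "
              f"{r.extras} ({r.pkts} pkts)")
```

Fed the full listing from the post, it reports PVEFW-Drop rules 8 and 10 and PVEFW-DropBroadcast rule 1 as the drop rules with hits. Counters accumulate from the moment the rules were loaded, so reset them with `iptables -Z` right before reproducing the outage, then re-run the listing; the rule whose counter climbs while the gateway is unreachable is the one to look at.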
 
Hello,
Does no one have an idea?

Or is my explanation not clear enough to understand my problem?
 
# Generated by iptables-save v1.8.7 on Wed Nov 16 15:33:41 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [9:4897]
:OUTPUT ACCEPT [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:f2b-proxmox - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 443,80,8006 -j f2b-proxmox
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p icmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-group_admin-v4 src -m tcp --dport 53967 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-group_admin-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:L3upXh12zB2ObjTktEVbLf1etNY"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -d IP_Public_Network/24 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d IP_Public_Network/24 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d IP_Public_Network/24 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d IP_Public_Network/24 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:PdyglMhwIqhtRHVVlquhIeKYiV4"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A f2b-proxmox -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Wed Nov 16 15:33:41 2022
# Generated by iptables-save v1.8.7 on Wed Nov 16 15:33:41 2022
*raw
:PREROUTING ACCEPT [549005112:578417213943]
:OUTPUT ACCEPT [79355346:897077329509]
COMMIT
# Completed on Wed Nov 16 15:33:41 2022
# Generated by iptables-save v1.8.7 on Wed Nov 16 15:33:41 2022
*nat
:PREROUTING ACCEPT [2199805:177783615]
:INPUT ACCEPT [45180:2386274]
:OUTPUT ACCEPT [3290643:207684539]
:POSTROUTING ACCEPT [4837295:273547662]
-A PREROUTING -d IP_PUB/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -d IP_PUB/32 -p tcp -m tcp --dport 8006 -j ACCEPT
-A PREROUTING -d IP_PUB/32 -j DNAT --to-destination IP_Int_OPNSENSE
-A POSTROUTING -s Ip_Int_OPNSENSE/32 -j SNAT --to-source IP_PUB --random
COMMIT
# Completed on Wed Nov 16 15:33:41 2022
 
# Generated by iptables-save v1.8.7 on Thu Nov 17 14:51:23 2022
*filter
:INPUT ACCEPT [22:6251]
:FORWARD ACCEPT [2:56]
:OUTPUT ACCEPT [19:3871]
:f2b-proxmox - [0:0]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 443,80,8006 -j f2b-proxmox
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A f2b-proxmox -j RETURN
-A f2b-sshd -j RETURN
COMMIT
# Completed on Thu Nov 17 14:51:23 2022
# Generated by iptables-save v1.8.7 on Thu Nov 17 14:51:23 2022
*raw
:PREROUTING ACCEPT [558251202:578945109802]
:OUTPUT ACCEPT [81420849:988486209601]
COMMIT
# Completed on Thu Nov 17 14:51:23 2022
# Generated by iptables-save v1.8.7 on Thu Nov 17 14:51:23 2022
*nat
:PREROUTING ACCEPT [2318000:185291422]
:INPUT ACCEPT [45197:2387294]
:OUTPUT ACCEPT [3308540:208821475]
:POSTROUTING ACCEPT [4957641:278919184]
-A PREROUTING -d IP_PUB/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -d IP_PUB/32 -p tcp -m tcp --dport 8006 -j ACCEPT
-A PREROUTING -d IP_PUB/32 -j DNAT --to-destination IP_INT_OPNSENSE
-A POSTROUTING -s IP_INT_OPNSENSE/32 -j SNAT --to-source IP_PUB --random
COMMIT
# Completed on Thu Nov 17 14:51:23 2022
 
