LXC (VPN) unreachable over a different VLAN

marcelock
Mar 30, 2023
I'm not an experienced user, I managed to install, configure and maintain my server thanks to this forum and hundreds of hours of videos on YouTube. Thanks for that!
But now there's a wall in front of my knowledge and none of the research I've done in the last few days has helped me... probably something stupid that I'm missing. Let's go.

I have an LXC container configured as a VPN which has been working well for years, I use this container as a gateway for others that need to go through a VPN, like qbit, etc.

My problem started when I migrated from a domestic Huawei router to a TP-Link Omada, where I separated my network into two VLANs, one for the Proxmox and one for the rest of the house.
- Proxmox got 192.168.3.X
- The home network 192.168.10.X
Since then I have not been able to access, for example, the container with the qbit from my PC 192.168.10.4 > 192.168.3.102.

I believe the problem is in the LXC VPN configuration, since the other containers and VMs on the 192.168.3.X network are accessible through 192.168.10.X.
Only those behind the VPN and the VPN itself have a problem.

What I've already tried.

Edit the IP TABLE, used in VPN configuration, to include:

ORIGINAL SETUP, which worked fine when there were no VLANs

Bash:
# Make sure that you can communicate within your own network
iptables -A INPUT -s 192.168.3.0/24 -d 192.168.3.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.3.0/24 -d 192.168.3.0/24 -j ACCEPT

CONFIGURATION INSERTED TO TRY TO RESOLVE THE PROBLEM
Bash:
# Make sure that you can communicate within your own network
iptables -A INPUT -s 192.168.10.0/24 -d 192.168.10.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.10.0/24 -d 192.168.10.0/24 -j ACCEPT

# Allow traffic from network 192.168.3.0/24 to network 192.168.10.0/24
iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.10.0/24 -j ACCEPT

# Allow traffic from network 192.168.10.0/24 to network 192.168.3.0/24
iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.3.0/24 -j ACCEPT

Did not work.
What am I missing?
Thanks!
 
The complete iptable that worked before having two VLANs:

Bash:
#!/bin/bash
# Flush
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X


# Block All
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP


# allow Localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# Make sure you can communicate with any DHCP server
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
iptables -A INPUT -s 255.255.255.255 -j ACCEPT


# Make sure that you can communicate within your own network
iptables -A INPUT -s 192.168.3.0/24 -d 192.168.3.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.3.0/24 -d 192.168.3.0/24 -j ACCEPT


# Allow established sessions to receive traffic:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# Allow TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
iptables -A OUTPUT -o tun+ -j ACCEPT


# allow VPN connection
iptables -I OUTPUT 1 -p udp --destination-port 1198 -m comment --comment "Allow VPN connection" -j ACCEPT


# Log, then drop, everything not accepted above (debug only).
# The logging chain has to be reached before any catch-all DROP rule,
# otherwise it never sees a packet.
iptables -N logging
iptables -A INPUT -j logging
iptables -A OUTPUT -j logging
iptables -A logging -m limit --limit 2/min -j LOG --log-prefix "IPTables general: " --log-level 7
iptables -A logging -j DROP


# Block All
iptables -A FORWARD -j DROP


echo "saving"
iptables-save > /etc/iptables.rules
echo "done"
#echo 'openVPN - Rules successfully applied, we start "watch" to verify IPtables in realtime (you can cancel it as usual CTRL + c)'
#sleep 3
#watch -n 0 "sudo iptables -nvL"
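
Added example, not part of the original posts: a minimal Python model of how the posted INPUT and OUTPUT rules treat a new connection between the two VLANs, matching on source and destination addresses only. The VPN container address 192.168.3.100 and the neighbour 192.168.3.50 are assumed values, and the cross-VLAN rules in `report()` are a hypothetical comparison, not a tested fix.

```python
import ipaddress

# Rules copied from the posts as (source net, destination net, target).
# Only -s/-d matching is modelled. A new TCP connection that enters and
# leaves on the LAN interface (assumed, not the tunnel) does not match the
# lo, tun+, ESTABLISHED or UDP 1198 rules, so those are left out.
ORIGINAL_INPUT = [("192.168.3.0/24", "192.168.3.0/24", "ACCEPT")]
ADDED_INPUT = [("192.168.10.0/24", "192.168.10.0/24", "ACCEPT")]
ORIGINAL_OUTPUT = [("192.168.3.0/24", "192.168.3.0/24", "ACCEPT")]
ADDED_OUTPUT = [("192.168.10.0/24", "192.168.10.0/24", "ACCEPT")]

PC = "192.168.10.4"          # from the post
VPN_CT = "192.168.3.100"     # assumed: the thread does not give this address
NEIGHBOUR = "192.168.3.50"   # constructed host on the container's own VLAN


def verdict(chain, src, dst, policy="DROP"):
    """Target of the first rule matching src and dst, else the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, target in chain:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return target
    return policy


def report():
    posted_in = ORIGINAL_INPUT + ADDED_INPUT
    posted_out = ORIGINAL_OUTPUT + ADDED_OUTPUT
    # Hypothetical rules whose source and destination are in different VLANs.
    cross_in = posted_in + [("192.168.10.0/24", "192.168.3.0/24", "ACCEPT")]
    cross_out = posted_out + [("192.168.3.0/24", "192.168.10.0/24", "ACCEPT")]
    return {
        "same_vlan_in": verdict(posted_in, NEIGHBOUR, VPN_CT),
        "pc_to_ct_in": verdict(posted_in, PC, VPN_CT),
        "ct_to_pc_out": verdict(posted_out, VPN_CT, PC),
        "pc_to_ct_in_cross_rule": verdict(cross_in, PC, VPN_CT),
        "ct_to_pc_out_cross_rule": verdict(cross_out, VPN_CT, PC),
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}: {result}")
```

iptables evaluates a chain from top to bottom, so a rule appended with `-A` after a catch-all rule is never reached.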
 
I have the same problem. Were you able to solve the problem?
No! I've tried everything I could find on the web... nothing works! So I just put everything on the same VLAN again, at least until I have more time to learn how to properly do it.
 
Why does Proxmox block ports from outside the local LAN? I can't access the guests from the internet. Plex is not available outside my local LAN on the same subnet. Do I have to set up a tunnel to have access?
 
