Multi Proxmox, Zentyal as VM on PVE1, but unable to ping PVE2 from a client (no GUI access)

Trilec

New Member
Jan 1, 2021
4
0
1
Munchen
Hi All,
Was finding this difficult to trace the cause, but hopefully this might help others.

Proxmox (PVE1 @ 192.168.1.2/24) (working fine for several months)
VM Zentyal 6.3 (192.168.1.1/24)
VM CentOS etc.
...

Client (PC @ 192.168.1.116/32, DHCP via Zentyal; Zentyal won't allow /24, not sure why that is)
...
Now installing an additional Proxmox (PVE2) server to host further research VMs.
Installation went fine. (The new Proxmox (PVE2) reports it's ready on https://192.168.1.29:8006)

Proxmox (PVE2 @ 192.168.1.29/32)
Issues:

I can ping Zentyal (192.168.1.1/32) from Proxmox (PVE2 @ 192.168.1.29/32)
I can ping Proxmox (192.168.1.29/32) from Zentyal (192.168.1.1/24)

I cannot ping Proxmox (192.168.1.29/32) from the client (192.168.1.116/32)
I cannot ping Proxmox (192.168.1.29/32) from Proxmox (PVE1 @ 192.168.1.2/24) (mask issue?)

The logs in the Zentyal firewall module report ACCESS was dropped:

2020-12-31 20:15:57 eth1 eth1 192.168.1.29 192.168.1.116 TCP 8006 51359 DROP
and also:
2020-12-31 20:15:57 eth1 192.168.1.1 192.168.1.116 TCP 8006 51359 DROP

All the firewall rules allow an open network (i.e. ALLOW, ANY, ANY, ANY).
As I don't see where the issue is, I've reinstalled Proxmox with a different IP address, static 192.168.1.7/24 (note the mask is not /32),
and reserved the address in Zentyal.

I can now ping from the client (192.168.1.116/32) to (192.168.1.7/24)

I can now ping from PVE1 to PVE2

Hopefully this is the correct method for this type of setup, but help understanding this would be appreciated.
 

Denny

Active Member
Jul 28, 2016
86
18
28
57
Did you actually set the netmask for the proxmox machines to /32 ie 255.255.255.255?
That creates a network of 1. All outbound traffic from 192.168.1.116 would then be sent to the gateway address which you haven't included here.

Going off that assumption I suggest instead setting all netmasks to /24 (255.255.255.0) and changing your dhcp range in Zentyal to exclude the ranges used by your servers and network equipment since you would want to set those statically. Specifically make your proxmox machines statically addressed.

I've always defined all connections rather than using a blanket Allow All, and I've been using Zentyal since the 3.X days. Remember, it is a first-match type system. Put your allows before your denies. If you need to add new services to the firewall, they are defined under "Network --> Services" within Zentyal.
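To make the netmask point concrete, here is an added Python example (my own code, not from the thread, Proxmox or Zentyal). It models how each host in the posts decides whether the other is on-link, runs the checks I would want before a static address goes into /etc/network/interfaces, renders the Proxmox vmbr0 stanza, and scans the two firewall lines quoted in the first post for dropped return traffic. All function names are mine, the bridge port name eno1 is an assumption, and the log field layout is inferred only from those two quoted lines.

```python
import ipaddress

# Addresses are the ones quoted in the thread; the gateway is the Zentyal VM.
# The NIC name below is an assumption, substitute your own bridge port.
GATEWAY = ipaddress.ip_address("192.168.1.1")
BRIDGE_PORT = "eno1"

# The two firewall lines quoted in the first post, copied here as sample input.
ZENTYAL_DROPS = [
    "2020-12-31 20:15:57 eth1 eth1 192.168.1.29 192.168.1.116 TCP 8006 51359 DROP",
    "2020-12-31 20:15:57 eth1 192.168.1.1 192.168.1.116 TCP 8006 51359 DROP",
]


def on_link(src_iface: str, dst: str) -> bool:
    """Does src treat dst as part of its own subnet?
    A host only ARPs for addresses inside the network its prefix defines. With /32
    that network holds the host alone, so every other machine, even one on the
    same switch, is handled as remote."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(src_iface).network


def next_hop(src_iface: str, dst: str, gateway=GATEWAY) -> str:
    """Route selection for a single-homed host: direct delivery when on-link,
    otherwise the packet goes to the default gateway."""
    return "direct" if on_link(src_iface, dst) else str(gateway)


def ping_paths(a_iface: str, b_iface: str) -> dict:
    """Next hop of the echo request (a -> b) and of the reply (b -> a).
    Each direction is decided by the sender's own prefix, so a /24 host can reach
    a /32 host directly while the reply detours through the gateway, where
    Zentyal's firewall gets to see (and drop) it."""
    a_ip = str(ipaddress.ip_interface(a_iface).ip)
    b_ip = str(ipaddress.ip_interface(b_iface).ip)
    return {"request": next_hop(a_iface, b_ip), "reply": next_hop(b_iface, a_ip)}


def config_problems(iface: str, gateway=GATEWAY) -> list:
    """Checks worth running before a static address is written to
    /etc/network/interfaces; an empty list means the config is sane."""
    cfg = ipaddress.ip_interface(iface)
    problems = []
    if cfg.network.prefixlen == cfg.max_prefixlen:
        problems.append(f"{iface}: host-only prefix, use the LAN prefix (e.g. /24)")
    elif cfg.ip in (cfg.network.network_address, cfg.network.broadcast_address):
        problems.append(f"{iface}: network/broadcast address is not usable for a host")
    if gateway not in cfg.network:
        problems.append(f"{iface}: gateway {gateway} is outside {cfg.network}")
    return problems


def vmbr0_stanza(iface: str, gateway=GATEWAY, port: str = BRIDGE_PORT) -> str:
    """Render the ifupdown stanza Proxmox VE uses for its management bridge."""
    problems = config_problems(iface, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = ipaddress.ip_interface(iface)
    return (
        "auto vmbr0\n"
        "iface vmbr0 inet static\n"
        f"        address {cfg.with_prefixlen}\n"
        f"        gateway {gateway}\n"
        f"        bridge-ports {port}\n"
        "        bridge-stp off\n"
        "        bridge-fd 0\n"
    )


def parse_zentyal_log(line: str) -> dict:
    """Split one firewall log line. The field order is inferred from the two quoted
    lines (the first carries an in and an out interface, the second only one), so
    the fields are taken from the right-hand end of the line."""
    t = line.split()
    return {"src": t[-6], "dst": t[-5], "proto": t[-4],
            "sport": int(t[-3]), "dport": int(t[-2]), "action": t[-1]}


def dropped_replies(lines, service_port: int = 8006) -> list:
    """Dropped flows whose *source* port is a service port: replies from a server
    (here the Proxmox GUI on 8006) that were routed through the firewall instead
    of being delivered on-link."""
    hits = []
    for line in lines:
        rec = parse_zentyal_log(line)
        if rec["action"] == "DROP" and rec["sport"] == service_port:
            hits.append((rec["src"], rec["dst"]))
    return hits


if __name__ == "__main__":
    print(ping_paths("192.168.1.2/24", "192.168.1.29/32"))   # PVE1 -> PVE2 before the fix
    print(ping_paths("192.168.1.116/24", "192.168.1.7/24"))  # client -> PVE2 after the fix
    print(dropped_replies(ZENTYAL_DROPS))
    print(vmbr0_stanza("192.168.1.7/24"))
```

The asymmetric result for PVE1 (/24) against PVE2 (/32) is the interesting one: the request is delivered directly, but PVE2 hands the reply to Zentyal, which is exactly the 8006-to-client traffic the quoted log shows being dropped. Once PVE2 carries /24 both directions are on-link and the firewall never sees the packets.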
 

Trilec

Thanks Denny,
The first PVE1 was static, set to /24; the other was DHCP from Zentyal at /32 (you can't define /24, it says invalid).
Indeed, changing PVE2 to /24 static and only reserving it in Zentyal did the trick.
Agree on the firewall, just testing at the moment. Office 360, Teams, SSH and web open already lots... lol
 

Denny

Zentyal has a very convoluted way of defining reservations. First you define an object under network and then under dhcp advanced options you can add static reservations for that object. Confusing to say the least.

I have long since moved my DHCP functions over to pfSense. It was a natural evolution when I created my Proxmox cluster. Setting up a pfSense HA pair allows me to take a Proxmox host down for maintenance without interrupting my network.
 

apoc

Renowned Member
Oct 13, 2017
987
144
63
+1 for pfsense ;)

Aside from that, technically a /32 notation isn't wrong. It specifies the IP itself and no range/subnet.
It is important that the netmask is correct, which is typically /24 (255.255.255.0).
Even pfSense uses the /32 notation in some places.
 

Denny

@tburger I briefly worked for Netgate. They are a nice bunch of people. Very solid engineers. It was a good experience overall for me.
 

Trilec

Thanks, I'm slowly coming to this conclusion as well, albeit with OPNsense (almost pfSense). (If only these offered Active Directory... sigh)
As it's a "home office", the server is in the lounge, and I ended up hacking my own housing using larger and quieter fans so I'm not divorced.
I VM as much as possible (I'm using a Supermicro Atom 8-core board) but am looking to get more processing/watt (AMD MB??) to get better VM PCs.
I already had an OPNsense VM but was hoping Zentyal would give a solid firewall just to simplify the whole darn maintenance.
 

Denny

Zentyal does not provide HA. They started down that path a few versions ago before backing away from it. For me Zentyal still manages email and authentication services (AD). I am actively shopping for replacements as Zentyal no longer really fits my needs. I am taking a very hard look at going the rancher/kubernetes route on my proxmox cluster.
 

Trilec

New Member
Jan 1, 2021
4
0
1
Munchen
Zentyal authentication services (AD) management works OK and appears clean and easy to use.
I always hoped a plugin for AD via OPNsense would magically appear. I've looked at a few (ADs) but all seem not quite there or no longer supported.
I have not looked at Rancher, or for that matter a Kubernetes wrapper? Seems a controller for Docker? Similar to Proxmox?
 

Denny

Rancher is a GUI to manage a Kubernetes cluster. Kubernetes is an orchestration tool for containers. It seems to be a winning combination for managing container loads.
 
