Multiple Port for Spice Protocol-possible?

wahmed

I have a 4-node cluster. I have set up a few VMs with SPICE on Node 1. I opened port 3128 on the firewall and forwarded it to Node 1 so remote SPICE is possible. I have now moved those VMs to Node 2 to give Node 1 some room to breathe. Now remote access is not possible through SPICE unless I forward port 3128 on the firewall to Node 2. Is it possible to enter multiple port numbers somewhere so I can set up multiple rules on the firewall, so remote users can access their VMs through SPICE no matter which node I migrate to?
Thanks!
 
I have 2 firewall rules set up:
1. Forward to 192.168.10.1 port 3128 : Node 1
2. Forward to 192.168.10.2 port 3128 : Node 2

If I have both enabled or just #1 enabled, I can only access the VMs on Node 1. If I disable rule #1, then I can only access the VMs on Node 2. It seems like my firewall is passing the port to whichever enabled rule is hit first and ignoring the rest.

I was wondering whether the following rules would be possible by setting extra ports in the Proxmox SPICE config:
1. Forward to 192.168.10.1 port 3128 : Node 1
2. Forward to 192.168.10.2 port 3129 : Node 2

Could it be my firewall's limitation? I am using pfSense as the firewall.
 


The network flow is:

client---->node1 (3128)------->node2(3128)------>vm spice port (localhost:xxxxx)


The client always connects to 3128 on the current node where the SPICE ticket is generated.
If the VM is on a remote node, the proxy forwards to the remote proxy on port 3128.
Then the final proxy connects to the VM's SPICE port on localhost:60xxxx.

So you only need to open port 3128 from outside.
 
