Multiple Port for Spice Protocol-possible?

wahmed

I have a 4-node cluster. I have set up a few VMs with SPICE on Node 1. I opened port 3128 on the firewall and forwarded it to Node 1 so remote SPICE is possible. I have now moved those VMs to Node 2 to give Node 1 some room to breathe. Now remote access is not possible through SPICE unless I forward port 3128 on the firewall to Node 2. Is it possible to enter multiple port numbers somewhere so I can set up multiple rules on the firewall, so remote users can access their VMs through SPICE no matter which node I migrate to?
Thanks!
 
I have 2 firewall rules set up:
1. Forward to 192.168.10.1 port 3128 : Node 1
2. Forward to 192.168.10.2 port 3128 : Node 2

If I have both enabled or just #1 enabled, I can only access the VMs on Node 1. If I disable rule #1, then I can only access the VMs on Node 2. It seems like my firewall is passing the port to whichever enabled rule is hit first and ignoring the rest.

I was wondering whether the following rules would be possible by setting extra ports in the Proxmox SPICE config:
1. Forward to 192.168.10.1 port 3128 : Node 1
2. Forward to 192.168.10.2 port 3129 : Node 2

Could it be my Firewall's limitation? I am using pfSense as the firewall.
 


The network flow is:

client---->node1 (3128)------->node2(3128)------>vm spice port (localhost:xxxxx)


The client always connects to port 3128 on the current node, where the spiceticket is generated.
If the VM is on a remote node, the proxy forwards to the remote proxy on port 3128.
Then the final proxy connects to the VM's SPICE port on localhost:60xxxx.

So you only need to open port 3128 from outside.
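
The behaviour discussed in this thread, as an added example that is not part of any post: a small model of first-match port-forward evaluation, with a check that flags forwards that can never be reached. It assumes the firewall stops at the first enabled rule matching the external port, as observed above; the `Forward` fields and function names are hypothetical, and the addresses and ports are the ones from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Forward:
    name: str
    ext_port: int          # port opened on the WAN side
    target_ip: str         # internal node receiving the traffic
    target_port: int
    enabled: bool = True

def resolve(rules: List[Forward], ext_port: int) -> Optional[Forward]:
    """Return the first enabled rule for ext_port (assumed first match wins)."""
    for rule in rules:
        if rule.enabled and rule.ext_port == ext_port:
            return rule
    return None

def shadowed(rules: List[Forward]) -> List[Tuple[str, str]]:
    """List (unreachable_rule, rule_that_hides_it) pairs: an enabled rule is
    unreachable when an earlier enabled rule claims the same external port."""
    first_owner = {}
    hidden = []
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.ext_port in first_owner:
            hidden.append((rule.name, first_owner[rule.ext_port]))
        else:
            first_owner[rule.ext_port] = rule.name
    return hidden

# Constructed rule sets mirroring the configurations described in the thread.
BOTH_ON_3128 = [
    Forward("node1", 3128, "192.168.10.1", 3128),
    Forward("node2", 3128, "192.168.10.2", 3128),
]
NODE1_DISABLED = [
    Forward("node1", 3128, "192.168.10.1", 3128, enabled=False),
    Forward("node2", 3128, "192.168.10.2", 3128),
]
# Per the reply: one forward is enough, because the proxy on the entry node
# relays to the proxy on whichever node hosts the VM.
SINGLE_ENTRY = [Forward("node1", 3128, "192.168.10.1", 3128)]

if __name__ == "__main__":
    for label, rules in [("both", BOTH_ON_3128), ("node1 off", NODE1_DISABLED),
                         ("single", SINGLE_ENTRY)]:
        hit = resolve(rules, 3128)
        print(f"{label}: 3128 -> {hit.target_ip}, shadowed={shadowed(rules)}")
```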