Port forward to VMs

Exor

New Member
Jun 13, 2020
Hello everyone. I have everything set up with no issue except port forwarding to VMs.

Proxmox and the VMs use DHCP from my router, along with every device in the house.

Router: 192.168.1.1
Proxmox: 192.168.1.90
VM: 192.168.1.162
Firewall is set to No.

I port forward to Proxmox successfully; I can access it externally. I run an MC server in the VM and set the port to 25565. I went into the router and port forwarded 192.168.1.162 on port 25565. It is not accessible externally with WAN IP + 25565.

I thought that if VMs are bridged, they don't need NAT, since they receive DHCP from the router and are in the same subnet? I went to "ipchicken.com" inside the VM and it shows the same public IP as every device in the house, including Proxmox.

I have tried multiple methods I could find but can't seem to get port forwarding to work in VMs. I spent hours and hours trying to find a solution. I don't know what else to look at or fix. lol

Here is my /etc/network/interfaces

Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.90
        netmask 255.255.255.0
        gateway 192.168.1.1
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0

iface enp3s0f1 inet manual
 
Hi,

Can you ping the router from the VM and vice versa?

Have you enabled IPv4 forwarding in sysctl on the PVE host?
 
Can you ping the router from the VM and vice versa?
Yes, the VM is able to ping the router and vice versa.

Have you enabled IPv4 forwarding in sysctl on the PVE host?
I have no idea about this. I had to Google it after you mentioned it, and this is what I found. I wanted to confirm whether this is the one you are asking about:
Code:
sysctl -w net.ipv4.ip_forward=1
 
IPv4 forwarding has nothing to do with it. It's needed if you want your Proxmox host to act as a router, which in your case isn't needed. (Router as a term, not as an all-in-one appliance bundling router, firewall, DHCP, DNS, etc., which is how the word is often misleadingly used.)

I would assume your VM running the MC server is faulty. Is it Windows or Linux?

In the case of Windows, disable the firewall and try again. If it works, enable it again and create a port rule to allow port 25565. For Linux, please install netstat via "apt install net-tools", then run "netstat -pln" and post the output here. For Windows, also post the output of "netstat -ab" (using an admin cmd).

It's 99% a firewall issue. Or the MC server is not listening on 0.0.0.0.
 
It's on Linux and here is what you requested.

Code:
root@silvernode:~# netstat -pln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      570/sshd           
tcp        0      0 192.168.1.162:25565     0.0.0.0:*               LISTEN      8537/java           
tcp6       0      0 :::22                   :::*                    LISTEN      570/sshd           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           401/dhclient       
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     14211    467/Xorg             /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     13249    583/ssh-agent        /tmp/ssh-U1stn8MI9OB7/agent.582
unix  2      [ ACC ]     STREAM     LISTENING     17646    748/ssh-agent        /tmp/ssh-cPmij4bUJYH7/agent.719
unix  2      [ ACC ]     STREAM     LISTENING     16980    758/xfce4-session    /tmp/.ICE-unix/758
unix  2      [ ACC ]     STREAM     LISTENING     14210    467/Xorg             @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     10028    1/init               /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     15926    443/systemd          /run/user/0/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     10049    1/init               /run/systemd/fsck.progress
unix  2      [ ACC ]     STREAM     LISTENING     16979    758/xfce4-session    @/tmp/.ICE-unix/758
unix  2      [ ACC ]     STREAM     LISTENING     10059    1/init               /run/systemd/journal/stdout
unix  2      [ ACC ]     SEQPACKET  LISTENING     10085    1/init               /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     12673    1/init               /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15357    782/dbus-daemon      @/tmp/dbus-NLL5YcQxTe
unix  2      [ ACC ]     STREAM     LISTENING     12973    443/systemd          /run/user/0/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     12976    443/systemd          /run/user/0/bus
unix  2      [ ACC ]     STREAM     LISTENING     12978    443/systemd          /run/user/0/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     12982    443/systemd          /run/user/0/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     12984    443/systemd          /run/user/0/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     12986    443/systemd          /run/user/0/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     48348    4248/SCREEN          /run/screen/S-root/4248.Omni
 
Did you try connecting to it directly in the LAN with IP 192.168.1.162?

Try changing server-ip in server.properties to 0.0.0.0.

It should also work with the LAN IP, but it is better to bind to every interface.

Also, please post the output of "iptables -L" and "iptables -t nat -L".
 
Did you try connecting to it directly in the LAN with IP 192.168.1.162?
I am currently at work, but I will let you know as soon as I check this out.

Try changing server-ip in server.properties to 0.0.0.0.
I have changed it to 0.0.0.0.

Also, please post the output of "iptables -L" and "iptables -t nat -L".
Code:
root@silvernode:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@silvernode:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source
 
OK, the firewall is not blocking; it should work with 0.0.0.0, just double-check with netstat.
 
OK, the firewall is not blocking; it should work with 0.0.0.0, just double-check with netstat.
Okay, I managed to test connecting over the LAN and it worked. It's still inaccessible externally. "Open Port Check Tool" still shows the port as closed. My friend is still unable to access it.

Code:
root@silvernode:~# netstat -pln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      570/sshd           
tcp        0      0 0.0.0.0:25565           0.0.0.0:*               LISTEN      9864/java           
tcp6       0      0 :::22                   :::*                    LISTEN      570/sshd           
udp        0      0 0.0.0.0:68              0.0.0.0:*                           401/dhclient       
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     14211    467/Xorg             /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     13249    583/ssh-agent        /tmp/ssh-U1stn8MI9OB7/agent.582
unix  2      [ ACC ]     STREAM     LISTENING     17646    748/ssh-agent        /tmp/ssh-cPmij4bUJYH7/agent.719
unix  2      [ ACC ]     STREAM     LISTENING     16980    758/xfce4-session    /tmp/.ICE-unix/758
unix  2      [ ACC ]     STREAM     LISTENING     14210    467/Xorg             @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     10028    1/init               /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     15926    443/systemd          /run/user/0/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     10049    1/init               /run/systemd/fsck.progress
unix  2      [ ACC ]     STREAM     LISTENING     16979    758/xfce4-session    @/tmp/.ICE-unix/758
unix  2      [ ACC ]     STREAM     LISTENING     10059    1/init               /run/systemd/journal/stdout
unix  2      [ ACC ]     SEQPACKET  LISTENING     10085    1/init               /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     12673    1/init               /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     15357    782/dbus-daemon      @/tmp/dbus-NLL5YcQxTe
unix  2      [ ACC ]     STREAM     LISTENING     12973    443/systemd          /run/user/0/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     12976    443/systemd          /run/user/0/bus
unix  2      [ ACC ]     STREAM     LISTENING     12978    443/systemd          /run/user/0/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     12982    443/systemd          /run/user/0/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     12984    443/systemd          /run/user/0/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     12986    443/systemd          /run/user/0/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     48348    4248/SCREEN          /run/screen/S-root/4248.Omni
 
Hmm, that's odd. Can you delete the port forward and recreate it? Maybe the host changed, or there are two or more with the same name to select from.

Otherwise everything looks good. Maybe your ISP is blocking port 25565, which doesn't make much sense.
 
Hmm, that's odd. Can you delete the port forward and recreate it? Maybe the host changed, or there are two or more with the same name to select from.

Otherwise everything looks good. Maybe your ISP is blocking port 25565, which doesn't make much sense.
After removing and re-adding the port forward for 25565, it worked. It is now accessible externally. Thank you so much for the help! I have no idea why this fixed the issue, but all the info I re-added is the same.

The next issue I am having is getting VNC set up. I am still confused about this one. It seems that Proxmox has its own VNC for each VM. Should I still install a vncserver in the VM? I have tried installing vncserver and setting the port to :1 (5901), but that didn't work on both LAN and WAN. I have done "change vnc 0.0.0.0:1" in the monitor tab.
 
I would not open up everything externally; your Proxmox being open is already a very high risk. I hope you have some countermeasures against brute-force attacks, like fail2ban. Your host will be the target of thousands of bots in no time. Make sure the password of every user is good and enable 2FA if possible.

Also, as your Proxmox is probably self-signed, a MITM attack would be pretty easy on you; you would not notice and would just accept the security warning.

The best you can do is set up a VPN for important things like Proxmox, VNC, etc.

Also search for "reverse proxy"; it allows running multiple web servers on port 80 externally. With that you could also secure your Proxmox GUI. But you will need it later anyway if you want to host multiple websites.

VNC as well is often not encrypted or self-signed, so it is very insecure if not configured correctly.

Using Proxmox's built-in VNC or a VNC server in a VM would not make a big difference performance-wise. The latter would get you more features like clipboard sharing, file drag & drop, etc.

Those are just some hints so you get a better overview. In your case I would not recommend opening Proxmox and VNC, so I'm not going to help you with it either. Everyone starts somewhere, but please, before you open up every port possible, get some more knowledge in server hosting. Otherwise you will be hacked in no time. And nowadays that often means your whole system being encrypted by ransomware.
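The brute-force countermeasure mentioned above, as an added example that is not part of the original thread and not Proxmox's own code: a POSIX shell script that counts Proxmox GUI login failures per source address from daemon.log-style lines and lists the sources that cross a threshold, which is the check a fail2ban jail on the PVE host automates. The log lines are constructed for the example. It assumes (not stated in the thread) that pvedaemon logs a failed login as `authentication failure; rhost=<ip> user=<user> msg=...` in /var/log/daemon.log, the same pattern the Proxmox wiki's fail2ban filter example is built around; check it against your own log before relying on the regex.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox: triage of failed GUI
# logins on a Proxmox host, the check a fail2ban jail automates.
# Assumed log format (verify on your host): pvedaemon writes
#   "pvedaemon[<pid>]: authentication failure; rhost=<ip> user=<user> msg=..."
# to /var/log/daemon.log.

# Constructed sample log lines for offline use; not real traffic.
SAMPLE_LOG='Jun 13 21:01:02 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Jun 13 21:01:03 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=admin@pam msg=Authentication failure
Jun 13 21:01:05 pve pvedaemon[1234]: <root@pam> successful auth for user root@pam
Jun 13 21:01:07 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Jun 13 21:01:09 pve pvedaemon[1234]: authentication failure; rhost=192.168.1.50 user=root@pam msg=Authentication failure
Jun 13 21:01:11 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=test@pve msg=Authentication failure
Jun 13 21:01:12 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure'

# count_failures: read log lines on stdin, print "<failures> <rhost>" per
# source address, most frequent first. Successful logins never match the
# sed pattern and are dropped.
count_failures() {
    sed -n 's/.*pvedaemon\[[0-9]*\]: authentication failure; rhost=\([0-9A-Fa-f.:]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders: print source addresses with at least $1 failures (default 3),
# i.e. what a jail with maxretry=3 would ban.
offenders() {
    count_failures | awk -v t="${1:-3}" '$1 >= t {print $2}'
}

# offender_count: number of addresses over the threshold, for scripting.
offender_count() {
    offenders "$1" | awk 'END {print NR}'
}

# Demo on the constructed sample. On a real host:
#   offenders 3 < /var/log/daemon.log
printf '%s\n' "$SAMPLE_LOG" | count_failures
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

A single address (203.0.113.7) accounts for five of the six failures in the sample and is the only one a threshold of 3 reports; the one failure from a LAN address is noise at that threshold. The script only reports; fail2ban adds the ban action and the time window (findtime/bantime), which a one-shot count cannot express.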
 
