proxmox 7.2 and opnsense nat on 8006

sanryu (New Member), Jul 26, 2022
Hello,
I have a Proxmox installation with a VM inside that acts as a firewall: OPNsense.
Traffic arriving from outside is NATed by vm-opnsense across the entire network.
For all the VMs inside the hypervisor I have no problem; I can NAT any port correctly.

If from the LAN I try to reach the Proxmox hypervisor via SSH or the web UI on 8006, I can do so easily.
I can't reach 8006 from outside. I think I'm missing something about Proxmox network theory.
I tried disabling the Proxmox firewall or adding a rule for the specific port, but nothing.
What did I not understand?

Could anyone help me?
 
Hello,

you have to forward external traffic with

destination <external ip of your opnsense> and destination port tcp:8006 on external interface
to
<ip of your proxmox host> port tcp:8006

Then you should be able to access your proxmox host via https://<external ip>:8006 - mind the 's' in https.

Kind regards,
Benedikt
 
Don't know if I get you right. If you use the same (public) IP for the Proxmox server as for the firewall, you might need selective NAT.

So, to send any TCP traffic arriving on the Proxmox public IP to the VM firewall at 10.99.99.1, except ports ssh/22 and webgui/8006, which go to Proxmox,
put this in /etc/network/interfaces in the external bridge section (e.g. vmbr0):

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --match multiport ! --dport 22,8006 -j DNAT --to 10.99.99.1
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --match multiport ! --dport 22,8006 -j DNAT --to 10.99.99.1

where vmbr0 is my external/outside Proxmox interface. The firewall is 10.99.99.1 on a transit LAN (vmbr1), with the Proxmox IP being 10.99.99.2.

The default gateway on the firewall is 10.99.99.2.

Optional: on the firewall transit LAN (e.g. vmbr1) add this:

post-up iptables -t nat -A POSTROUTING -s '10.99.99.1/32' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.99.99.1/32' -o vmbr0 -j MASQUERADE

So any traffic allowed from behind the firewall IP address to the outside will be hide-NATed behind the public Proxmox IP on vmbr0.

Hope I didn't miss your point completely.
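To check which packets a PREROUTING rule like the one above actually diverts, here is an added Python example (not from the post and not Proxmox or OPNsense code): it parses `-A PREROUTING` lines in the form printed by `iptables -t nat -S` or `iptables-save -t nat` and evaluates a packet (ingress interface, protocol, destination port) against them with iptables' first-match semantics, so you can confirm that tcp/22 and tcp/8006 stay on the host while everything else is DNATed to 10.99.99.1. The rule text is a constructed sample; only `-i`, `-p`, `--dport`/`--dports` with `!` negation, and the DNAT target are modelled.

```python
import shlex

# Constructed sample of what `iptables -t nat -S` prints for the rules in the post.
SAMPLE_NAT_RULES = """
-P PREROUTING ACCEPT
-A PREROUTING -i vmbr0 -p tcp -m multiport ! --dports 22,8006 -j DNAT --to-destination 10.99.99.1
-A POSTROUTING -s 10.99.99.1/32 -o vmbr0 -j MASQUERADE
"""

def parse_prerouting(text):
    """Return PREROUTING rules as dicts; unmodelled matches (e.g. -m multiport) are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A PREROUTING"):
            continue
        toks = shlex.split(line)[2:]  # drop "-A PREROUTING"
        rule = {"in": None, "proto": None, "dports": None, "neg": False, "target": None, "to": None}
        i = 0
        while i < len(toks):
            neg = toks[i] == "!"
            if neg:
                i += 1
            tok = toks[i]
            if tok == "-i":
                rule["in"] = toks[i + 1]
            elif tok == "-p":
                rule["proto"] = toks[i + 1]
            elif tok in ("--dport", "--dports"):
                rule["dports"] = {int(p) for p in toks[i + 1].split(",")}
                rule["neg"] = neg
            elif tok == "-j":
                rule["target"] = toks[i + 1]
            elif tok in ("--to", "--to-destination"):
                rule["to"] = toks[i + 1]
            else:
                i += 1      # single token such as "-m" or "multiport"
                continue
            i += 2
        rules.append(rule)
    return rules

def dnat_destination(rules, in_if, proto, dport):
    """First matching DNAT rule wins; None means the packet is delivered to the host itself."""
    for r in rules:
        if r["in"] and r["in"] != in_if:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["dports"] is not None and (dport in r["dports"]) == r["neg"]:
            continue  # port match fails (or, with "!", the port is in the excluded set)
        if r["target"] == "DNAT":
            return r["to"]
    return None

if __name__ == "__main__":
    rules = parse_prerouting(SAMPLE_NAT_RULES)
    for port in (22, 8006, 443):
        dest = dnat_destination(rules, "vmbr0", "tcp", port)
        print(f"tcp/{port} on vmbr0 -> {dest or 'host (no DNAT)'}")
```

Feed it the real `iptables -t nat -S` output from the host instead of the sample to see whether 8006 is being swallowed by a DNAT rule.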
 
Hello,

you have to forward external traffic with

destination <external ip of your opnsense> and destination port tcp:8006 on external interface
to
<ip of your proxmox host> port tcp:8006

Then you should be able to access your proxmox host via https://<external ip>:8006 - mind the 's' in https.

Kind regards,
Benedikt
Thank you so much for your answer.
No, that does not work for me.
It works with any other port on the network, on the VMs, but not on Proxmox.
I am sure that I arrive at the firewall correctly, because I can see it in the OPNsense logs.
If I use the same rule to NAT to SSH on any VM at all, it works.
If I do it for the Proxmox SSH, no.
 
Don't know if I get you right. If you use the same (public) IP for the Proxmox server as for the firewall, you might need selective NAT.

So, to send any TCP traffic arriving on the Proxmox public IP to the VM firewall at 10.99.99.1, except ports ssh/22 and webgui/8006, which go to Proxmox,
put this in /etc/network/interfaces in the external bridge section (e.g. vmbr0):

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --match multiport ! --dport 22,8006 -j DNAT --to 10.99.99.1
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --match multiport ! --dport 22,8006 -j DNAT --to 10.99.99.1

where vmbr0 is my external/outside Proxmox interface. The firewall is 10.99.99.1 on a transit LAN (vmbr1), with the Proxmox IP being 10.99.99.2.

The default gateway on the firewall is 10.99.99.2.

Optional: on the firewall transit LAN (e.g. vmbr1) add this:

post-up iptables -t nat -A POSTROUTING -s '10.99.99.1/32' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.99.99.1/32' -o vmbr0 -j MASQUERADE

So any traffic allowed from behind the firewall IP address to the outside will be hide-NATed behind the public Proxmox IP on vmbr0.

Hope I didn't miss your point completely.
I tried this setup, but it still doesn't work.
I arrive at my provider's router, which inevitably NATs to a LAN IP, 192.168.1.254, which is the firewall's (OPNsense).
From there I would like to reach 8006, but it is as if the firewall could not reach PVE.
 

Attachments: Screenshot from 2022-07-27 22-03-29.png
