Proxmox server dropping connections from VPN outside local subnet

tonofpudding

Member
Feb 23, 2021
5
0
6
34
Boston, MA, USA
I'm running Proxmox on a server in my homelab, on the 192.168.6.0/24 subnet, which is where all my other "real" computers are. (The VMs/Containers get assigned addresses in the 192.168.8.0/24 subnet, but that's not super relevant right now).

All is good, I can access the server from my other computers on the local network just fine.

I also have port forwarding set up on my ubiquiti gateway, so I can access the web interface remotely. This isn't ideal from a security standpoint, so I've been wanting to move away from port forwarding to using a VPN.

I have the Ubiquiti set up as a Wireguard VPN gateway, and devices connected to the VPN get assigned to the 192.168.9.0/24 subnet.
These devices can't access the Proxmox server at all. Not the web interface, not SSH, it doesn't even respond to pings, just drops the packets.
It seems to be only accepting connections from its local .6 subnet, and ignoring the .9 VPN subnet.

But all the firewall settings are turned off, and the network settings don't seem to mention anything about what size subnet to listen on at all. I'm not using any of the higher-level proxmox datacenter SDN features at all.

Where might I be going wrong here? The fact that it even drops ping packets feels like it's something fairly low level in the networking stack, but I can't figure out what.

My /etc/network/interfaces is pretty straightforward, there doesn't seem to be anything that would cause this behaviour:

Bash:
auto lo
iface lo inet loopback

iface enp1s0f0 inet manual

iface enp1s0f1 inet manual

iface enp3s0f0u14u2c2 inet manual

iface enx0ade1fbbcaf9 inet manual

iface enx1abe3bbb5f6a inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.6.77/16
    gateway 192.168.6.1
    bridge-ports enp1s0f0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.8
iface vmbr0.8 inet static
    address 192.168.8.6/24
#Docker Containers

The Wireguard VPN gateway seems to be working correctly otherwise, machines on the .9 VPN subnet can talk to any other device on the main .6 or even the VMs .8 subnet just fine. It's only the proxmox server that seems to be rejecting them.

The even more confusing part is that it accepts port-forwarded traffic from the public internet just fine. And at one point I tried using Tailscale, and whatever black magic networking it does worked for remote access as well. (I made sure to disable it afterwards, to ensure it wasn't interfering with the gateway wireguard connections). It's only connections from the local network but outside its subnet/VLAN that it doesn't seem to like.
 
Last edited:
hi, your subnetmask /16 in 192.168.6.77/16 is too big - it includes the .9 vpn-network
 
If your ubiquiti gateway is 192.168.6.1 then the 192.168.9.0/24 is located over there - so you need a route for it - for example default route via 192.168.6.1. but if your proxmox has /16 as subnet, the packets back to 192.168.9.0/24 will never enter default route, because vmbr0 "thinks" the 192.168.9.0/24 is on it's own subnet, so no gateway is needed to reach the net.

you can lower subnet mask to /24 on vmbr0 or you can make an extra route for 192.168.9.0/24 via 192.168.6.1 - I guess then it will work...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!