[TUTORIAL] Proxmox Web UI Inaccessible Across VLANs

ekimih

May 31, 2025
I’m working on a home lab setup where I have my Proxmox server on a separate VLAN from my main home network. The Proxmox box used to live on a different network and worked perfectly fine there, but I’ve since moved it into a segmented VLAN behind a Cisco router.

Now, I’m trying to access the Proxmox Web UI from my main home network (which is behind a UDM Pro), but I’m running into issues — I can ping the Proxmox server and trace routes work, but the Web UI port just doesn’t respond. I’ve made a bunch of changes, including removing NAT and confirming routing is in place, but the UI still doesn’t load unless I’m directly inside the Proxmox VLAN.

My goal is to access the Proxmox Web UI from other VLANs or subnets within my network without needing SNAT or jumping through extra hoops. Everything else seems to route fine, but the Web interface won’t load.

Looking for any insight or things I might be overlooking. I’ll share technical details if needed.


  • Devices behind UDM Pro can ping and trace route to Proxmox at 10.10.10.10, but port 8006 times out.
  • TCP SYNs reach Proxmox (confirmed via tcpdump), but Proxmox never replies.
  • UDM Pro is not dropping the packets (checked iptables & logs).
  • Firewall on Proxmox is disabled; iptables shows policies are ACCEPT.
 
 
Hello,

Please show me the network configuration on PVE

cat /etc/network/interfaces

Vlodek


I apologize for the delay. Here is the output of /etc/network/interfaces

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.10/24
        gateway 10.10.10.1
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0

Just as a note. I can now ping and trace route in both directions. Everything is seeing each other. The issue that persists is that I cannot access the WEB UI unless I am located on the VLAN of the Cisco network. Please let me know if there are any other configurations you need.
 
Hello.

If you can, draw me a diagram of the network containing
Cisco, UDM Pro, PVE and a working station
with assigned IP addresses and VLANs.

Vlodek
 
Since I have last posted, I have made some modifications to my network in hopes that it would fix my problem. I added an OPNsense in between the UDM Pro and Cisco 2800.

However, I was wrong. I am still having the same issues I have been having. But this time, I think I have narrowed it down to an issue on the UDM Pro. I feel like I am sending the request and on the return, the UDM Pro sees it as unsolicited, so it drops the traffic.

I do not think it is asymmetric routing or NATing issues because I can see the traffic on the UDM Pro using tcpdump -nvi br5 host 10.10.10.10 or host 10.69.5.108 and port 8006

While running tcpdump -nvi vmbr0 host 10.69.5.108 and port 8006 on the Proxmox CLI.

Simultaneously, I was also running:
tcpdump -nvi em1 host 10.69.5.108 # em1 = LAN
tcpdump -nvi em0 host 10.69.5.108 # em0 = WAN
On the OPNsense CLI.


But still, the Proxmox Web UI will not open unless my device is located on the Cisco lab side in the same subnet/VLAN (10.10.10.0/24). The packets are sent and are captured on all devices and “0 dropped by kernel”.
 

I am very sorry for wasting your time. I figured out that I was double NATing through both layers, my Cisco 2800 and the OPNsense. However, I now am only NATing through the OPNsense.

Now I am able to reach devices on my Cisco lab from my home network. Now I am running into an issue with no Internet access beyond the 2800. I think this one may be a LAN or WAN firewall rule that I need to address. Thank you again.
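
The server-side capture check used in this thread, as an added example that is not part of the original posts: it reads `tcpdump -nv` text taken on vmbr0 and reports, per client, whether SYNs to port 8006 were answered and which source addresses actually arrived. The capture lines are constructed, the function names are hypothetical, and 10.10.10.1 standing in for a hop that rewrites the source address is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nvi vmbr0 port 8006` output (not from the thread).
# Assumption: 10.10.10.1 is a hop that rewrites the client's source address.
SAMPLE = """\
12:00:01.000100 IP (tos 0x0, ttl 62, id 4101, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.1.40112 > 10.10.10.10.8006: Flags [S], cksum 0x1a2b (correct), seq 100, win 64240, length 0
12:00:01.000180 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.10.8006 > 10.10.10.1.40112: Flags [S.], cksum 0x3c4d (correct), seq 900, ack 101, win 65160, length 0
12:00:05.000100 IP (tos 0x0, ttl 61, id 4200, offset 0, flags [DF], proto TCP (6), length 60)
    10.69.5.108.51514 > 10.10.10.10.8006: Flags [S], cksum 0x5e6f (correct), seq 500, win 64240, length 0
12:00:06.000100 IP (tos 0x0, ttl 61, id 4201, offset 0, flags [DF], proto TCP (6), length 60)
    10.69.5.108.51514 > 10.10.10.10.8006: Flags [S], cksum 0x5e6f (correct), seq 500, win 64240, length 0
"""

# Matches "src.sport > dst.dport: Flags [..]" in both -n and -nv output.
SEG = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

def summarize(capture, server="10.10.10.10", port=8006):
    """Per client (ip, port): SYNs seen and whether the server sent a SYN-ACK."""
    flows = defaultdict(lambda: {"syn": 0, "synack": False})
    for m in SEG.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        if (dst, int(dport)) == (server, port) and flags == "S":
            flows[(src, int(sport))]["syn"] += 1
        elif (src, int(sport)) == (server, port) and flags == "S.":
            flows[(dst, int(dport))]["synack"] = True
    return dict(flows)

def diagnose(capture, client_ip, server="10.10.10.10", port=8006):
    """Classify what the server-side capture says about one client address."""
    flows = summarize(capture, server, port)
    mine = [f for (ip, _), f in flows.items() if ip == client_ip]
    if not mine:
        others = sorted({ip for ip, _ in flows})
        return f"client address not seen; SYN sources were {others} (translated upstream?)"
    if any(f["synack"] for f in mine):
        return "server answered with SYN-ACK; follow the reply path hop by hop"
    return "SYN arrived with the client's own address but no SYN-ACK left the server"

if __name__ == "__main__":
    for ip in ("10.69.5.108", "10.69.5.50"):
        print(ip, "->", diagnose(SAMPLE, ip))
```

Running the same summary on captures from each hop shows where the source address changes or where the SYN-ACK stops.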
 