[SOLVED] Proxmox Windows VM Outgoing Network

eletix

Oct 27, 2022
Hi, I'm new around here and trying to learn Proxmox.
I installed Proxmox on Linux. Everything is very good. In it, I installed Windows Server 2022, as a VM.
Normally all ports are closed when I activate the firewall.
I open the necessary ports for 8006 and RDP, no problem.
The problem also starts with not being able to access any website in Windows.
In short, there is no internet output from the Windows VM system.
What can be done for this? A different firewall? Or are there rule types for this in Proxmox?
Thanks.
 
Which language version of Windows did you install? There are some issues with non-English versions and networking.
Also you need VirtIO-drivers in case you haven't installed them [1].

Additionally for further debugging, please post your VM config (qm config <vmid>)

[1] https://pve.proxmox.com/wiki/Windows_VirtIO_Drivers
 
I use it in Turkish language. I have done all the installations related to VirtIO. As I have already said, when I do not activate the Firewall (pve-firewall stop), there is no problem. I can access the internet through the Windows VM. When I activate the Firewall, Chrome or applications cannot access the Internet. In addition, it says that the Internet is available in the Windows Network Adapter section.

 
Can you then post your firewall configuration for the Datacenter and the VM in question?
 
Hi,

I just configured it so that I can access the RDP and Proxmox panel and there are no issues. Only Windows 2022 no internet output available.

[screenshot]

By the way, I have the group definition and these rules (top image) apply on all systems. On both VM and datacenter side. I'm new so I don't know much about commands. If there is any different information you want, if you send it along with the command, I will send it immediately.

Thank you in advance for your help.
 
Can you show the default OUT policy? I don't know how it is named in Turkish but it should be found under Firewall > Options and then in the list there is a point Output Policy. Additionally in this Options Panel you can set the loglevel for the firewall. It would be interesting to set it to debug and then try to access a website, then look in the Log submenu what connections the firewall is blocking.
 
[screenshot]

[screenshot]

Here is where my problem starts. Even if I create such a rule from the firewall, Windows cannot go out. Am I doing the firewall rules correctly?
 
Can you enable the firewall rule logging? Sorry - I edited my post and added that part, maybe you did not see it?
 
Hi,

Thank you very much for your help I am very grateful to you.
Windows Output Policy;
[screenshot]

And datacenter output policy;
[screenshot]


My drop log:

5.xxx.xxx.xxx my windows server ip

Code:
100 6 tap100i0-IN 28/Oct/2022:17:59:49 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=103.164.3.212 DST=5.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=64782 PROTO=TCP SPT=44265 DPT=7600 SEQ=2968219156 ACK=0 WINDOW=1024 SYN 
100 6 tap100i0-IN 28/Oct/2022:17:59:49 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=52 TOS=0x02 PREC=0x00 TTL=111 ID=18027 DF PROTO=TCP SPT=56526 DPT=3389 SEQ=1920102892 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:17:59:52 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=52 TOS=0x02 PREC=0x00 TTL=111 ID=19091 DF PROTO=TCP SPT=56526 DPT=3389 SEQ=1920102892 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:17:59:58 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=19094 DF PROTO=TCP SPT=56526 DPT=3389 SEQ=1920102892 ACK=0 WINDOW=65535 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:02 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=12424 DF PROTO=TCP SPT=60279 DPT=3389 SEQ=1387063482 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:05 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=704 DF PROTO=TCP SPT=60279 DPT=3389 SEQ=1387063482 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:11 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=43 ID=11140 DF PROTO=TCP SPT=60279 DPT=3389 SEQ=1387063482 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:11 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=45.148.121.63 DST=5.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=33560 PROTO=TCP SPT=48612 DPT=12056 SEQ=1113334442 ACK=0 WINDOW=1024 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:23 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=789 DF PROTO=TCP SPT=49324 DPT=3389 SEQ=3467766047 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:23 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=52 TOS=0x02 PREC=0x00 TTL=111 ID=8006 DF PROTO=TCP SPT=64224 DPT=3389 SEQ=2350235112 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:26 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=21892 DF PROTO=TCP SPT=49324 DPT=3389 SEQ=3467766047 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:26 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=52 TOS=0x02 PREC=0x00 TTL=111 ID=9071 DF PROTO=TCP SPT=64224 DPT=3389 SEQ=2350235112 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:31 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=45.148.121.63 DST=5.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=46507 PROTO=TCP SPT=48612 DPT=12648 SEQ=3508341353 ACK=0 WINDOW=1024 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:31 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=43 ID=176 DF PROTO=TCP SPT=49324 DPT=3389 SEQ=3467766047 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:33 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=9087 DF PROTO=TCP SPT=64224 DPT=3389 SEQ=2350235112 ACK=0 WINDOW=65535 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:49 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=45.148.121.63 DST=5.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=59066 PROTO=TCP SPT=48612 DPT=12774 SEQ=1844140534 ACK=0 WINDOW=1024 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:53 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=13346 DF PROTO=TCP SPT=65185 DPT=3389 SEQ=2582195579 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:00:56 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=2331 DF PROTO=TCP SPT=65185 DPT=3389 SEQ=2582195579 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:12 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=21281 DF PROTO=TCP SPT=53598 DPT=3389 SEQ=3607209351 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:15 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=8287 DF PROTO=TCP SPT=53598 DPT=3389 SEQ=3607209351 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:17 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=45.148.121.63 DST=5.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=57377 PROTO=TCP SPT=48612 DPT=12870 SEQ=2459655373 ACK=0 WINDOW=1024 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:21 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=43 ID=17432 DF PROTO=TCP SPT=53598 DPT=3389 SEQ=3607209351 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:32 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=52 TOS=0x02 PREC=0x00 TTL=111 ID=19411 DF PROTO=TCP SPT=42067 DPT=3389 SEQ=1817664940 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:35 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=52 TOS=0x02 PREC=0x00 TTL=111 ID=20338 DF PROTO=TCP SPT=42067 DPT=3389 SEQ=1817664940 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:41 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=110.93.230.109 DST=5.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=20341 DF PROTO=TCP SPT=42067 DPT=3389 SEQ=1817664940 ACK=0 WINDOW=65535 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:43 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=11687 DF PROTO=TCP SPT=53535 DPT=3389 SEQ=1981360779 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:46 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=43 ID=177 DF PROTO=TCP SPT=53535 DPT=3389 SEQ=1981360779 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:52 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=175.155.179.222 DST=5.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=43 ID=11372 DF PROTO=TCP SPT=53535 DPT=3389 SEQ=1981360779 ACK=0 WINDOW=8192 SYN 
100 6 tap100i0-IN 28/Oct/2022:18:01:53 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=22:a1:e7:35:6a:89:00:09:0f:09:00:20:08:00 SRC=45.148.122.243 DST=5.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=40608 PROTO=TCP SPT=44756 DPT=13101 SEQ=3949273895 ACK=0 WINDOW=1024 SYN
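
A drop log like the one above is easier to read once it is grouped by chain and by source and destination port. The script below is an added example, not part of the original post: the sample lines are constructed in the same layout with documentation addresses, and the labels `logid` and `verdict` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample lines in the pve-firewall log layout shown above
# (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
100 6 tap100i0-IN 28/Oct/2022:17:59:49 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=203.0.113.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=56526 DPT=3389 SYN
100 6 tap100i0-IN 28/Oct/2022:17:59:52 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=203.0.113.7 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=56526 DPT=3389 SYN
100 6 tap100i0-IN 28/Oct/2022:18:00:11 +0300 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=198.51.100.63 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=48612 DPT=12056 SYN
this line is not a firewall record
"""

# VMID, log id, chain, timestamp, verdict text, then KEY=VALUE packet fields.
LINE_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<logid>\d+) (?P<chain>\S+) "
    r"(?P<ts>\S+ [+-]\d{4}) (?P<verdict>[^:]+): (?P<packet>.*)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Bare tokens such as SYN or DF carry no '=' and are kept as flags.
    tokens = rec.pop("packet").split()
    rec["fields"] = dict(t.split("=", 1) for t in tokens if "=" in t)
    rec["flags"] = [t for t in tokens if "=" not in t]
    return rec

def summarize(log_text):
    """Count drops per chain and per (source, destination port)."""
    by_chain, by_flow = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "DROP" not in rec["verdict"]:
            continue
        by_chain[rec["chain"]] += 1
        by_flow[(rec["fields"].get("SRC"), rec["fields"].get("DPT"))] += 1
    return by_chain, by_flow

if __name__ == "__main__":
    chains, flows = summarize(SAMPLE_LOG)
    print("drops per chain:", dict(chains))
    for (src, dport), n in flows.most_common():
        print(f"{n:3d}  {src} -> dport {dport}")
```

The per-chain count shows whether the logged drops are on the `-IN` or `-OUT` side of the guest's tap interface, which is the first thing to check when outbound traffic is the symptom.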
 
I think this is because you have IP Filter enabled in your Firewall settings but probably not properly configured. Does it work when you turn the IP Filter off?
 
Yes, it's fixed now. So what does IP filtering do? Aren't firewall rules already a filtering in itself? I am confused :(
 
IP Filter restricts the IP addresses the VM is allowed to use. So for instance if you do not control the VM but somebody else, he could change the IP of the VM to something else and maybe then circumvent some firewall rules. By using the IP Filter you can specify which IPs the VM is allowed to use under IPSet.
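
The effect described in the reply above can be shown with a small model of the IP filter (an added example, not part of the original post and not Proxmox's own code). It assumes the `<vmid>.fw` layout with an `ipfilter` option and an `ipfilter-net0` IP set holding plain addresses; the configs and addresses are constructed, and the implicit IPv6 link-local defaults are not modelled.

```python
import ipaddress
import re

# Constructed VM firewall configs in the <vmid>.fw layout (assumption: plain
# IP/CIDR entries only; aliases and negated entries are not modelled).
FW_BROKEN = """\
[OPTIONS]
enable: 1
ipfilter: 1
"""

FW_FIXED = FW_BROKEN + """
[IPSET ipfilter-net0] # addresses the guest may use on net0
192.0.2.10
"""

def parse_fw(text):
    """Return (options dict, {ipset name: [networks]}) from config text."""
    options, ipsets, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)(?:\s+(\S+))?\]$", line)
        if header:
            section = (header.group(1).upper(), header.group(2))
            if section[0] == "IPSET":
                ipsets.setdefault(section[1], [])
        elif section and section[0] == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section and section[0] == "IPSET":
            ipsets[section[1]].append(ipaddress.ip_network(line, strict=False))
    return options, ipsets

def source_allowed(fw_text, iface, src_ip):
    """Model of the IP filter: may the guest send from src_ip on iface?"""
    options, ipsets = parse_fw(fw_text)
    set_name = f"ipfilter-{iface}"
    # The filter applies if the option is on or a set exists for the interface.
    if options.get("ipfilter") != "1" and set_name not in ipsets:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ipsets.get(set_name, []))
```

With `FW_BROKEN` the guest's own address is rejected as a source, which matches the symptom in this thread; listing the address in the set, or turning the option off, lets it through.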
 
I understand, my master. Thank you for all your help. Thank you.
 