PVE 2.3 - Web Interface Working Locally, Not Externally

[DaveYoung]

Hi all. I installed Proxmox 2.3 some about a year ago and have been very happy with the result! I have two VPSs installed and 100% functioning.

My problem is for the first time I had a need to do a full backup of one of the VPSs via the web interface but discovered that I cannot access the web interface from outside the local LAN. I have had no problem connecting from the local LAN at any point.

There are 2 NICs in the server hosting Proxmox. Eth0 is configured as a bridge and has the external IP .85, Eth1 is configured as standalone and has a static internal IP. I have no problem reaching either of the two VPSs from outside the local LAN via the external IP addresses (.83 & .84) on any port (after configuring IPTables on each).

I have done nothing with the configuration manually.

I am clearly not a Debian expert by any means!

Content of /proc/version:

Linux version 2.6.32-18-pve (root@maui) (gcc version 4.4.5 (Debian 4.4.5-8) ) #1 SMP Mon Jan 21 12:09:05 CET 2013​

Content of the /etc/network/interfaces (IPs hidden but correct):

auto lo
iface lo inet loopback


auto vmbr0
iface vmbr0 inet static
address ##.##.##.85
netmask 255.255.255.0
gateway ##.##.##.##
bridge_ports eth0
bridge_stp off
bridge_fd 0


auto eth1
iface eth1 inet static
address 192.168.3.241
netmask 255.255.255.0
gateway 192.168.3.1​

Note: the host name resolves locally to the external IP and I can ping the external IP from outside the LAN

Output of pveversion -v:

pve-manager/2.3/ad9c5c05
root@vps:~# pveversion -v
pve-manager: 2.3-12 (pve-manager/2.3/ad9c5c05)
running kernel: 2.6.32-18-pve
proxmox-ve-2.6.32: 2.3-88
pve-kernel-2.6.32-18-pve: 2.6.32-88
lvm2: 2.02.95-1pve2
clvm: 2.02.95-1pve2
corosync-pve: 1.4.4-4
openais-pve: 1.1.4-2
libqb: 0.10.1-2
redhat-cluster-pve: 3.1.93-2
resource-agents-pve: 3.9.2-3
fence-agents-pve: 3.1.9-1
pve-cluster: 1.0-36
qemu-server: 2.3-17
pve-firmware: 1.0-21
libpve-common-perl: 1.0-48
libpve-access-control: 1.0-26
libpve-storage-perl: 2.3-6
vncterm: 1.0-3
vzctl: 4.0-1pve2
vzprocps: 2.0.11-2
vzquota: 3.1-1
pve-qemu-kvm: 1.4-6
ksm-control-daemon: 1.1-1​

Output of ipables --list:

Chain INPUT (policy ACCEPT)
target prot opt source destination


Chain FORWARD (policy ACCEPT)
target prot opt source destination


Chain OUTPUT (policy ACCEPT)
target prot opt source destination​

 

[dietmar]

but discovered that I cannot access the web interface from outside the local LAN. I have had no problem connecting from the local LAN at any point.

Do you get any error message? That should work without problems.

 

[m.ardito]

What URL are you using from the LAN and from outside, to access the web interface?

Marco

 

[DaveYoung]

Thanks for the quick reply! There is nothing in the apache log (no connection is established). What other error log should I review?

 

[DaveYoung]

Same URL: https://(FQDN):8006/

The FQDN resolves to the correct external IP both from inside the subnet and outside. It also resolves on the Proxmox server itself.

 

[dietmar]

Try to use tcpdump to see where packets gets lost.

 

[m.ardito]

Same URL: https://(FQDN):8006/

The FQDN resolves to the correct external IP both from inside the subnet and outside. It also resolves on the Proxmox server itself.

can you ping that FQDN from outside?

Marco

 

[DaveYoung]

tcpdump is showing no connection attempt from the IP addy my device outside the local subnet is on. This "feels" like a firewall issue except for the fact that through the same interface I can, from outside the subnet, access bridged IPs in the two VPSs on that box.

 

[DaveYoung]

Sure can.

 

[DaveYoung]

Update: In an effort to simplify the situation I decided to remove the 2nd NIC from the configuartion (eth1) which has a static ip on the local subnet and lo and behold I can now access the web interface (and ssh) the FQDN from outside the local net. I have no idea how that 2nd NIC config is affecting the eth0/bridge though.