[SOLVED] PVE-Firewall and Gui Access

jamest65

Apr 29, 2021
Hi Guys,

I have everything working on Proxmox and I am working towards a paid license for Proxmox and teaching myself passthrough and the basics. Admin isn't my strongest point, but I have found Proxmox to be very easy to work with. I can ping internally and do RDP securely to my VMs from my remote IP; I even have ZeroTier working great, etc.

I have set up an IPSET "management" at the DC level as per the tutorial and included my remote residential broadband IP, thinking this would allow me remote access to the GUI, but to no avail. I am hoping this is a simple misunderstanding on my part.

Q. By adding my remote residential broadband IP to the ipset, should this allow me remote access to https://node_ip:8006? Or is there something else I have to set in order to allow my remote IP access? Every time I turn on pve-firewall I get locked out.

Thanks in advance for any guidance; I have searched everywhere.
 
hi,

sounds to me like a misconfiguration.

* can you show your firewall rules?
* is firewall also configured on the node level?
 
Hi and thanks for the quick response. Firewall is configured at DC and Node level, yes.

Code:
[OPTIONS]

enable: 1
ebtables: 0
policy_in: ACCEPT

[IPSET externalip]

XXX.XX.XX.100 # MY LOCATION

[IPSET management] # Remote IP Access Gui

10.146.112.196
10.146.112.245

[RULES]

|IN ACCEPT -i eno2 -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p udp -dport 8006 -sport 8006 -log nolog
|IN ACCEPT -i eno2 -source 10.146.112.245 -dest 10.146.112.103 -p tcp -dport 8006 -sport 8006 -log nolog
GROUP pxcetl -i eno2 # Management Group
IN DROP -log nolog

[group pxcetl] # default pxc group

|IN ACCEPT -source 10.146.112.196 -dest 10.14.112.103 -p tcp -dport 8006 -sport 8006 -log nolog
|IN ACCEPT -source 10.146.112.196 -dest 10.14.112.103 -p tcp -dport 8006 -sport 8006 -log nolog
|IN ACCEPT -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p udp -dport 5404:5405 -sport 5404:5405 -log nolog
|IN ACCEPT -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p udp -dport 9993 -sport 9993 -log nolog
|IN ACCEPT -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p tcp -dport 8006 -sport 8006 -log nolog
|IN ACCEPT -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p tcp -dport 5900:5999 -sport 5900:5999 -log nolog
|IN ACCEPT -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p tcp -dport 111 -sport 111 -log nolog
|IN ACCEPT -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p tcp -dport 22 -sport 22 -log nolog
|IN ACCEPT -source XXX.XX.XX.100 -dest PUBLIC IP CENSORED -p tcp -dport 3128 -sport 3128 -log nolog
|IN DROP -log nolog
 
to allow port 8006, you should pick destination port 8006 and source port empty (also for the other ports)
 
Hi, thanks. I removed all the -sport from the cluster.fw and restarted everything, and still no access from my remote IP. I have an open SSH session to make sure I don't lose access.
 
I noticed that 8006 is only listening on ipv6
Code:
tcp6       0      0 :::8006                 :::*                    LISTEN      59100/pveproxy
Is that normal?
 
what are you getting from ss -antlp | grep 8006 ?
can you also post:
* cat /etc/hosts
* cat /etc/default/pveproxy (maybe empty)
* cat /etc/pve/nodes/<NODENAME>/host.fw and the cluster.fw again
 
thanks for your patience Oguz, there is definitely a misconfiguration somewhere, pveproxy is missing, see below

ss -antlp |grep 8006 shows
Code:
LISTEN   0        128                          *:8006                  *:*       users:(("pveproxy worker",pid=59103,fd=6),("pveproxy worker",pid=59102,fd=6),("pveproxy worker",pid=59101,fd=6),("pveproxy",pid=59100,fd=6))

I looked in cat /etc/default/pveproxy and there is no pveproxy file?

/etc/hosts
Code:
127.0.0.1 localhost.localdomain localhost
PUBLIC IP CENSORED PVE-PXC-ETL001.LOCAL PVE-PXC-ETL001

# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

NODE FW
Code:
[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -i eno2 -source +externalip -dest PUBLIC IP CENSORED -p udp -dport 8006 -log nolog
IN ACCEPT -i eno2 -source 10.146.112.245 -dest 10.146.112.103 -p udp -dport 8006 -log nolog
IN ACCEPT -i eno2 -source 10.146.112.245 -dest 10.146.112.103 -p udp -dport 9993 -log nolog
IN ACCEPT -i eno2 -source +management -dest 10.146.112.103 -p udp -dport 9993 -log nolog
GROUP pxcetl -i eno2
IN DROP -log nolog
 
ss -antlp |grep 8006 shows
Code:
LISTEN 0 128 *:8006 *:*
this is then normal :)

I looked in cat /etc/default/pveproxy and there is no pveproxy file?
that's alright, it doesn't exist by default but i wanted to check.

IN ACCEPT -i eno2 -source +externalip -dest PUBLIC IP CENSORED -p udp -dport 8006 -log nolog
can you try with protocol TCP instead of UDP for port 8006?

how are you restarting the firewall? please try as in [0]

[0]: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_services_and_commands
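The two pitfalls raised above (a fixed -sport that never matches, and UDP instead of TCP for pveproxy) side by side with the corrected rules. This is an added, constructed example, not the thread's own cluster.fw or host.fw; the interface name eno2 and the ipset name "management" come from the thread, while 203.0.113.10 is a placeholder for the remote broadband IP.

```ini
# /etc/pve/firewall/cluster.fw  (constructed example)
[OPTIONS]
enable: 1

[IPSET management]   # admin sources allowed to reach the web UI and SSH
203.0.113.10         # placeholder: remote broadband IP
10.146.112.196
10.146.112.245

[RULES]
# Disabled ("|") on purpose: the browser picks a random source port, so
# "-sport 8006" never matches, and pveproxy listens on TCP, so "-p udp"
# never matches either. This rule silently lets nothing through.
|IN ACCEPT -i eno2 -source +management -p udp -dport 8006 -sport 8006 -log nolog
# Corrected: TCP, destination port only, source limited to the ipset.
IN ACCEPT -i eno2 -source +management -p tcp -dport 8006 -log nolog
IN ACCEPT -i eno2 -source +management -p tcp -dport 22 -log nolog
# Everything else inbound is dropped; keep an SSH session open while testing.
IN DROP -log nolog

# /etc/pve/nodes/<NODENAME>/host.fw  (constructed example)
# The node must also have the firewall enabled, or the DC rules never apply.
[OPTIONS]
enable: 1
```

After editing, `pve-firewall compile` prints the generated iptables rules so you can confirm the 8006 ACCEPT line is present with `--dport 8006` and `-p tcp` before trusting the lockout-free path.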
 
Hi Oguz, I changed from UDP to TCP and I restart the firewall: pve-firewall stop, pve-firewall start, etc. I also do a systemctl restart networking.service to be sure.

Services are showing as OK. I also enabled emerg 0 on the node log.
 
did it work? can you access the UI from your IP now?
 
Yes, once I replaced my +externip with my IP directly in the FW rules it gave me access. Thanks. I can't believe I missed the UDP - TCP lol. Thanks for your patience.
 