Routed Configuration Port Forwarding

mbc

Member
Oct 12, 2020
So I'm starting to tinker with Proxmox and I'm setting up a container with OpenVPN on it. On the OpenVPN side of things everything seems to be working correctly and OpenVPN is listening on port 1194.

The router is set to forward port 1194 into 192.168.1.222 which is the IP address of the Proxmox server. The network is 192.168.1.0/24

I'm using the Routed configuration from the Proxmox tutorial: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_network_configuration


My interfaces file is:
Code:
auto lo
iface lo inet loopback



auto eno1
iface eno1 inet static
        address 192.168.1.222/24
        gateway 192.168.1.1
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp


auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1


        post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1194 -j DNAT --to 10.10.10.20:1194
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1194 -j DNAT --to 10.10.10.20:1194
        post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 1194 -j DNAT --to 10.10.10.20:1194
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 1194 -j DNAT --to 10.10.10.20:1194

So as I said, 192.168.1.222 is the server address on the LAN.
VM 100 (which hosts OpenVPN) is on address 10.10.10.20 on bridge vmbr0.


On the last 4 lines you can see my attempt at forwarding TCP+UDP port 1194 to said VM with no success.

From the VM I can ping to google.com which means that I have access to the WAN.
Using Open Port check tool: https://www.yougetsignal.com/tools/open-ports/ I can see that port 1194 is not open.
As this is a house with dynamic IP I'm using a DDNS to have outside access to the server. If I introduce the DDNS address I get redirected to the router's management interface. So this means that everything is working correctly on this side.

With all this checkup I'm pretty sure the problem is in the port forwarding of Proxmox.
What am I doing wrong?




PS: I also tried using the simple setup for network configuration: https://hery.serasera.org/mg/content/proxmox-4-single-public-ip-setup-private-network But this configuration makes the server unreachable. So that's why I'm struggling with this.
 
Executing netstat -tulp on the host gives:
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      1160/spiceproxy     
tcp        0      0 localhost.localdom:smtp 0.0.0.0:*               LISTEN      1029/master         
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      1154/pveproxy       
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      1/init             
tcp        0      0 localhost.localdomai:85 0.0.0.0:*               LISTEN      1145/pvedaemon     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      816/sshd           
tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      1029/master         
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      1/init             
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      816/sshd           
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*                           1/init             
udp6       0      0 [::]:sunrpc             [::]:*                              1/init

And on the LXC container:

Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.53:domain       0.0.0.0:*               LISTEN      92/systemd-resolved
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      132/sshd           
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      288/master         
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      132/sshd           
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      288/master         
udp        0      0 127.0.0.53:domain       0.0.0.0:*                           92/systemd-resolved
udp        0      0 CT100.google.co:openvpn 0.0.0.0:*                           118/openvpn

So it seems like the host hasn't forwarded the OpenVPN ports.
 
It seems to me that your problem may lie in the fact you have two internal networks 192.168.1.0/24 and 10.10.10.20/24 - how are you routing between them?

On my personal setup, my proxmox host runs behind a pfSense firewall. I can host a webserver and have my Plex and Emby servers NAT'd behind the PFSense and that works solidly. If I really need external access to my system I have OpenVPN running as a service on pfSense and with a VPN client I can access my internal network from wherever I need to.
 
Thanks for your reply

It seems to me that your problem may lie in the fact you have two internal networks 192.168.1.0/24 and 10.10.10.20/24 - how are you routing between them?

Being able to ping my internal 192.198.1.0 and external (google.com) network, I thought that all my routing was correct. Am I wrong?

On my personal setup, my proxmox host runs behind a pfSense firewall. I can host a webserver and have my Plex and Emby servers NAT'd behind the PFSense and that works solidly. If I really need external access to my system I have OpenVPN running as a service on pfSense and with a VPN client I can access my internal network from wherever I need to.
I only have this Proxmox server. I'm stuck with the crappy ISP router :(
 
I'm surprised that you can ping 192.168.1.1 and google.com from your VM - which has its gateway on a separate network and really should not work.
Can you do a traceroute from the VM?

It's possible to run pfsense behind an ISP router, but it's simpler if you can enable "pass-through" or "modem mode" if you want to run complex network setups but this also means you would have to provide your own wifi setup as well.

What's your goal with this? or are you just trying to learn?
 
I'm surprised that you can ping 192.168.1.1 and google.com from your VM - which has its gateway on a separate network and really should not work.
Can you do a traceroute from the VM?
I was surprised too. At first the gateway was on the 10.10.10.0 network, but it didn't work.
Here's the traceroute:

Code:
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max
  1   10.10.10.1  0.002ms  0.001ms  0.002ms
  2   192.168.1.1  0.460ms  0.277ms  0.259ms


If I traceroute to google.com it's the same as above but with several steps through the outside network of the house.

What's your goal with this? or are you just trying to learn?
For the moment it's just for learning.
 
Ah, I suppose this is working because the Proxmox network is acting as a Network Bridge but it's not able to route

You might get some clues and pointers here

Proxmox Networks
 
It turns out that yesterday I was too asleep. Because now I have tried to change the gateway on the VM to 10.10.10.1 and it works. The traceroute is the same though.


I still can't forward the port 1194
Ah, I suppose this is working because the Proxmox network is acting as a Network Bridge but it's not able to route

You might get some clues and pointers here

Proxmox Networks
OK, that's the same guide I followed but from a different Proxmox page.


I used, from that same page, the same configuration as the "Routed Configuration" section (changing the necessary IP address). The problem is that this guide doesn't describe how to port forward ports.

So the question is: Does anyone know how to port forward in the "Routed Configuration" Proxmox's guide?
 
The problem was that your DNAT rules were matching traffic coming in the bridge: -i vmbr0

where you should have matched on the WAN-facing interface: eno1

Code:
post-up iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 1194 -j DNAT --to 10.10.10.20:1194
etc.
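
A check for the mistake described above, as an added example that is not part of the original post: it reads rules in `iptables-save` format and flags any DNAT port forward that matches on an interface other than the WAN-facing one. The function names, the `WAN_IF` variable and the sample rules are assumptions built from the addresses and interface names in this thread.

```shell
#!/bin/sh
# Added example: audit DNAT port forwards in iptables-save format.
# WAN_IF and the sample rules below are assumptions based on the thread.
WAN_IF="eno1"

# Constructed sample in the format printed by `iptables-save -t nat`.
# The first rule repeats the original mistake (-i vmbr0), the second is
# the corrected form. The container's netstat output shows OpenVPN
# listening on UDP only, so the UDP forward is the one that matters here.
sample_rules() {
cat <<'EOF'
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 1194 -j DNAT --to-destination 10.10.10.20:1194
-A PREROUTING -i eno1 -p udp -m udp --dport 1194 -j DNAT --to-destination 10.10.10.20:1194
-A POSTROUTING -s 10.10.10.0/24 -o eno1 -j MASQUERADE
EOF
}

# check_dnat WAN_IF: reads rules on stdin and prints one line per DNAT rule:
#   OK  <iface> <proto>/<port> -> <dest>   rule matches on the WAN interface
#   BAD <iface> <proto>/<port> -> <dest>   rule matches on another interface
# Returns 1 if any rule is BAD, 0 otherwise.
check_dnat() {
    awk -v wan="$1" '
    /^-A PREROUTING / && /-j DNAT/ {
        iface = proto = port = dest = "?"
        for (i = 1; i < NF; i++) {
            if ($i == "-i")      iface = $(i + 1)
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
            if ($i == "--to-destination" || $i == "--to") dest = $(i + 1)
        }
        status = (iface == wan) ? "OK" : "BAD"
        if (status == "BAD") bad = 1
        printf "%s %s %s/%s -> %s\n", status, iface, proto, port, dest
    }
    END { exit bad + 0 }'
}

# Stand-alone run over the constructed sample.
sample_rules | check_dnat "$WAN_IF" || echo "DNAT rules marked BAD do not match on $WAN_IF"
```

On the Proxmox host the same function can be fed the live ruleset with `iptables-save -t nat | check_dnat eno1`.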
 
