Setup PVE Firewall on Masquerading config to open ports for my VM. I lose VM internet connection

getmekd

May 30, 2024
Hi all,

thanks in advance for anyone who helps me.
I've set up a Proxmox server with one node and 1 VM.
Set up the config for the network access with one vmbr0 which bridges the NIC and then another vmbr1 to which I connected my VM.
Internet access works fine but I realized I have no firewall enabled. Tried to enable it the first time and lost connection to the dashboard.
Managed to stop it from the console and set the port that Proxmox uses for the dashboard in the firewall rules and I got back on it.
The problem is, whenever I enable the firewall I lose connection to the internet from the VM.
Could someone please help me with this?

Thanks
 
Can you post your network configuration as well as your firewall configuration?

Code:
ip a
cat /etc/network/interfaces

cat /etc/pve/firewall/*
cat /etc/pve/local/host.fw

iptables-save -c
iptables-save -t nat -c
pve-firewall localnet

How are you trying to access your VM? From the outside?
 
Yes, I'm trying to access the VM from outside because I configured a git service and I need to access it from outside.
Do I need to do these commands in the Proxmox console?
 
What IP are you using to access the VM, the one on vmbr0? Do you have DNAT enabled for the VM or set up a public IP for the VM on vmbr0?

Yes, you need to use the console.
 
Yes, I have one public IP set up on the vmbr0. The one that I use to access the Proxmox GUI too via the 8006 port.
Going forward, the question really is, do I need the PVE firewall?
 
If you want to access the VM then you either need to set up DNAT or get a second public IP with which the VM is reachable.
 
Hi @shanreich I've managed to get to the service on the public IP with this rule:

iptables -t nat -A PREROUTING -p tcp -d MYPUBLICIP --dport 3000 -i vmbr0 -j DNAT --to-destination VMIP:3000

Is it good like that or do I need to set up anything else?
 
Hi @shanreich I've managed to get to the service on the public IP with this rule:

iptables -t nat -A PREROUTING -p tcp -d MYPUBLICIP --dport 3000 -i vmbr0 -j DNAT --to-destination VMIP:3000

Is it good like that or do I need to set up anything else?

Just wanted to post it! You should be fine using this rule.
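
An added example, not part of any post in this thread and not Proxmox's own file: a rule entered with `iptables -A` on the console is gone after a reboot, so this sketch keeps the thread's DNAT rule next to the masquerading rules in `/etc/network/interfaces`. The addresses are constructed (203.0.113.10 stands in for MYPUBLICIP, 10.10.10.2 for VMIP, 10.10.10.0/24 for the vmbr1 network), and the last pair of lines is the conntrack-zone rule that the Proxmox VE network documentation gives for masquerading setups with the firewall enabled.

```conf
# /etc/network/interfaces (fragment) -- constructed example values:
#   vmbr0         bridge that holds the public IP 203.0.113.10 (MYPUBLICIP)
#   10.10.10.0/24 private VM network on vmbr1, VM at 10.10.10.2 (VMIP)
auto vmbr1
iface vmbr1 inet static
        address 10.10.10.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        # Let the host route between vmbr1 and vmbr0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward

        # Outbound NAT for the VM network
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

        # Inbound port forward from the thread: public tcp/3000 -> VM tcp/3000
        post-up   iptables -t nat -A PREROUTING -i vmbr0 -p tcp -d 203.0.113.10 --dport 3000 -j DNAT --to-destination 10.10.10.2:3000
        post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -d 203.0.113.10 --dport 3000 -j DNAT --to-destination 10.10.10.2:3000

        # Conntrack zone for traffic arriving via the firewall bridges (fwbr*),
        # so that outgoing VM connections are still masqueraded when the
        # PVE firewall is enabled
        post-up   iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
        post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
```

Each `post-down` line deletes exactly the rule its `post-up` partner added, so bringing the bridge down and up again does not leave duplicate rules in the nat or raw tables.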
 
