TLDR: this is NOT about not being able to access PXVE from external SSH client.
This is asking how to stop Firewall from blocking accesses to a local virtual ethernet device, which it happens I am accessing _from_ a local tun device which is the exit of an ssh point-to-point encrypted IP tunnel.
Apologies, the post is slightly long, but it could also be a good guide to ssh access to the web GUI for newbies.

Some background.
I have fully working GUI and ssh access to my PXVE development server on the LAN here beside me.
As intermediate steps I first setup simple SSH access:
GUI accessible via
'firefox --url=https://192.168.5.252:8006'
I had setup access to web GUI via ssh port forward:
Code:
# temporary. use an external interface to proxy via ssh
Host deb82_pe
        Hostname 192.168.11.138
        Port 22
        User root
        LocalForward localhost:18006 192.168.11.138:8006
        LocalForward localhost:3128 192.168.11.138:3128
        LocalForward localhost:61000 192.168.11.138:61000

GUI accessible via
'firefox --url=https://127.0.0.1:18006'
Then I had set up a virtual ethernet dummy interface on the server
Code:
root@deb82:~# cat /etc/network/interfaces.d/dummy0
auto dummy0
iface dummy0 inet static
        address 10.255.0.1
        netmask 255.0.0.0
        bridge_ports none

access to web GUI via ssh (PXVE listening on a local virtual interface dummy0)
Code:
Host deb82_p
        Hostname 192.168.11.138
        Port 22
        User root
        LocalForward localhost:18006 10.255.0.1:8006
        LocalForward localhost:3128 10.255.0.1:3128
        LocalForward localhost:61000 10.255.0.1:61000

Those were intermediate steps on the way to setting up a tun device that sshd could use:
Code:
root@deb82:~# cat /etc/network/interfaces.d/tun0
auto tun0
iface tun0 inet manual
  tunctl_user ssh
  up ifconfig tun0 promisc arp 0.0.0.0 up
[user@k8 ~]$ sudo ssh -l root -o Tunnel=point-to-point -w any:0 192.168.11.138
root@deb82:~# ip addr | egrep -A 2 '^[[:digit:]]+:[[:space:]]+tun[[:digit:]]+:[[:space:]]+'
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.0.10.1/8 scope global tun0

after adding ip addresses and checking routing etc.
I can access the web gui on PXVE using the encrypted tunnel thus:
GUI accessible via
'firefox --url=https://10.255.0.1:8006'
So far all is good.
I have a 10.0.0.0/8 encrypted network that I can use for administration.

Now I try to use the Proxmox Firewall and stuff begins to confuse me.
I attempted to follow along according to the documentation.
https://pve.proxmox.com/wiki/Proxmox_VE_Firewall#WebUI_Configuration
I have been familiar with iptables for many years, but when I cannot make the firewall do what I want,
I think to return it to disabled, and thus restore my access, but this does not happen.
Reload the firewall settings to activate any changes.
Server View / NodeName / Services Tab / pve-firewall Restart
But now my access to dummy0 10.255.0.1 _from_ tun0 is filtered
whereas access to dummy0 from 127.0.0.1 still works.
Code:
root@deb82:~# nmap -S 127.0.0.1 -T4 -Pn -p 22,111,3128,5900,8006,61000 10.255.0.1
Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-14 11:46 BST
Nmap scan report for 10.255.0.1
Host is up (0.000018s latency).
PORT      STATE    SERVICE
22/tcp    open     ssh
111/tcp   open     rpcbind
3128/tcp  open     squid-http
5900/tcp  filtered vnc
8006/tcp  open     unknown
61000/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 14.38 seconds
root@deb82:~#
root@deb82:~# nmap  -e tun0 -T4 -Pn -p 22,111,3128,5900,8006,61000 10.255.0.1
Starting Nmap 6.47 ( http://nmap.org ) at 2016-09-14 11:47 BST
Nmap scan report for 10.255.0.1
Host is up (0.00083s latency).
PORT      STATE    SERVICE
22/tcp    filtered ssh
111/tcp   filtered rpcbind
3128/tcp  filtered squid-http
5900/tcp  filtered vnc
8006/tcp  filtered unknown
61000/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 13.28 seconds
root@deb82:~#

p.s. I took screenshots but the forum would not let me upload them.
Code:
$ ls -lGh
total 424K
-rw-rw-r-- 1 colin 218K Sep 14 12:07 deb82_Datacentre_Firewall_Rules.png
-rw-rw-r-- 1 colin 203K Sep 14 12:10 deb82_Firewall_Rules.png
Code:
root@deb82:~# cat /etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 1
policy_in: ACCEPT
[RULES]
OUT ACCEPT -i dummy0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 10.0.0.0/8 -p tcp
OUT ACCEPT -i dummy0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 10.0.0.0/8 -p tcp
|IN ACCEPT -i dummy0 -p tcp -dport 61000
|IN ACCEPT -i dummy0 -p tcp -dport 3128
|IN ACCEPT -i dummy0 -p tcp -dport 8006
|IN ACCEPT -i vmbr1 -p tcp -dport 8006
|IN ACCEPT -i vmbr1 -p tcp -dport 22
IN ACCEPT -i eth1 -dest 192.168.5.252 -p tcp -dport 22
IN ACCEPT -i eth0 -dest 192.168.11.138 -p tcp -dport 22
Code:
root@deb82:~# cat /etc/pve/nodes/deb82/host.fw
[OPTIONS]
enable: 1
log_level_in: debug
log_level_out: debug
[RULES]
OUT ACCEPT -i dummy0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 192.168.0.0/16 -p tcp
OUT ACCEPT -i tun0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i tun0 -source 192.168.0.0/16 -p tcp
OUT ACCEPT -i dummy0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i dummy0 -source 10.0.0.0/8 -p tcp
OUT ACCEPT -i tun0 -dest 10.0.0.0/8 -p tcp
IN ACCEPT -i tun0 -source 10.0.0.0/8 -p tcp
IN ACCEPT -i eth0 -source 192.168.0.0/16 -p tcp
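As an added example (not code from the post or from Proxmox), here is a small Python model of how the [RULES] section of these .fw files decides one flow, so you can check whether the rule you expect to match really matches the flow as described. It assumes rules are tried top to bottom with the first enabled match winning, that a leading '|' marks a disabled rule, and that an unmatched packet falls to policy_in / policy_out (assumed DROP and ACCEPT when unset); HOST_FW is a constructed subset of the host.fw above plus one disabled rule.

```python
import ipaddress
# Constructed subset of the host.fw from the post, plus one '|' (disabled) rule.
HOST_FW = """\
[OPTIONS]
enable: 1
[RULES]
OUT ACCEPT -i dummy0 -dest 192.168.0.0/16 -p tcp
IN ACCEPT -i dummy0 -source 192.168.0.0/16 -p tcp
IN ACCEPT -i tun0 -source 10.0.0.0/8 -p tcp
|IN ACCEPT -i dummy0 -p tcp -dport 8006
"""

def parse_fw(text):
    """Return (options, enabled rules); each rule keeps its raw line for reporting."""
    section, options, rules = None, {}, []
    for ln in (raw.strip() for raw in text.splitlines()):
        if not ln:
            continue
        if ln.startswith("["):
            section = ln.strip("[]").upper()
        elif section == "OPTIONS":
            key, _, val = ln.partition(":")
            options[key.strip()] = val.strip()
        elif section == "RULES" and not ln.startswith("|"):  # '|' marks a disabled rule
            words = ln.split()
            rule = {"raw": ln, "dir": words[0], "action": words[1]}
            rule.update((flag.lstrip("-"), val) for flag, val in zip(words[2::2], words[3::2]))
            rules.append(rule)
    return options, rules

def matches(rule, flow):
    """A rule matches when every selector it carries agrees with the flow."""
    if rule["dir"] != flow["dir"] or rule.get("i", flow["iface"]) != flow["iface"]:
        return False
    if rule.get("p", flow["proto"]) != flow["proto"] or int(rule.get("dport", flow["dport"])) != flow["dport"]:
        return False
    for sel, field in (("source", "src"), ("dest", "dst")):  # CIDR selectors
        if sel in rule and ipaddress.ip_address(flow[field]) not in ipaddress.ip_network(rule[sel], strict=False):
            return False
    return True

def decide(text, flow):
    """First matching enabled rule wins; otherwise the direction's policy (assumed defaults: IN DROP, OUT ACCEPT)."""
    options, rules = parse_fw(text)
    for rule in rules:
        if matches(rule, flow):
            return rule["action"], rule["raw"]
    policy = "policy_in" if flow["dir"] == "IN" else "policy_out"
    return options.get(policy, "DROP" if policy == "policy_in" else "ACCEPT"), policy
```

It models only the listed rules, not the firewall's built-in chains, so a flow it accepts can still be dropped elsewhere; a flow that arrives on a different interface than the one named in `-i` simply never matches, which is why the interface a packet really enters on matters more than its source address.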