Trouble with local LXC ports access (behind OPNsense VM) from home network machines.

L

Land_Strider

New Member
Nov 25, 2025
2
0
1
Hey folks, my first post here after about a month into Proxmox and homelab experience on an HP Prodesk machine.

Mainly I'm getting about 10 unprivileged lxc containers for various programs work behind an OPNsense VM and successfully tunneled via cloudflared lxc to be reachable from the internet. Here's my rudimentary network map for starters:
Network Map.png

However, I can't reach those programs or containers directly from my Windows PC on the same ISP router home network. I can reach the Proxmox host directly on on LAN 192.168.1.20:8006 or via ssh, but I can neither reach the containers directly or the programs in them, despite having fiddled with OPNsense NAT for some time. Here's my OPNsense Port Forwarding:
1764083731170.png
1764083787966.png
1764083819060.png

Firewall logs (when trying to reach 192.168.1.100:8096 from Windows PC):
1764084136722.png
There are no block general or specific block rules touching the 8096 port interactions, it seems.

All Proxmox firewalls are turned off and input/output policies set to Allow on datacenter, node or VM/CT levels on the webgui.

Programs are reachable either via Ubuntu VM on the same OPNsense vmbr1 network with containers (192.168.20.x), or via internet as tunneled by the cloudflared CT translating the container+port addresses to subdomain.mydomain.net.

I can't reach the programs from my Windows PC via LAN in my home network and I can't figure out at which level (ISP router, Proxmox, or OPNsense) I'm having my connection secretly blocked or dropped as I don't even get an error code other than the connection stalling for a few minutes then timing out or giving "connection reset".
 
How does the network config of Jellyfin look like? Is a default gateway configured there? If not, it wouldn't know how to reply to an IP outside of its own subnet.
If that doesn't help you could try to use tcpdump on Jellyfin to find out if there are any incoming packets when you try to reach it from your Windows PC.

And, according to your diagram, Jellyfin, Minecraft and Factorio all have the same IP. Is that a typo?
 
dnllmb said:
How does the network config of Jellyfin look like? Is a default gateway configured there? If not, it wouldn't know how to reply to an IP outside of its own subnet.
If that doesn't help you could try to use tcpdump on Jellyfin to find out if there are any incoming packets when you try to reach it from your Windows PC.

And, according to your diagram, Jellyfin, Minecraft and Factorio all have the same IP. Is that a typo?
Click to expand...
Hey, thanks for your interest. Here's my Jellyfin network.xml content:


XML: 
<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <BaseUrl></BaseUrl>
  <EnableHttps>false</EnableHttps>
  <RequireHttps>false</RequireHttps>
  <CertificatePath />
  <CertificatePassword />
  <InternalHttpPort>8096</InternalHttpPort>
  <InternalHttpsPort>8920</InternalHttpsPort>
  <PublicHttpPort>8096</PublicHttpPort>
  <PublicHttpsPort>8920</PublicHttpsPort>
  <AutoDiscovery>true</AutoDiscovery>
  <EnableIPv4>true</EnableIPv4>
  <EnableIPv6>false</EnableIPv6>
  <EnableRemoteAccess>true</EnableRemoteAccess>
  <LocalNetworkSubnets>
        <string>192.168.20.0/24</string>
  </LocalNetworkSubnets>
  <LocalNetworkAddresses>
        <string>192.168.20.0/24</string>
  </LocalNetworkAddresses>
  <KnownProxies>
        <string>192.168.20.0/24</string>
  </KnownProxies>
  <IgnoreVirtualInterfaces>true</IgnoreVirtualInterfaces>
  <VirtualInterfaceNames>
    <string>veth</string>
  </VirtualInterfaceNames>
  <EnablePublishedServerUriByRequest>false</EnablePublishedServerUriByRequest>
  <PublishedServerUriBySubnet />
  <RemoteIPFilter />
  <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
</NetworkConfiguration>

I don't see a default gateway setting either here or on the webui (same options there). Am I supposed to handle it elsewhere?

The container ip assigments being the same is a mistake from copy/pasting the diagram boxes. All containers and VMs have their own ip4 addresses on the same LAN.
 
Hi Land_Strider,
the gateway for an LXC is configured on the Proxmox web UI in the network settings of the LXC, right were you also configure its IP.
 
You must log in or register to reply here.
Top Bottom