Trouble with local LXC ports access (behind OPNsense VM) from home network machines.

Land_Strider (New Member), Nov 25, 2025
Hey folks, my first post here after about a month into Proxmox and homelab experience on an HP Prodesk machine.

Mainly I'm getting about 10 unprivileged LXC containers for various programs to work behind an OPNsense VM, successfully tunneled via a cloudflared LXC to be reachable from the internet. Here's my rudimentary network map for starters:
[image: Network Map.png]

However, I can't reach those programs or containers directly from my Windows PC on the same ISP router home network. I can reach the Proxmox host directly on LAN at 192.168.1.20:8006 or via SSH, but I can reach neither the containers directly nor the programs in them, despite having fiddled with OPNsense NAT for some time. Here's my OPNsense port forwarding:
[screenshots: 1764083731170.png, 1764083787966.png, 1764083819060.png]

Firewall logs (when trying to reach 192.168.1.100:8096 from Windows PC):
[screenshot: 1764084136722.png]
There are no general or specific block rules touching port 8096, it seems.

All Proxmox firewalls are turned off and input/output policies set to Allow on datacenter, node or VM/CT levels on the webgui.

Programs are reachable either via Ubuntu VM on the same OPNsense vmbr1 network with containers (192.168.20.x), or via internet as tunneled by the cloudflared CT translating the container+port addresses to subdomain.mydomain.net.

I can't reach the programs from my Windows PC via LAN in my home network and I can't figure out at which level (ISP router, Proxmox, or OPNsense) I'm having my connection secretly blocked or dropped as I don't even get an error code other than the connection stalling for a few minutes then timing out or giving "connection reset".
 
What does the network config of Jellyfin look like? Is a default gateway configured there? If not, it wouldn't know how to reply to an IP outside of its own subnet.
If that doesn't help, you could try to use tcpdump on Jellyfin to find out if there are any incoming packets when you try to reach it from your Windows PC.

And, according to your diagram, Jellyfin, Minecraft and Factorio all have the same IP. Is that a typo?
 
Hey, thanks for your interest. Here's my Jellyfin network.xml content:


XML:
<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <BaseUrl></BaseUrl>
  <EnableHttps>false</EnableHttps>
  <RequireHttps>false</RequireHttps>
  <CertificatePath />
  <CertificatePassword />
  <InternalHttpPort>8096</InternalHttpPort>
  <InternalHttpsPort>8920</InternalHttpsPort>
  <PublicHttpPort>8096</PublicHttpPort>
  <PublicHttpsPort>8920</PublicHttpsPort>
  <AutoDiscovery>true</AutoDiscovery>
  <EnableIPv4>true</EnableIPv4>
  <EnableIPv6>false</EnableIPv6>
  <EnableRemoteAccess>true</EnableRemoteAccess>
  <LocalNetworkSubnets>
        <string>192.168.20.0/24</string>
  </LocalNetworkSubnets>
  <LocalNetworkAddresses>
        <string>192.168.20.0/24</string>
  </LocalNetworkAddresses>
  <KnownProxies>
        <string>192.168.20.0/24</string>
  </KnownProxies>
  <IgnoreVirtualInterfaces>true</IgnoreVirtualInterfaces>
  <VirtualInterfaceNames>
    <string>veth</string>
  </VirtualInterfaceNames>
  <EnablePublishedServerUriByRequest>false</EnablePublishedServerUriByRequest>
  <PublishedServerUriBySubnet />
  <RemoteIPFilter />
  <IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
</NetworkConfiguration>

I don't see a default gateway setting either here or on the webui (same options there). Am I supposed to handle it elsewhere?

The container IP assignments being the same is a mistake from copy/pasting the diagram boxes. All containers and VMs have their own IPv4 addresses on the same LAN.
 
Hi Land_Strider,
the gateway for an LXC is configured on the Proxmox web UI in the network settings of the LXC, right where you also configure its IP.
 
Tried setting the default gateway to 192.168.20.1 but it didn't work. 192.168.1.1 didn't work either, and internet was unreachable through this.
[screenshot: 1764225786102.png]

Here's a few seconds of tcpdump from the Jellyfin container. It looks like it receives traffic from and returns traffic to the OPNsense LAN gateway (192.168.20.1) when I try to access 192.168.1.100:8096 from my PC:

Code:
root@Jellyfin:~# tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:24:02.455585 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [S], seq 3172986105, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
07:24:02.455598 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [S.], seq 3895099770, ack 3172986106, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
07:24:02.456393 IP 192.168.20.1 > Jellyfin.local: ICMP redirect 192.168.20.1 to host 192.168.1.70, length 60
07:24:02.457068 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [.], ack 1, win 513, length 0
07:24:02.457294 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
07:24:02.457304 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [.], ack 412, win 501, length 0
07:24:02.457406 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:02.548830 IP Jellyfin.local.52331 > one.one.one.one.domain: 22651+ PTR? 1.20.168.192.in-addr.arpa. (43)
07:24:02.566781 IP one.one.one.one.domain > Jellyfin.local.52331: 22651 NXDomain 0/0/0 (43)
07:24:02.566931 IP Jellyfin.local.40333 > one.one.one.one.domain: 41801+ PTR? 70.1.168.192.in-addr.arpa. (43)
07:24:02.584898 IP one.one.one.one.domain > Jellyfin.local.40333: 41801 NXDomain 0/0/0 (43)
07:24:02.653695 IP Jellyfin.local.35723 > one.one.one.one.domain: 55584+ PTR? 1.1.1.1.in-addr.arpa. (38)
07:24:02.660604 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:02.671287 IP one.one.one.one.domain > Jellyfin.local.35723: 55584 1/0/0 PTR one.one.one.one. (67)
07:24:02.757729 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
07:24:02.757735 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [.], ack 412, win 501, options [nop,nop,sack 1 {1:412}], length 0
07:24:02.868605 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:03.276609 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:03.362719 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
07:24:03.362726 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [.], ack 412, win 501, options [nop,nop,sack 1 {1:412}], length 0
07:24:04.116522 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:04.572792 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
07:24:04.572806 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [.], ack 412, win 501, options [nop,nop,sack 1 {1:412}], length 0
07:24:05.780604 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:06.977737 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
07:24:06.977745 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [.], ack 412, win 501, options [nop,nop,sack 1 {1:412}], length 0
07:24:07.637601 ARP, Request who-has 192.168.20.1 tell Jellyfin.local, length 28
07:24:07.637770 ARP, Reply 192.168.20.1 is-at bc:24:11:3f:e4:4f (oui Unknown), length 28
07:24:09.044613 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111

29 packets captured
29 packets received by filter
0 packets dropped by kernel
 
tcpdump from the pve node at the same time:

Code:
10:24:02.004820 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 36764:37001, ack 1, win 594, length 237
10:24:02.059400 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 37001, win 4104, length 0
10:24:02.103580 IP 198.41.200.63.7844 > 192.168.1.100.27366: UDP, length 21
10:24:02.108868 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 37001:37315, ack 1, win 594, length 314
10:24:02.127163 IP 192.168.1.100.48098 > 198.41.200.193.7844: UDP, length 41
10:24:02.129296 IP 192.168.1.100.27366 > 198.41.200.63.7844: UDP, length 49
10:24:02.152473 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 37315, win 4103, length 0
10:24:02.168324 IP 198.41.200.193.7844 > 192.168.1.100.48098: UDP, length 32
10:24:02.212780 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 37315:37785, ack 1, win 594, length 470
10:24:02.261062 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 37785, win 4101, length 0
10:24:02.316783 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 37785:38022, ack 1, win 594, length 237
10:24:02.317108 IP 192.168.1.100.44841 > 198.41.192.77.7844: UDP, length 41
10:24:02.369614 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 38022, win 4106, length 0
10:24:02.398423 IP 198.41.192.77.7844 > 192.168.1.100.44841: UDP, length 29
10:24:02.420866 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 38022:38413, ack 1, win 594, length 391
10:24:02.455450 IP 192.168.1.70.52089 > 192.168.1.100.8096: Flags [S], seq 3172986105, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:24:02.455718 IP 192.168.1.100.8096 > 192.168.1.70.52089: Flags [S.], seq 3895099770, ack 3172986106, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:24:02.456264 IP 192.168.1.1 > 192.168.1.100: ICMP redirect 192.168.1.70 to host 192.168.1.70, length 60
10:24:02.456944 IP 192.168.1.70.52089 > 192.168.1.100.8096: Flags [.], ack 1, win 513, length 0
10:24:02.457047 IP 192.168.1.70.52089 > 192.168.1.100.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
10:24:02.457421 IP 192.168.1.100.8096 > 192.168.1.70.52089: Flags [.], ack 412, win 501, length 0
10:24:02.457454 IP 192.168.1.100.8096 > 192.168.1.70.52089: Flags [P.], seq 1:112, ack 412, win 501, length 111
10:24:02.462648 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 38413, win 4104, length 0
10:24:02.524868 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 38413:39507, ack 1, win 594, length 1094
10:24:02.535958 ARP, Request who-has 192.168.1.106 tell 192.168.1.115, length 46
10:24:02.537111 ARP, Request who-has 192.168.1.110 tell 192.168.1.115, length 46
10:24:02.538275 ARP, Request who-has 192.168.1.1 tell 192.168.1.115, length 46
10:24:02.539486 ARP, Request who-has 192.168.1.104 tell 192.168.1.115, length 46
10:24:02.549043 IP 192.168.1.100.42923 > one.one.one.one.domain: 22651+ PTR? 1.20.168.192.in-addr.arpa. (43)
10:24:02.566643 IP one.one.one.one.domain > 192.168.1.100.42923: 22651 NXDomain 0/0/0 (43)
10:24:02.567032 IP 192.168.1.100.61336 > one.one.one.one.domain: 41801+ PTR? 70.1.168.192.in-addr.arpa. (43)
10:24:02.567274 IP pve.local.8006 > 192.168.1.70.52036: Flags [P.], seq 3313457397:3313457756, ack 1271465990, win 594, length 359
10:24:02.571340 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 39507, win 4106, length 0
10:24:02.584682 IP one.one.one.one.domain > 192.168.1.100.61336: 41801 NXDomain 0/0/0 (43)
10:24:02.585321 IP pve.local.8006 > 192.168.1.70.52036: Flags [P.], seq 359:924, ack 1, win 594, length 565
10:24:02.585544 IP 192.168.1.70.52036 > pve.local.8006: Flags [.], ack 924, win 4106, length 0
10:24:02.628753 IP pve.local.50390 > one.one.one.one.domain: 47818+ PTR? 106.1.168.192.in-addr.arpa. (44)
10:24:02.628920 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 39507:39645, ack 1, win 594, length 138
10:24:02.646152 IP one.one.one.one.domain > pve.local.50390: 47818 NXDomain 0/0/0 (44)
10:24:02.646449 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 39645:40836, ack 1, win 594, length 1191
10:24:02.646800 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 40836, win 4101, length 0
10:24:02.653867 IP 192.168.1.100.2288 > one.one.one.one.domain: 55584+ PTR? 1.1.1.1.in-addr.arpa. (38)
10:24:02.660758 IP 192.168.1.100.8096 > 192.168.1.70.52089: Flags [P.], seq 1:112, ack 412, win 501, length 111
10:24:02.671132 IP one.one.one.one.domain > 192.168.1.100.2288: 55584 1/0/0 PTR one.one.one.one. (67)
10:24:02.671753 IP pve.local.8006 > 192.168.1.70.52036: Flags [P.], seq 924:1362, ack 1, win 594, length 438
10:24:02.695770 IP 198.41.192.67.7844 > 192.168.1.100.21210: UDP, length 21
10:24:02.721330 IP 192.168.1.100.21210 > 198.41.192.67.7844: UDP, length 60
10:24:02.726438 IP 192.168.1.70.52036 > pve.local.8006: Flags [.], ack 1362, win 4104, length 0
10:24:02.732916 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 40836:42063, ack 1, win 594, length 1227
10:24:02.756990 IP pve.local.8006 > 192.168.1.70.52036: Flags [P.], seq 1362:1716, ack 1, win 594, length 354
10:24:02.757566 IP 192.168.1.70.52089 > 192.168.1.100.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
10:24:02.757847 IP 192.168.1.100.8096 > 192.168.1.70.52089: Flags [.], ack 412, win 501, options [nop,nop,sack 1 {1:412}], length 0
10:24:02.788548 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 42063, win 4106, length 0
10:24:02.804059 IP 192.168.1.70.52036 > pve.local.8006: Flags [.], ack 1716, win 4103, length 0
10:24:02.836815 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 42063:42753, ack 1, win 594, length 690
10:24:02.861060 IP pve.local.8006 > 192.168.1.70.52036: Flags [P.], seq 1716:1990, ack 1, win 594, length 274
10:24:02.868765 IP 192.168.1.100.8096 > 192.168.1.70.52089: Flags [P.], seq 1:112, ack 412, win 501, length 111
10:24:02.881526 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 42753, win 4103, length 0
10:24:02.912577 IP 192.168.1.70.52036 > pve.local.8006: Flags [.], ack 1990, win 4102, length 0
10:24:02.940850 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 42753:43311, ack 1, win 594, length 558
10:24:02.965022 IP pve.local.8006 > 192.168.1.70.52036: Flags [P.], seq 1990:2129, ack 1, win 594, length 139
10:24:02.990207 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 43311, win 4101, length 0

...

10:24:08.036824 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 69533:69771, ack 30, win 594, length 238
10:24:08.078591 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 69771, win 4102, length 0
10:24:08.140883 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 69771:70009, ack 30, win 594, length 238
10:24:08.155484 IP 198.41.200.63.7844 > 192.168.1.100.27366: UDP, length 21
10:24:08.178222 IP 192.168.1.100.48098 > 198.41.200.193.7844: UDP, length 41
10:24:08.181423 IP 192.168.1.100.27366 > 198.41.200.63.7844: UDP, length 49
10:24:08.187174 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 70009, win 4101, length 0
10:24:08.219357 IP 198.41.200.193.7844 > 192.168.1.100.48098: UDP, length 32
10:24:08.244921 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 70009:70557, ack 30, win 594, length 548
10:24:08.295784 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 70557, win 4106, length 0
10:24:08.348865 IP pve.local.8006 > 192.168.1.70.52026: Flags [P.], seq 70557:70795, ack 30, win 594, length 238
10:24:08.358153 ARP, Request who-has 192.168.1.100 (bc:24:11:94:3f:c9 (oui Unknown)) tell 192.168.1.70, length 46
10:24:08.358317 ARP, Reply 192.168.1.100 is-at bc:24:11:94:3f:c9 (oui Unknown), length 28
10:24:08.388862 IP 192.168.1.70.52026 > pve.local.8006: Flags [.], ack 70795, win 4105, length 0
10:24:08.428689 IP 192.168.1.70.52098 > pve.local.8006: Flags [S], seq 3521541508, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
10:24:08.428707 IP pve.local.8006 > 192.168.1.70.52098: Flags [S.], seq 1134567808, ack 3521541509, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
10:24:08.429519 IP 192.168.1.70.52098 > pve.local.8006: Flags [.], ack 1, win 4106, length 0
10:24:08.429966 IP 192.168.1.70.52098 > pve.local.8006: Flags [.], seq 1:1461, ack 1, win 4106, length 1460
10:24:08.429974 IP pve.local.8006 > 192.168.1.70.52098: Flags [.], ack 1461, win 525, length 0
10:24:08.430079 IP 192.168.1.70.52098 > pve.local.8006: Flags [P.], seq 1461:2400, ack 1, win 4106, length 939
10:24:08.430085 IP pve.local.8006 > 192.168.1.70.52098: Flags [.], ack 2400, win 548, length 0
10:24:08.431869 IP pve.local.8006 > 192.168.1.70.52098: Flags [P.], seq 1:2911, ack 2400, win 548, length 2910
10:24:08.432848 IP 192.168.1.70.52098 > pve.local.8006: Flags [.], ack 2911, win 4106, length 0
10:24:08.433566 IP 192.168.1.70.52098 > pve.local.8006: Flags [P.], seq 2400:2480, ack 2911, win 4106, length 80
10:24:08.433676 IP 192.168.1.70.52098 > pve.local.8006: Flags [P.], seq 2480:3417, ack 2911, win 4106, length 937
10:24:08.433776 IP pve.local.8006 > 192.168.1.70.52098: Flags [P.], seq 2911:3421, ack 3417, win 571, length 510
10:24:08.435295 IP pve.local.8006 > 192.168.1.70.52098: Flags [P.], seq 3421:4629, ack 3417, win 571, length 1208
10:24:08.435512 IP 192.168.1.70.52098 > pve.local.8006: Flags [.], ack 4629, win 4106, length 0
10:24:08.444059 IP 192.168.1.70.52098 > pve.local.8006: Flags [P.], seq 3417:4358, ack 4629, win 4106, length 941
10:24:08.446999 IP pve.local.8006 > 192.168.1.70.52098: Flags [P.], seq 4629:6123, ack 4358, win 594, length 1494
10:24:08.447265 IP 192.168.1.70.52098 > pve.local.8006: Flags [.], ack 6123, win 4106, length 0
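An added example, not from the thread, that reads the kind of tcpdump text output posted above (it works on either the container-side or the PVE-side dump) and reports the things worth checking in it: data segments sent more than once, directions whose data the peer never acknowledged, and ICMP redirects. The sample lines are constructed in the shape of the container capture; the `analyse` function and its field names are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the container-side tcpdump output above:
# handshake, client request, server reply, retransmissions, ICMP redirect.
SAMPLE = """\
07:24:02.455585 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [S], seq 3172986105, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
07:24:02.455598 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [S.], seq 3895099770, ack 3172986106, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
07:24:02.456393 IP 192.168.20.1 > Jellyfin.local: ICMP redirect 192.168.20.1 to host 192.168.1.70, length 60
07:24:02.457294 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
07:24:02.457406 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:02.660604 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
07:24:02.757729 IP 192.168.20.1.62742 > Jellyfin.local.8096: Flags [P.], seq 1:412, ack 1, win 513, length 411
07:24:02.868605 IP Jellyfin.local.8096 > 192.168.20.1.62742: Flags [P.], seq 1:112, ack 412, win 501, length 111
"""

# src.port > dst.port, flags, optional "seq lo[:hi]", optional ack, length
TCP_RE = re.compile(
    r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
    r"(?:, seq (\d+)(?::(\d+))?)?(?:, ack (\d+))?.*, length (\d+)$")
ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP redirect (\S+) to host ([^,\s]+)")


def analyse(text):
    """Summarise tcpdump text output: data segments seen more than once,
    directions whose data was never acknowledged, and ICMP redirects."""
    segments = Counter()  # (src, sport, dst, dport, "lo:hi") -> times seen
    high_seq = {}         # direction -> highest relative sequence byte sent
    max_ack = {}          # direction being acknowledged -> highest ack seen
    redirects = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:  # tcpdump prints "redirect <original dst> to host <gateway>"
            redirects.append(dict(zip(("sender", "receiver", "dst", "gateway"), m.groups())))
            continue
        m = TCP_RE.match(line)
        if not m or "S" in m.group(5):
            continue  # skip DNS/ARP lines and the handshake (absolute seq numbers)
        src, sport, dst, dport, _, lo, hi, ack, length = m.groups()
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if int(length) > 0 and hi:
            segments[fwd + (f"{lo}:{hi}",)] += 1
            high_seq[fwd] = max(high_seq.get(fwd, 0), int(hi))
        if ack:  # an ack from src covers the data dst has sent so far
            max_ack[rev] = max(max_ack.get(rev, 0), int(ack))
    retransmitted = {k: n - 1 for k, n in segments.items() if n > 1}
    unacked = [d for d, h in high_seq.items() if h > max_ack.get(d, 0)]
    return {"retransmitted": retransmitted, "unacked": unacked, "redirects": redirects}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for (src, sp, dst, dp, rng), n in result["retransmitted"].items():
        print(f"{src}:{sp} -> {dst}:{dp} resent bytes {rng} {n} time(s)")
    for src, sp, dst, dp in result["unacked"]:
        print(f"{src}:{sp} -> {dst}:{dp}: data never acknowledged by the peer")
    for r in result["redirects"]:
        print(f"{r['sender']} told {r['receiver']}: reach {r['dst']} via {r['gateway']}")
```

Run it against a saved `tcpdump -n` text file instead of SAMPLE to see which side of a stalled connection is repeating itself and whose data never gets acknowledged.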
 
tcpdump on PVE shows a few replies from 192.168.1.100:8096 to 192.168.1.70, so the configuration on the LXC and OPNsense seems to be correct now, and OPNsense at least tries to send replies.
  1. You have the firewall enabled for the OPNsense VM. What does the firewall configuration for that machine look like on PVE?
  2. If there is nothing suspicious, you could
    1. check the output of ip a on PVE
    2. create a pcap file with tcpdump on PVE by using the -w parameter and open it with Wireshark. There you could check the packets from 192.168.1.100:8096 and look for the "Interface index". ip a also shows the interface indexes of the PVE host, so you could find out which interface is used to send these packets. If some of them are sent out on eno1, PVE seems to be configured properly.
  3. If that's the case, you could use Wireshark on the Windows PC to see if there are any incoming packets from 192.168.1.100:8096.