Two IPs for node, port 8006 is working only to one.

pavelg

Apr 26, 2023
Hello,

Please help me understand the correct setup.
Current config:
PCI shelf with one installed G25A - EMBEDDED SINGLE BOARD COMPUTER.
Two IPs are defined:
1.2.3.4/24 for eno1 I/F
3.4.5.101/26 for enp4s0f1 I/F
# ip a (only relevant):
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:88:21 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
8: enp4s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr2 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:a8:21 brd ff:ff:ff:ff:ff:ff
16: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:88:21 brd ff:ff:ff:ff:ff:ff
    inet 1.2.3.4/24 scope global vmbr1
       valid_lft forever preferred_lft forever
    inet6 XXXX::XXXX:XXXX:XXXX:8821/64 scope link
       valid_lft forever preferred_lft forever
21: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:a8:21 brd ff:ff:ff:ff:ff:ff
    inet 3.4.5.101/26 scope global vmbr2
       valid_lft forever preferred_lft forever
    inet6 XXXX::XXXX:XXXX:XXXX:a821/64 scope link
       valid_lft forever preferred_lft forever

# ip rule show
0: from all lookup local
32764: from all to 3.4.5.64/26 lookup rt2
32765: from 3.4.5.64/26 lookup rt2
32766: from all lookup main
32767: from all lookup default

# ip route list table rt2
default via 3.4.5.126 dev vmbr2
3.4.5.64/26 dev vmbr2 scope link src 3.4.5.101

Web access to 1.2.3.4:8006 is working well. This is our main I/F for developers.

# nc -zv 3.4.5.101 8006 (from the remote machine)
Connection to 3.4.5.101 8006 port [tcp/*] succeeded!

However, when going to http://3.4.5.101:8006, the following error appears:
This page isn’t working
3.4.5.101 didn’t send any data.
ERR_EMPTY_RESPONSE

Should I define 3.4.5.101 as "Management Interface", like 1.2.3.4? Can they both be defined as "Management I/F", or only one?

Thank you in advance,
Pavel
 
unless you manually changed that, pveproxy should listen on all interfaces/addresses. did you by chance enable the pve-firewall?
 
Hi Fabian,

Thank you for the fast reply.
This is the only thing that is defined:
fw.jpg

Should I add/change something?

Regards,
Pavel
 
if you enable the firewall, there is a special ipset for defining who can access the API/GUI:

https://pve.proxmox.com/pve-docs/ch..._ip_set_span_class_monospaced_management_span
Thank you.

This example is pointing to the /etc/pve/firewall/cluster.fw file.
We do not even have the /etc/pve/firewall folder. Should I create it?

I only see the /etc/pve/nodes/OUR-NODE/host.fw file.

# cat /etc/pve/nodes/OUR-NODE/host.fw
[RULES]
OUT ACCEPT -p tcp -dport 10051 -sport 10051 -log nolog
IN ACCEPT -p tcp -dport 10051 -sport 10051 -log nolog
OUT ACCEPT -p tcp -dport 10050 -sport 10050 -log nolog
IN ACCEPT -p tcp -dport 10050 -sport 10050 -log nolog


As you can see, no [IPSET management] is defined there.
Should I define it, adding both my subnets as allowed for management?

Regards,
Pavel
 
what does pve-firewall status say?
 
then it's not the firewall that is blocking your access ;) did you maybe forget to add the S to httpS:// ? the most recent versions of PVE should redirect you in that case, but maybe yours is not recent enough?
 
You are SUPER!!!
https was the issue

# pveversion
pve-manager/7.2-3/c743d6c1 (running kernel: 5.15.30-2-pve)
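
The symptom resolved in this thread (nc connects to 8006, http:// returns no data, https:// works) can be told apart from a firewall block with a two-step probe. The script below is an added example, not part of the original posts; the function names and result strings are assumptions chosen for illustration.

```python
import socket
import ssl
import sys

def classify_plain_reply(data: bytes) -> str:
    """Classify what a server sent back after a cleartext HTTP request."""
    if not data:
        return "empty"        # what a browser reports as ERR_EMPTY_RESPONSE
    if data.startswith(b"HTTP/"):
        return "http"         # cleartext answer, e.g. a redirect to https
    # TLS record header: type 0x15 (alert) or 0x16 (handshake), major version 0x03
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-record"
    return "unknown"

def diagnose(tcp_open: bool, plain: str, tls_ok: bool) -> str:
    """Turn the three observations into a verdict."""
    if not tcp_open:
        return "port closed or filtered: check listener and firewall"
    if tls_ok and plain != "http":
        return "TLS-only listener: use https://"
    if tls_ok:
        return "https works; http is answered (redirect or cleartext)"
    if plain == "http":
        return "cleartext HTTP only"
    return "port open but neither HTTP nor TLS answered"

def probe(host: str, port: int = 8006, timeout: float = 5.0) -> str:
    request = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            try:
                plain = classify_plain_reply(s.recv(4096))
            except OSError:   # reset or timeout: nothing usable came back
                plain = "empty"
    except OSError:
        return diagnose(False, "empty", False)
    # Protocol detection only: verification is off because the certificate is
    # not being trusted here, just the fact that a TLS handshake completes.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s) as tls:
                tls_ok = tls.version() is not None
    except OSError:           # ssl.SSLError is a subclass of OSError
        tls_ok = False
    return diagnose(True, plain, tls_ok)

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

Run it with the node address as the only argument; a "TLS-only listener" verdict means the firewall and routing are fine and only the URL scheme needs changing.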