Unable to Connect to Proxmox GUI from Another Subnet

[andrewixl]

I have been trying for days on a fresh proxmox install to access the web gui from a different subnet.

PC1 (192.168.11.145/24)
Proxmox (192.168.10.27/24)
Unifi Gateway/Firewall (192.168.10.1 or 192.168.11.1)

I can ping the Proxmox box from PC 1 but ssh and the web gui (ensuring to use HTTPS) does not work.

I have disabled the firewall on the Datacenter and Node with no new success.
I have disabled all rules on my unifi device that could block traffic.

The only success I have had is creating a new bridge connected to a separate NIC linked to 192.168.11.252. This then allows me to ssh and access the gui from PC1 using 192.168.10.27 IP address. The only problem with this is that for each VM I then need to link it to both bridges which is not ideal as my 192.168.11.0/24 is 99% DHCP, I would prefer to use static.

Any help would be greatly appreciated. let me know if you need anything else.

 

[fba]

Please provide the output of the following two commands for PVE host:
cat /etc/network/interfaces
ip r s

 

[andrewixl]

Please provide the output of the following two commands for PVE host:
cat /etc/network/interfaces
ip r s

cat /etc/network/interfaces:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp3s0 inet manual

iface enp4s0 inet manual

iface wlo1 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.10.27/24
gateway 192.168.10.1
bridge-ports enp3s0
bridge-stp off
bridge-fd 0

source /etc/network/interfaces.d/*

ip r s:
default via 192.168.10.1 dev vmbr0 proto kernel onlink
192.168.10.0/24 dev vmbr0 proto kernel scope link src 192.168.10.27

 

[fba]

I have disabled the firewall on the Datacenter and Node with no new success.

Firewall at PVE does neither block ssh nor GUI access by default.

separate NIC linked to 192.168.11.252. This then allows me to ssh and access the gui from PC1 using 192.168.10.27 IP address

This is confusing me. You add another virtual bridge at the PVE host. The assigned port is enp4s0 (?), the ip is 192.168.11.252/24. And then suddendly you can access the PVE host at it's ip 192.168.10.27? How is this network interface connected, to the same unifi device?

Would also please share the output of command ip a?

 

[andrewixl]

Firewall at PVE does neither block ssh nor GUI access by default.


This is confusing me. You add another virtual bridge at the PVE host. The assigned port is enp4s0 (?), the ip is 192.168.11.252/24. And then suddendly you can access the PVE host at it's ip 192.168.10.27? How is this network interface connected, to the same unifi device?

Would also please share the output of command ip a?

Yes this interface is connected to the same unifi device but the port is set to the .11 subnet.

ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
link/ether e0:be:03:68:9a:9f brd ff:ff:ff:ff:ff:ff
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 8c:a6:82:70:07:dc brd ff:ff:ff:ff:ff:ff
inet6 fd62:2566:7fd0:4e49:8ea6:82ff:fe70:7dc/64 scope global dynamic mngtmpaddr
valid_lft 1701sec preferred_lft 1701sec
inet6 fe80::8ea6:82ff:fe70:7dc/64 scope link
valid_lft forever preferred_lft forever
4: wlo1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 70:a8:d3:35:9b:34 brd ff:ff:ff:ff:ff:ff
altname wlp0s20f3
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e0:be:03:68:9a:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.10.27/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::e2be:3ff:fe68:9a9f/64 scope link
valid_lft forever preferred_lft forever
19: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 8c:a6:82:70:07:dc brd ff:ff:ff:ff:ff:ff
inet 192.168.11.252/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::8ea6:82ff:fe70:7dc/64 scope link
valid_lft forever preferred_lft forever
22: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether fe:c7:cc:b3:c3:e6 brd ff:ff:ff:ff:ff:ff
23: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether 2e:a1:d0:de:15:43 brd ff:ff:ff:ff:ff:ff

 

[fba]

19: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 8c:a6:82:70:07:dc brd ff:ff:ff:ff:ff:ff
inet 192.168.11.252/24 scope global vmbr0

Is the vmbr0 here a copy-paste error?
If not, then you configured bridge vmbr1 to have vmbr0 as port. In result you have a second ip address and therefore are in the same subnet as the pc.
Are you sure the unifi device is configured right regarding routing?

 

[andrewixl]

Is the vmbr0 here a copy-paste error?
If not, then you configured bridge vmbr1 to have vmbr0 as port. In result you have a second ip address and therefore are in the same subnet as the pc.
Are you sure the unifi device is configured right regarding routing?

Apoloigies, you are correct that is an error, I was trying to test to see if I could when I took that ip a

ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
link/ether e0:be:03:68:9a:9f brd ff:ff:ff:ff:ff:ff
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 8c:a6:82:70:07:dc brd ff:ff:ff:ff:ff:ff
inet6 fd62:2566:7fd0:4e49:8ea6:82ff:fe70:7dc/64 scope global dynamic mngtmpaddr
valid_lft 1701sec preferred_lft 1701sec
inet6 fe80::8ea6:82ff:fe70:7dc/64 scope link
valid_lft forever preferred_lft forever
4: wlo1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 70:a8:d3:35:9b:34 brd ff:ff:ff:ff:ff:ff
altname wlp0s20f3
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether e0:be:03:68:9a:9f brd ff:ff:ff:ff:ff:ff
inet 192.168.10.27/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::e2be:3ff:fe68:9a9f/64 scope link
valid_lft forever preferred_lft forever
19: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 8c:a6:82:70:07:dc brd ff:ff:ff:ff:ff:ff
inet 192.168.11.252/24 scope global vmbr1
valid_lft forever preferred_lft forever
inet6 fe80::8ea6:82ff:fe70:7dc/64 scope link
valid_lft forever preferred_lft forever
22: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether fe:c7:cc:b3:c3:e6 brd ff:ff:ff:ff:ff:ff
23: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr1 state UNKNOWN group default qlen 1000
link/ether 2e:a1:d0:de:15:43 brd ff:ff:ff:ff:ff:ff

 

[fba]

Well, the network configurations you posted are looking fine to me. From everything you posted so far, my best guess is, it might be an issue with the Unifi device, not routing/allowing traffic between the networks. So it might be an option to ask in manufacturer's community instead.