VM firewall Rules functioning intermittently

bibostin

Aug 28, 2022
Hi there, hope you are all doing well! I'm having a bit of an issue with getting Proxmox's firewall to play nicely with a VM I have. My use case at this very minute is quite simple, I just want to host a single Arch VM while I learn more about the OS as I switch from VMware, this VM has a TeamSpeak VoIP service running that uses ports 9987/udp and 30033/tcp to communicate with clients, pretty bog standard but we all have to start somewhere :)

I think I have my head wrapped around how proxmox's firewalling operates but just to lay it in the open my current understanding is that DC firewall rules apply to all hosts in a cluster but hosts can also have individual firewall settings for case by case control, individual VM firewalls are separate from both the dc and node firewalls given you are using a bridging interface and not NAT or masquerading (I am using a bridging interface to connect VM's to my private network.)

The current problem I am encountering is that only some of the firewall rules I have applied to my VM instance seem to actually take effect, both the ICMP and SSH rules I have below work fine, however the other three do not seem to function. I have pinned this down specifically to the VM firewall rules with my current understanding.
Screenshot_2022-08-28_19-47-29.png
This can be seen when I turn the firewall on and off as shown below:

Working but firewall disabled :(
Screenshot_2022-08-28_19-28-23.png
Not working but firewall enabled with valid rules :(
Screenshot_2022-08-28_19-29-28.png
pinging and ssh however both work as expected on my local network.
Screenshot_2022-08-28_19-34-40.png


I feel it's worth mentioning alongside this that my troubleshooting thus far has led me to poke around a bit at the common problems people face and that all of the following are currently true:
- I have the VM's MAC tied to a static address on my local network via DHCP so it doesn't hop around with reboots
- rebooting the host / reloading the firewall doesn't affect the current result
- Data center firewall is enabled ( has local network limited macros to provide icmp and ssh)
- Node firewall is enabled (no rules)
- Guest VM firewall is enabled (service becomes accessible when its disabled)
- Guest VM interface (net0) has the affected by firewall checkbox enabled
Screenshot_2022-08-28_19-19-48.png
Guest VM netfilter rules are completely flushed, so Proxmox should be the point of arbitration for firewall rules and there are no leftover rules causing this behaviour
Screenshot_2022-08-28_19-16-21.png
Firewall service is running on the host, host is also up to date package-wise
Screenshot_2022-08-28_19-23-16.png
likewise firewall config entries for both the host and VM (vm id being 100) are present and validate what the GUI is showing
Screenshot_2022-08-28_19-25-37.png
Screenshot_2022-08-28_19-45-14.png

Apologies in advance for this as I'm sure I'm missing something small, however I just can't seem to find anything obvious in regards to what it might be. Perhaps I am missing some syntax in the rule declaration that the SSH macro / ICMP one handle? Or maybe my understanding of how the firewall layers are logically segregated isn't up to snuff, I'm not quite sure.

Thanks for all your help and advice in advance,
Bibostin.
 

Have you tried to remove the source port section? Usually, if another computer opens a new connection, the source port is not deterministic.
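
Why a pinned source port blocks clients, as an added example that is not part of the original thread: the VM firewall file below is constructed (the actual rules are only visible in the screenshots), and the `-sport` values, the client's port 51514 and the helper names are assumptions.

```python
# Constructed sample of a VM firewall file (/etc/pve/firewall/100.fw).
# The -sport values are an assumption about what the original rules contained.
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[RULES]
IN SSH(ACCEPT) -log nolog
IN ACCEPT -p icmp -log nolog
IN ACCEPT -p udp -dport 9987 -sport 9987 -log nolog
IN ACCEPT -p tcp -dport 30033 -sport 30033 -log nolog
"""

def parse_rules(text):
    """Return [RULES] entries as dicts: direction, action and '-name value' options."""
    rules, in_rules = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_rules = line.upper() == "[RULES]"
        elif in_rules and line and not line.startswith("#"):
            tok = line.split()
            rule = {"dir": tok[0], "action": tok[1]}
            rule.update({tok[i].lstrip("-"): tok[i + 1] for i in range(2, len(tok) - 1, 2)})
            rules.append(rule)
    return rules

def matches(rule, proto, sport, dport):
    """True if an inbound packet satisfies every field the rule pins (single ports only)."""
    if rule["dir"] != "IN" or rule.get("p") != proto:
        return False
    return all(int(rule[k]) == v for k, v in (("sport", sport), ("dport", dport)) if k in rule)

def accepted(rules, proto, sport, dport):
    """Assumes the VM's input policy drops anything no ACCEPT rule matches."""
    return any(r["action"] == "ACCEPT" and matches(r, proto, sport, dport) for r in rules)

def pinned_source_port(rules):
    """Lint: inbound rules that require a specific client source port."""
    return [r for r in rules if r["dir"] == "IN" and "sport" in r]

def without_sport(rules):
    """The fix from the thread: leave the source port unset."""
    return [{k: v for k, v in r.items() if k != "sport"} for r in rules]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_FW)
    client = ("udp", 51514, 9987)  # constructed packet: ephemeral source port
    print("rules pinning -sport:", len(pinned_source_port(rules)))
    print("before fix:", accepted(rules, *client))
    print("after fix: ", accepted(without_sport(rules), *client))
```
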
 
Bingo that was it.
Screenshot_2022-08-29_13-02-41.png
Thanks very much for your help Aaron, I always tend to overthink and miss the simple stuff that becomes obvious once someone reminds me of it, I should have slept on it a bit more.

I have one further question that should also be relatively simple, as can be seen in the above screenshot the service is available on my local network now from the VM, however when I try to access it via my public IP, it's unreachable.
Screenshot_2022-08-28_19-16-211.png

The only other firewall present on my home network is the one present in my router and a NAT rule exists to forward traffic on these ports to the endpoint, the outgoing WAN interface for this page is set to the appropriate int and I have checked the page entries for all the other endpoints I have and none have conflicting assignments that might be messing with this.

Screenshot_2022-08-29_13-04-05.png

The domain definitely points to my public address and AAA records are propagated on the internet (was working on previous non vm host regardless, but always worth checking.)
Screenshot_2022-08-29_13-20-08111.png

The VM itself definitely has access to the internet via vmbr0
Screenshot_2022-08-28_19-25-373333.png

Any thoughts on where I might be going wrong here? My understanding is that given the VM is bridged by vmbr0 to my local network, I don't need to make further firewall changes at the DC or node level so this should just work, but obviously some part of the jigsaw is missing otherwise it would work.

Thanks again for all of your help in assisting me troubleshoot, I appreciate these are probably quite common problems that you get peppered with regularly but I hope that I'm including enough information and graphics to make understanding my problem simple on your end.

Bibostin.
 
Have you checked if it works from the outside? Your phone, a laptop connected to your phone in hotspot mode?

If it doesn't, do you actually end up on your router if you try to access it from the outside? No carrier grade NAT or such shenanigans?
 
Hi Aaron, no CGNAT that I am aware of, although maybe plusnet have changed this recently I have never encountered issues that would point to this in the past.

To illustrate this, I have another host on 192.168.1.3 that runs a DNS for the local network, but also provides wireguard access to the local network for remote hosts, this is done on port 51822 with no issues.
Screenshot_2022-08-30_15-34-33.png
In the below image, the terminal on the left is my laptop using my mobile's 4G connection via tethering to hit my home network from outside. The terminal on the right shows the host responsible for running the WireGuard tunnel to my home network, as you can see, no issues, this works fine with my local NAT and the public address is reachable which is why I don't think CGNAT is a factor.

Screenshot_2022-08-30_15-26-40.png
I've had no issues with this in the past so I'm not quite sure what's causing the problem.
 

Funnily enough, while reading through some documentation for Draytek routers online I discovered that there's actually a second page for setting up individual port redirection rules, rather than just doing what I'd normally do which is set up a page for each individual host.

Screenshot_2022-08-30_19-25-26.png
I've been pulling my hair out a bit over this so I thought I may as well give it a go, and lo and behold! When I make a rule in here, which I've never had to do in the past, it seems to get its act together.
Screenshot_2022-08-30_19-31-38.png
With port redirection rule disabled (bearing in mind previous open port page exists and is enabled for the exact same ports, you can ignore the port conflict note it has there, this is a false positive I've checked a few times.)

Screenshot_2022-08-30_19-32-19.png
Bit of a journey!

I appreciate this is a forum for Proxmox but if anyone has any comments on why it would be functioning this way out of the blue with no other changes I'd love to hear your thoughts, I don't think it's a firmware issue as this Draytek has been chugging along without any problems for years.

In any case perhaps it's time to throw in the towel and move to pfSense or OPNsense on a VM and just have it work as a modem for that to avoid further weirdness.

Thanks again for all your help Aaron, hope you have a lovely rest of your week.
 

