Ok so rather than letting the router perform the allow-list, you told the PVE firewall to perform this? I think I will simply let my router's firewall perform this.I don’t use VPN in that case but I opened the port only for specific source IP addresses (so only addresses of my Nodes). All other Source IPs are blocked by Firewall.
Oh nice, I just setup two OPNSense routers, so much higher performance, even on weak old xeons! Why spend thousands on something with 1-4GB of RAM and a few ARM CPU cores when you can build a better version for a couple hundred?No, I have a dedicated machine as firewall (OPNsense) and Proxmox Backup Server is running as VM on my QNAP.