
I don't see the trees anymore. Any hints are appreciated.

I have a root server and installed Proxmox; I only have one public IP. Went with a routed setup. Set up some basic stuff like 2FA and TLS certificates and then went on to get pfSense running so that I can OpenVPN into my private subnet and block access from the internet to the Proxmox Web UI.

I can't figure out what I'm missing; no matter what, I can't seem to get port forwarding from my Debian to the pfSense VM working.

IP Forwarding is enabled:

cat /proc/sys/net/ipv4/conf/enp35s0/forwarding
1

I have my private subnet with some client VMs in there; everything works fine:

auto vmbr1
iface vmbr1 inet static
        address 10.0.0.0/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

Main interface with the public address:

auto enp35s0
iface enp35s0 inet static
        address 1.1.1.175/26
        gateway 1.1.1.129
        up route add -net 1.1.1.128 netmask 255.255.255.192 gw 1.1.1.129 dev enp35s0

On enp35s0 all is good; I have SSH and Web UI access. Here is the config which I'm guessing is somehow wrong:

auto vmbr0
iface vmbr0 inet static
        address 172.16.0.1
        netmask 255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        # NAT
        post-up   iptables -t nat -A POSTROUTING -s '172.16.0.0/24' -o enp35s0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '172.16.0.0/24' -o enp35s0 -j MASQUERADE
        # Port Forward
        post-up iptables -t nat -A PREROUTING -d 1.1.1.175 -p tcp --dport 1194 -j DNAT --to-destination 172.16.0.2:1194
        post-up iptables -A FORWARD -p tcp -d 172.16.0.2 --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        post-up iptables -A POSTROUTING -t nat -p tcp -m tcp -s 172.16.0.2 --sport 1194 -j SNAT --to-source 1.1.1.175
        post-down iptables -t nat -D PREROUTING -i enp35s0 -p tcp --dport 1194 -j DNAT --to 172.16.0.2:1194

So basically:

< Internet > <Debian 1.1.1.175> <pfSense 172.16.0.2 / 10.0.0.1> <Client 10.0.0.2>

The client gets its IP from the pfSense DHCP and can ping pfSense and reach the internet. I'm guessing this means the basic functionality and routing on vmbr0 is working as expected.

What's not working is that I can't reach the OpenVPN server configured on the pfSense from the outside. When I test it with nmap, it just reports the port is closed.

Any ideas?

EDIT1: I don't use the built-in PVE firewall.

As suggested by Nikita, I persisted the configs as follows. IP forward:

grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward=1

Created an iptables save and rebooted the server to check if the config persists. The interface config now looks like:

auto vmbr0
iface vmbr0 inet static
        address 172.16.0.1
        netmask 255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

EDIT2: The routing table looks fine to me:

default via 1.1.1.129 dev enp35s0 proto kernel onlink
10.0.0.0/24 dev vmbr1 proto kernel scope link src 10.0.0.0
1.1.1.128/26 via 1.1.1.129 dev enp35s0
1.1.1.128/26 dev enp35s0 proto kernel scope link src 1.1.1.175
172.16.0.0/24 dev vmbr0 proto kernel scope link src 172.16.0.1
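Added example, not code from the question or its comments: the port forward above rewritten as a small script in which the down rules are generated from the same spec list as the up rules, so an add/delete pair cannot diverge (in the question the PREROUTING post-up matches on -d 1.1.1.175 while its post-down matches on -i enp35s0). It forwards both UDP and TCP 1194 because OpenVPN defaults to UDP, relies on the existing MASQUERADE instead of an extra SNAT rule, and checks with -C so running "up" twice never duplicates a rule. It assumes the addresses from the question (enp35s0, 1.1.1.175, 172.16.0.2) and that pfSense uses 172.16.0.1 as its default gateway; the host already has a connected route to 172.16.0.0/24 via vmbr0.

```shell
#!/bin/sh
# Added example: symmetric, idempotent DNAT port forward for the topology in the question.
# Assumed values (override via environment): WAN interface, public IP, pfSense WAN IP, port.
WAN_IF="${WAN_IF:-enp35s0}"
WAN_IP="${WAN_IP:-1.1.1.175}"
VPN_HOST="${VPN_HOST:-172.16.0.2}"
VPN_PORT="${VPN_PORT:-1194}"
IPT="${IPT:-iptables}"

# One line per rule: "<table> <chain> <match and target>". Both up and down
# consume this list, so a delete can never be written differently from its add.
pf_rule_specs() {
    for proto in udp tcp; do   # OpenVPN defaults to UDP; TCP kept in case the server was switched
        echo "nat PREROUTING -i $WAN_IF -d $WAN_IP -p $proto --dport $VPN_PORT -j DNAT --to-destination $VPN_HOST:$VPN_PORT"
        echo "filter FORWARD -i $WAN_IF -d $VPN_HOST -p $proto --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Return traffic for any forwarded flow; outbound NAT via MASQUERADE (no --sport SNAT rule needed).
    echo "filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "nat POSTROUTING -s $VPN_HOST/32 -o $WAN_IF -j MASQUERADE"
}

# apply_rule -A|-D <table> <chain> <match...>: -C checks for the rule first, so
# "up" never adds a duplicate and "down" never fails on a rule that is absent.
apply_rule() {
    action="$1"; table="$2"; shift 2
    if [ "$action" = "-A" ]; then
        $IPT -t "$table" -C "$@" 2>/dev/null || $IPT -t "$table" -A "$@"
    else
        if $IPT -t "$table" -C "$@" 2>/dev/null; then $IPT -t "$table" -D "$@"; fi
    fi
}

# Forwarding must be on in the kernel, or DNATed packets are dropped after PREROUTING.
check_forwarding() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]; }

pf_up() {
    check_forwarding || echo "warning: net.ipv4.ip_forward is not 1" >&2
    pf_rule_specs | while read -r spec; do apply_rule -A $spec; done
}
pf_down() { pf_rule_specs | while read -r spec; do apply_rule -D $spec; done; }

case "${1:-}" in
    up)   pf_up ;;
    down) pf_down ;;
    show) pf_rule_specs ;;
esac
```

Hook it from the bridge stanza as `post-up /path/to/pf.sh up` and `post-down /path/to/pf.sh down`, or run `pf.sh show` to review the exact rule set before applying it.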
  • 1. Do you use the built-in PVE firewall? 2. It is not a good idea to add such rules dynamically. Also you don't need the "SNAT" rule you've created; "MASQUERADE" is a SNAT-type rule, it is already there and will do everything. 3. You configured `10.0.0.0/24` on the bridge, which is a wrong address itself (available host addresses begin from 10.0.0.1 in this network), but try to set up port forwarding to `172.16.0.2`. How should the host access `172.16.0.0/24`, where is the route towards this network? Please make your configuration consistent, and then edit the question to reflect that. – Nikita Kipriyanov Jun 15 '22 at 12:53
  • *block access from the internet to the proxmox Web UI* --- by the way, Proxmox guys **state explicitly** that their Web UI is secure enough to be put directly onto the Internet without hesitation. It is possible that your "protection" will be less secure than just leaving it as it is by default. – Nikita Kipriyanov Jun 15 '22 at 12:59
  • Agreed that they state this. But it's not best practice anyway IMHO. I don't think that reducing the attack surface is a problem per se as long as the OpenVPN or WireGuard service is kept up to date. For me this approach is easier in regards to vulnerability scanning. It's hard to monitor and assess the vulns on the Web UI plus all its used libraries. – embedded Jun 15 '22 at 13:25
  • Why should 10.0.0.0 not be a valid address? – embedded Jun 15 '22 at 13:29
  • @NikitaKipriyanov Made the changes and edited the question accordingly – embedded Jun 15 '22 at 13:42