Hi, first post here.
I've been trying to set up a Proxmox server with OPNsense as its main firewall. Having problems with what should be simple port forwarding for various other containers.
Mainly, I can't reach containers from the Windows PC on the same ISP router as Proxmox/OPNsense, despite what looks like correct port forwarding.
My basic network map and Proxmox network devices are below. I'll attach OPNsense port forwarding pages and logs on immediate replies.
Network Map.png
Node Network.png
All traffic for other VMs and unprivileged LXCs passes through the OPNsense VM:
WAN: vmbr0 (sole NIC eno1 slaved to it, with IP 192.168.1.20/24 and gateway 192.168.1.1)
LAN: vmbr1 (handled by OPNsense, given 192.168.20.1)
All firewalls on Proxmox webui for datacenter, node and VM/CT levels are off.
OPNsense firewall is mostly set to default pass till I figure out the port forwarding issues.
Internet access is available in all the containers and VMs.
Cloudflared tunnel works and programs on various containers are reachable through the tunnel.
If I move the containers to vmbr0 and have them visible to the ZTE router, access inside works without any problems.
In summary, what doesn't work is direct access from my Windows PC (192.168.1.70) on the same ZTE LAN as Proxmox (192.168.1.20) and OPNsense (192.168.1.100) to the programs inside containers (on the 192.168.20.x LAN network provided by OPNsense).
Incidentally, Factorio is reachable while Jellyfin or Soldat 2 is unreachable, which is even more confusing.
DNAT/SNAT
Port Forward-min.png
Outbound-min.png
WAN Rules-min.png
LAN Rules-min.png
Firewall logs
Factorio (working port forward):
Factorio Firewall Logs-min.png
Jellyfin (not working port forward):
Jellyfin Firewall Logs-min.png
Soldat 2 (not working port forward):
Soldat 2 Firewall Logs-min.png
Possibly the services don't accept access from outside of their local subnet.
Another possible reason is that the containers are missing a default gateway.
Quote from: viragomann on December 09, 2025, 02:48:34 PM
Possibly the services don't accept access from outside of their local subnet.
Jellyfin has a related option (I think) for this, but setting my router LAN subnet for it doesn't change anything, either.
Jellyfin LAN Networks.png
Quote from: viragomann on December 09, 2025, 02:48:34 PM
Another possible reason is that the containers are missing a default gateway.
DHCP IP binding and default gateways for the containers look usual:
root@Jellyfin:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether bc:24:11:cb:07:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.20.90/24 brd 192.168.20.255 scope global dynamic eth0
valid_lft 61862sec preferred_lft 61862sec
inet6 fe80::be24:11ff:fecb:7b7/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
root@Jellyfin:~# ip route show
default via 192.168.20.1 dev eth0
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.90
As the live view shows, the traffic is passed through OPNsense.
To be sure, you can run a packet capture on the LAN. Presumably the packets from the PC are going out there, but nothing is coming back.
If so, it's not on OPNsense.
You can try to hairpin the respective traffic on the LAN interface and see if it helps.
Quote from: viragomann on December 09, 2025, 08:07:43 PM
As the live view shows, the traffic is passed through OPNsense.
To be sure, you can run a packet capture on the LAN. Presumably the packets from the PC are going out there, but nothing is coming back.
If so, it's not on OPNsense.
You can try to hairpin the respective traffic on the LAN interface and see if it helps.
I tried to capture the packet traffic from both ends via Wireshark and OPNsense interface, but I'm not sure how to make sense of it at the moment.
Looks like SNAT/DNAT works, but there is some other problem causing no response to be received by the PC for the packets it keeps re-sending. The ISP router could be dropping the packets, but as far as the NAT goes the packets should look like requested ones, right?
Attaching the filtered pcap files.
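One way to make sense of a LAN-side capture like the one suggested above is to pair every forwarded SYN with a SYN-ACK coming back the other way; flows that keep retransmitting SYNs with no answer are the ones to chase. This is an added example written for this thread, not code from the thread or from OPNsense; the tcpdump lines are constructed, the PC (192.168.1.70) and Jellyfin container (192.168.20.90) addresses come from the thread, port 8096 is Jellyfin's default, and 192.168.20.50:8080 is a made-up working service for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn` text output as captured on the OPNsense LAN
# interface. The client address seen here also tells you whether outbound NAT
# rewrote the source: 192.168.1.70 means the container sees the PC directly.
SAMPLE = """\
12:00:01.000001 IP 192.168.1.70.51000 > 192.168.20.90.8096: Flags [S], seq 1, win 64240, length 0
12:00:01.000100 IP 192.168.1.70.52000 > 192.168.20.50.8080: Flags [S], seq 2, win 64240, length 0
12:00:01.000300 IP 192.168.20.50.8080 > 192.168.1.70.52000: Flags [S.], seq 10, ack 3, win 65160, length 0
12:00:02.000001 IP 192.168.1.70.51000 > 192.168.20.90.8096: Flags [S], seq 1, win 64240, length 0
12:00:04.000001 IP 192.168.1.70.51000 > 192.168.20.90.8096: Flags [S], seq 1, win 64240, length 0
"""

# One tcpdump line: timestamp, src.port > dst.port, then the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def analyze(capture_text):
    """Map (client_ip, client_port, server_ip, server_port) to SYN/SYN-ACK counts.

    A bare S flag is a handshake attempt from the client; an S. (SYN-ACK) in the
    reverse direction is the server answering it, so its key is swapped to land
    on the client's flow.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-TCP or unparsable line: ignored
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        if m["flags"] == "S":
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif m["flags"] == "S.":
            flows[(dst, dport, src, sport)]["synack"] += 1
    return dict(flows)


def unanswered(capture_text):
    """Flows whose SYNs reached the LAN but were never answered by the container."""
    return sorted(k for k, v in analyze(capture_text).items()
                  if v["syn"] and not v["synack"])


if __name__ == "__main__":
    for client_ip, client_port, server_ip, server_port in unanswered(SAMPLE):
        print(f"no SYN-ACK: {client_ip}:{client_port} -> {server_ip}:{server_port}")
```

Feed it `tcpdump -nn -r capture.pcap` output from the LAN side; if SYNs to the container appear but no SYN-ACKs, the reply is being lost inside the container or its host network rather than on the DNAT path.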