
Messages - imothep77

#1
Crystal clear, the conclusion I was moving towards...

However, why does enabling this rule in OPNsense prevent me from accessing any of my other servers inside the same network, but not my Proxmox WebGUI?
#2
Thank you guys for your replies.

I know there are some other ways of limiting access to my Proxmox GUI, but the intent of this post is to understand why a PC is able to connect to one machine (my Proxmox host) when I have specific rules on my firewall explicitly blocking traffic to the whole network range except to the DNS server / port, when I'm not a "ManagementPC". The rule seems to be working, as I'm not able to access the Opnsense WebGUI - again, this is the expected behaviour - but I'm still able to log into my Proxmox WebGUI.

To cookiemonster's question, here's my setup:

--------------------
| Proxmox Host     |-------------- Managed Switch --------------- PC
|------------------|
| OPNsense is a    |
| VM here          |                          LAN
|                  |
--------------------


  • Proxmox host has a static IP on the Management VLAN
  • PC is connected to the Management VLAN and gets its IP from OPNsense in the Management VLAN
  • OpnSense is a VM using

    • native Proxmox LAN as its LAN interface
    • a specific WAN interface on a WAN VLAN as the WAN interface
    • a specific pfsync interface on a specific VLAN as OPT1 interface
    • all other VLANs (including Management VLAN, main LAN VLAN and guest VLAN for instance) are set up inside Opnsense
#3
Thanks for your reply.

In that case, how come I'm getting the expected behavior, i.e. not being able to connect to my OPNsense WebGUI when I'm not a Management_PC?
#5
Hi all,

I've been struggling with the below for the whole day.
Didn't find any related topic here, so here I am -

I have 2 Proxmox physical machines, on each one of them, I have an OpnSense VM (both Opns run in HA).
All 4 machines live in the same "management" VLAN, let's say 10.0.10.0/24.
I have defined the following rules on the MGMT interface (VLAN 10):

  1. allow any IPv4 TCP/UDP traffic from MGMT net to OPNsense VIP on port 53 (DNS)
  2. allow any IPv4 traffic to non-RFC1918 + bogon networks (allow all machines on the MGMT net to access the Internet)
  3. allow any IPv4 traffic from ManagementPCs (alias) to any
  4. block IPv4+IPv6 traffic from any to any (I guess this one is not necessary, but I like to be explicit)
Now from a ManagementPC, I get the exact behaviour I want, basically, I have access to anything.
However, still on the MGMT interface, when connecting from my laptop (which receives an IP that is not listed in the Management PCs alias), I have a weird behavior related to rule 4:

  • I can ping/access the Internet, both 8.8.8.8 and google.com - this is expected through rules 1 and 2
  • I cannot ping any of my OPNsense VMs nor any of my other VMs, for that matter - this is expected through rule 4 as I'm not a Management PC
  • BUT I still CAN ping and actually log into the web GUI of both my Proxmox hosts. Not expected.

I'm actually trying to restrict access to my servers' web interfaces/SSH/etc. to only my Management PCs, which again my laptop is not yet.

I'm sure one of the geniuses right here can help me sort this out.

Until then, thanks for the great support and fruitful discussions here.
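The following is an added example and is not part of this thread, nor code from OPNsense or Proxmox: a small Python model of the four rules listed in this post, applied to the topology drawn in the setup post (Proxmox hosts, OPNsense VMs and the PC all on the one management VLAN, 10.0.10.0/24). The host addresses, the member of the ManagementPCs alias, the other-VLAN address and the simplification of "bogon" to RFC1918 are constructed for the example. The model's one assumption, stated in traverses_firewall, is that the OPNsense ruleset only sees a packet that is addressed to OPNsense itself or routed through it; two hosts on the same VLAN and subnet exchange frames through the managed switch without the gateway in the path.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# From the post: the management VLAN is 10.0.10.0/24. Every host address below is
# constructed for this example; the post names only the network.
MGMT_NET = ipaddress.ip_network("10.0.10.0/24")
FW_VIP = ipaddress.ip_address("10.0.10.1")            # assumed OPNsense HA VIP
FW_NODES = {ipaddress.ip_address("10.0.10.2"),        # assumed real IPs of the two OPNsense VMs
            ipaddress.ip_address("10.0.10.3")}
PROXMOX_HOSTS = {ipaddress.ip_address("10.0.10.4"),   # assumed static IPs of the two Proxmox hosts
                 ipaddress.ip_address("10.0.10.5")}
MANAGEMENT_PCS = {ipaddress.ip_address("10.0.10.50")}  # assumed content of the ManagementPCs alias
LAPTOP = ipaddress.ip_address("10.0.10.120")           # assumed DHCP lease, not in the alias
FIREWALL_ADDRS = FW_NODES | {FW_VIP}

# Rule 2 allows "non RFC1918 + bogon" destinations; bogons are simplified to RFC1918 here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def flow(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Flow:
    """Convenience constructor taking dotted-quad strings."""
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


# The four rules from the post, in the order given. OPNsense evaluates rules
# top-down and the first match wins, so the order is part of the policy.
RULES: List[Tuple[str, str, Callable[[Flow], bool]]] = [
    ("pass", "1 DNS to OPNsense VIP",
     lambda f: f.src in MGMT_NET and f.dst == FW_VIP and f.proto in ("tcp", "udp") and f.dport == 53),
    ("pass", "2 non-RFC1918 destinations",
     lambda f: f.src in MGMT_NET and not is_rfc1918(f.dst)),
    ("pass", "3 ManagementPCs to any",
     lambda f: f.src in MANAGEMENT_PCS),
    ("block", "4 any to any",
     lambda f: True),
]


def evaluate_rules(fl: Flow) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule."""
    for action, name, matches in RULES:
        if matches(fl):
            return action, name
    return "block", "implicit default deny"   # what no rule passes, OPNsense blocks


def traverses_firewall(fl: Flow) -> bool:
    """Assumption of this model: the ruleset only sees a packet that is addressed
    to OPNsense itself or routed through it. Two hosts in the same /24 on the same
    VLAN exchange frames via the switch; the gateway is never in that path."""
    if fl.dst in FIREWALL_ADDRS:
        return True
    return fl.src in MGMT_NET and fl.dst not in MGMT_NET


def outcome(fl: Flow) -> Tuple[str, str]:
    """Return ("delivered" | "dropped", reason) for a flow sourced on the MGMT VLAN."""
    if not traverses_firewall(fl):
        return "delivered", "same L2 segment, OPNsense rules never consulted"
    action, name = evaluate_rules(fl)
    return ("delivered" if action == "pass" else "dropped"), f"rule {name}"


if __name__ == "__main__":
    cases = {
        "laptop -> 8.8.8.8 ping":       flow("10.0.10.120", "8.8.8.8", "icmp"),
        "laptop -> OPNsense VIP dns":   flow("10.0.10.120", "10.0.10.1", "udp", 53),
        "laptop -> OPNsense GUI 443":   flow("10.0.10.120", "10.0.10.1", "tcp", 443),
        "laptop -> Proxmox GUI 8006":   flow("10.0.10.120", "10.0.10.4", "tcp", 8006),
        "laptop -> VM in other VLAN":   flow("10.0.10.120", "10.0.20.10", "tcp", 22),
        "mgmt PC -> OPNsense GUI 443":  flow("10.0.10.50", "10.0.10.1", "tcp", 443),
    }
    for label, fl in cases.items():
        print(f"{label:30} {outcome(fl)}")
```

Running the block reproduces the three observations in the post: the laptop reaches the Internet through rule 2, is dropped by rule 4 when it addresses the OPNsense GUI or a VM in another VLAN, and is delivered to a Proxmox host on the same /24 without any rule being consulted, because that flow never crosses OPNsense. A rule on the firewall can only constrain traffic that passes through the firewall; restricting access between hosts that share a segment has to be done on the hosts or on the switch (the post's own remark that there are other ways of limiting access to the Proxmox GUI points the same way).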