Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - MaxG

Pages1
#1
General Discussion / Re: New set-up of OPNsense on Proxmox: host cannot access Internet
September 04, 2025, 01:35:33 PM
Thanks MeyerG(u)ru :)

I actually read this post, but did not even understand half of it; however, at the time (actually a few days ago) I though this is interesting stuff and book-marked it, and I read it when I have set-up OPNsense and understand it (at least a bit) better.

Since posting I did some further research, and changed Firewall | NAT | Outbound to manual and added a rule (Interface: WAN, Source: 192.168.2.0/24, Translation: 192.168.1.2).

I also did pick up that the Proxmox VMBRs had firewall=1 set. Silly me accepted the default, but pondered why it would firewall it, rather than OPNsense.

In any case, I find this firewall business quite challenging... it is easily buggered up.

Again, thank you.

Now that I have working, yet very basic config, I trash it and rebuild based on my notes. The ultimate proof the documentation is right.
#2
General Discussion / [Solved] New set-up of OPNsense on Proxmox: host cannot access Internet
September 04, 2025, 05:57:32 AM
I am new to OPNsense. I have installed Proxmox v9 on a Lenovo M82, which has one NIC and an USB Ethernet adapter. It was connected to my existing LAN 192.168.1.0/24, and it was able to ping, nslookup and download its updates. I added two additional VMBRs to the VM config and named these (WAN, LAN, DMZ).

Then I installed OPNsense 25.7.2 maybe it was .1 and when I updated it, it become .2. During the CLI install part I assigned vtnet to the valid interfaces. WAN: vtnet1; LAN: vtnet0; optional: DMZ = vtnet2. I reassigned the LAN network to 192.168.2.0/24, WAN to 192.168.1.0/24, DMZ to 192.168.3.0/24. OPNsense added its auto-generated rules to all three networks.

The WAN is on the private network 192.168.1.0/24 going via .1 through a FRITZbox

The DMZ is not configured and indicates that: no rules have been defined.
I can access the LAN on 192.168.2.100; an address that has been assigned by dnsmasq where did add a DHCP range (100-200).

Code Select
root@pve1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
      valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr0 state UP group default qlen 1000
    link/ether 00:23:24:a0:3c:3c brd ff:ff:ff:ff:ff:ff
    altname enp0s25
    altname enx002324a03c3c
3: enx00e04c896ad5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr1 state UP group default qlen 1000
    link/ether 00:e0:4c:89:6a:d5 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:23:24:a0:3c:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.2/24 scope global vmbr0
      valid_lft forever preferred_lft forever
    inet6 fe80::223:24ff:fea0:3c3c/64 scope link proto kernel_ll
      valid_lft forever preferred_lft forever
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e0:4c:89:6a:d5 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2e0:4cff:fe89:6ad5/64 scope link proto kernel_ll
      valid_lft forever preferred_lft forever
6: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 0a:c5:e2:55:9c:00 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::f052:9aff:feb1:66c3/64 scope link proto kernel_ll
      valid_lft forever preferred_lft forever
7: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr100i0 state UNKNOWN group default qlen 1000
    link/ether 36:e5:d3:e9:a7:76 brd ff:ff:ff:ff:ff:ff
8: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c2:b0:4a:94:c3:0f brd ff:ff:ff:ff:ff:ff
9: fwpr100p0@fwln100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether a6:5b:2c:2c:a0:a3 brd ff:ff:ff:ff:ff:ff
10: fwln100i0@fwpr100p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP group default qlen 1000
    link/ether c2:b0:4a:94:c3:0f brd ff:ff:ff:ff:ff:ff
11: tap100i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr100i1 state UNKNOWN group default qlen 1000
    link/ether 72:06:d2:90:5b:06 brd ff:ff:ff:ff:ff:ff
12: fwbr100i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 12:f4:74:8e:01:27 brd ff:ff:ff:ff:ff:ff
13: fwpr100p1@fwln100i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1 state UP group default qlen 1000
    link/ether 22:c8:5e:1c:12:fc brd ff:ff:ff:ff:ff:ff
14: fwln100i1@fwpr100p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i1 state UP group default qlen 1000
    link/ether 12:f4:74:8e:01:27 brd ff:ff:ff:ff:ff:ff
15: tap100i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr100i2 state UNKNOWN group default qlen 1000
    link/ether ea:55:0d:c0:dd:63 brd ff:ff:ff:ff:ff:ff
16: fwbr100i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 42:df:3d:11:ea:e1 brd ff:ff:ff:ff:ff:ff
17: fwpr100p2@fwln100i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr2 state UP group default qlen 1000
    link/ether 0a:c5:e2:55:9c:00 brd ff:ff:ff:ff:ff:ff
18: fwln100i2@fwpr100p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i2 state UP group default qlen 1000
    link/ether 42:df:3d:11:ea:e1 brd ff:ff:ff:ff:ff:ff
root@pve1:~#
    link/ether ea:55:0d:c0:dd:63 brd ff:ff:ff:ff:ff:ff
16: fwbr100i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 42:df:3d:11:ea:e1 brd ff:ff:ff:ff:ff:ff
17: fwpr100p2@fwln100i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr2 state UP group default qlen 1000ult qlen 1000
    link/ether 0a:c5:e2:55:9c:00 brd ff:ff:ff:ff:ff:ff
18: fwln100i2@fwpr100p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i2 state UP group default qlen 1000default qlen 1000
    link/ether 42:df:3d:11:ea:e1 brd ff:ff:ff:ff:ff:ff
root@pve1:~#
17: fwpr100p2@fwln100i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr2 state UP group default qlen 1000ult qlen 1000
    link/ether 0a:c5:e2:55:9c:00 brd ff:ff:ff:ff:ff:ff
18: fwln100i2@fwpr100p2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i2 state UP group default qlen 1000default qlen 1000
    link/ether 42:df:3d:11:ea:e1 brd ff:ff:ff:ff:ff:ff
root@pve1:~#

I can telnet from my machine (um890) to ports 8006 and 22:
Code Select
telnet 192.168.2.2 8006
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
^[
HTTP/1.0 400 bad request
Cache-Control: max-age=0
Connection: close
Date: Wed, 03 Sep 2025 13:56:20 GMT
Pragma: no-cache
Server: pve-api-daemon/3.0
Content-Length: 11
Expires: Wed, 03 Sep 2025 13:56:20 GMT

bad requestConnection closed by foreign host.

# [2025-09-03 23:56] maxg@um890 ~ $
telnet 192.168.2.2 22
Trying 192.168.2.2...
Connected to 192.168.2.2.
Escape character is '^]'.
SSH-2.0-OpenSSH_10.0p2 Debian-7
^[
Invalid SSH identification string.
Connection closed by foreign host.


What seems right to me, the Proxmox cannot ping the Google DNS, while OPNsense can. It can nslookup though.
I added a 192.168.2.2 to any rule in LAN assuming the Proxmox host on 192.168.2.2) would be able to ping, but it can't.

Code Select
root@pve1:~# nslookup 8.8.8.8
8.8.8.8.in-addr.arpa    name = dns.google.

Authoritative answers can be found from:

root@pve1:~# ping -c3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2059ms

root@pve1:~# ss -tuln | grep :8006
tcp  LISTEN 0      4096              *:8006            *:* 
root@pve1:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 49678 packets, 21M bytes)
pkts bytes target    prot opt in    out    source              destination       

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source              destination       

Chain OUTPUT (policy ACCEPT 35490 packets, 23M bytes)
pkts bytes target    prot opt in    out    source              destination       


I would kindly invite some help, hints. pointers on what I am missing or where to go. I am happy to provide further information to aid trouble-shooting, but there is lots of it (and I don't know where to start).
Pages1