opnsense in a proxmox VM : issue with basic firewall configuration

[rt89]

Hello,

I am trying to setup a firewall in my network using promox virtual environment (pve 6.4-13) and opnsense 21.7.1
My network configuration is completely based on  the lab network  in  the book  “practical opnsense” 3rd edition available at https://practical-opnsense.github.io/network_diagram.png



I am only interested by RT-core, RT-1 and labsrv
I Installed these 3 VMs and performed some tests:

root@tr-rt-core:~ # ping -c 2 198.51.100.1 -> ok
root@tr-rt-1:~ # ping -c2 198.51.100.6 -> ok
tr-labsrv:~$ ping -c2 10.4.1.1 -> ok
root@tr-rt-1:~ # ping -c2 10.4.1.7 -> ok
root@tr-rt-1:~ # nc -vz 10.4.1.7 80
  Connection to 10.4.1.7 80 port [tcp/http] succeeded!

root@tr-rt-1:~ # curl --head http://10.4.1.7
  HTTP/1.1 200 OK
  Server: nginx/1.20.1
  Date: Tue, 02 Nov 2021 10:46:20 GMT
  Content-Type: text/html

1:1 NAT Configuration:
  1- virtual ip added in interfaces: virtual IPs: settings interface: Mode IP alias,  WAN1  @IP 198.51.100.7/24
  2- WAN1 : nat rule added in firewall:NAT:one-to-one: external network:198.51.100.7, Source 10.4.1.7/24, destination any
  3- WAN1 : firewall rule added in firewall : rules: wan1, Action: pass, Direction:in, protocol: TCP, Source: any, Destination 10.4.1.7, Destination port: HTTP, log

Test:
root@tr-rt-core:~ # curl --head http://198.51.100.7
curl: (28) Failed to connect to 198.51.100.7 port 80 after 75061 ms: Operation timed out

Log files:

root@tr-rt-1:~ # tail -f /var/log/filter/filter_20211108.log | grep tcp
Nov  9 09:06:23 tr-rt-1.mydomain.com filterlog[25220]: 82,,,4be542e5a1205456ac7c9a8d1ae07a3f,vtnet4,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.6,10.4.1.7,60013,80,0,S,1295215523,,65228,,mss;nop;wscale;sackOK;TS
Nov  9 09:06:23 tr-rt-1.mydomain.com filterlog[25220]: 94,,,11bc15649131440ccf0d0ea7ff44c37a,vtnet2,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,198.51.100.6,10.4.1.7,60013,80,0,S,1295215523,,65228,,mss;nop;wscale;sackOK;TS

Packets are leaving DMZ interface correctly…
But nginx server is not requested:
tr-labsrv:/var/log/nginx$ sudo tail -f *.log  -> nothing

# tcpdump -i vtnet2 -c 50 -n --number
15:30:21.611152 IP 198.51.100.6.54681 > 10.4.1.7.80:Flags S,seq 2354946915, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1102083325 ecr 0], length 0

sudo tcpdump -i ens18 -c 50 -n --number
15:30:20.162696 IP 198.51.100.6.54681 > 10.4.1.7.80: Flags S,seq 2354946915, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 1102083325 ecr 0], length 0

I do not understand what happens.
Would you help please?

Thanks



Configuration: other information

OPNsense 21.7.4-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

Proxmox :
pve 6.4-13
firewall disabled on all VMs, node and datacenter
nat table empty
cat  /proc/sys/net/ipv4/ip_forward  -> 1


VMs configuration
tr-rt-1
•   net0 -> vmbr101 -> virtio= EE:FF:9B:0C:D3:66 -> vtnet0 -> LAN -> 10.1.1.1
•   net1  -> vmbr0 -> virtio= 2E:53:9D:E9:27:FB -> vtnet1 -> ADM -> management network
•   net3 -> vmbr104 -> virtio=EA:D4:52:8F:6F:50 ->vtnet2 -> DMZ -> 10.4.1.1
•   net4 -> vmbr192 -> virtio= 42:E7:D4:C3:5B:9A -> vtnet3 -> WAN2 -> 192.0.2.1
•   net5 -> vmbr198 -> virtio= 8E:E0:99:D1:5B:08 -> vtnet4 -> WAN1 -> 198.51.100.1
tr-rt-core
•   net 0 -> vmbr198 -> virtio= 9A:A0:EB:C0:42:EF ->vtnet0 -> WAN1 -> 198.51.100.6
•   net 1-> vmbr192 -> virtio=  C2:16:AE:8D:1B:C1 ->vtnet1 -> WAN2 -> 192.0.2.6
•   net 2 -> vmbr0 -> virtio= 8E:34:13:7C:4A:F6 ->vtnet2 -> ADM -> management network
labsrv
•   nginx installed, listenning port 80
•   net 0 ->vmbr104 -> virtio= 12:F1:8A:B9:9C:4C -> 10.4.1.7
•   net1 -> vmbr0 -> virtio= 82:D2:55:AF:FD:87 management network