Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
FW block rule still allowing traffic to Proxmox host
« previous
next »
Print
Pages: [
1
]
Author
Topic: FW block rule still allowing traffic to Proxmox host (Read 2115 times)
imothep77
Newbie
Posts: 5
Karma: 0
FW block rule still allowing traffic to Proxmox host
«
on:
January 11, 2024, 11:10:25 pm »
Hi all,
I've been struggling with the below for the whole day.
Didn't find any related topic here, so here I am -
I have 2 Proxmox physical machines, on each one of them, I have an OpnSense VM (both Opns run in HA).
All 4 machines live in the same "management" VLAN, let's say 10.0.10.0/24.
I have defined the following rules on the MGMT interface (VLAN 10):
allow any IPv4 - TCP/UDP traffic from MGMT net to OPNsense VIP on port 53 (DNS)
allow any IPv4 traffic to non RFC1918+bogon networks (allow all machines on the MGMT net to access the Internet)
allow any IPv4 traffic from ManagementPCs (alias) to any
block IPv4+IPv6 traffic from any to any (I guess this one is not necessary, but I like to be explicit)
Now from a ManagementPC, I get the exact behaviour I want, basically, I have access to anything.
However, still on the MGMT interface, when connecting from my laptop (which receives an IP that is not listed in the Management PCs alias), I have a weird behavior related to rule 4:
I can ping/access the internet both 8.8.8.8 and google.com - this is expected through rules 1 and 2
I cannot ping any of my OpnSense VMs nor any of my other VMs for that matter - this is expected through rule 4 as I'm not a Management PC
BUT
I still CAN ping and actually log into the web GUI of both my Proxmox hosts.
Not expected.
I'm actually trying to restrict access to my Servers web interfaces/SSH/etc, to only my Management PCs which again, my laptop is not yet.
I'm sure one of the geniuses right here can help me sort this out.
Until then, thanks for the great support and fruitful discussions here.
Logged
imothep77
Newbie
Posts: 5
Karma: 0
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #1 on:
January 13, 2024, 11:27:36 am »
no one ?
Logged
meyergru
Hero Member
Posts: 1706
Karma: 167
IT Aficionado
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #2 on:
January 13, 2024, 11:51:14 am »
Traffic on the same interface/subnet is not passing OpnSense at all, so it can't block it.
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
imothep77
Newbie
Posts: 5
Karma: 0
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #3 on:
January 19, 2024, 09:54:23 am »
Thanks for your reply.
In that case, how come I'm getting the expected behavior - i.e not able to connect to my Opnsense webgui when I'm not a Management_PC?
Logged
cookiemonster
Hero Member
Posts: 1823
Karma: 95
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #4 on:
January 19, 2024, 10:13:15 am »
Put the network setup inside the firewalls at one side for a moment.
Show how they are physically connected here, to have an idea of what is happening at the different layers.
Logged
meyergru
Hero Member
Posts: 1706
Karma: 167
IT Aficionado
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #5 on:
January 19, 2024, 10:27:39 am »
You initially wanted to limit access to your Proxmox web GUI, which seems to be directly attached to your VM's network, now you ask for the OpnSense weg GUI - that is a different story.
You could potentially limit traffic in these places:
1. In your Proxmox host for its web gui (I do not know how this would be possible).
2. In your OpnSense host for its web gui by creating a rule on the interface to allow only certain IPs.
3. In your Proxmox VE for a specific machine by using the Proxmox firewall to block traffic to certain IPs - this is complicated, though.
4. Separate your network infrastructure (i.e. OpnSense and Proxmox hosts in a separate management VLAN) and define specific rules for a management group of IPs in the normal LAN to be able to access that VLAN.
For a consistent approach, use the last one.
«
Last Edit: January 24, 2024, 08:51:37 pm by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
imothep77
Newbie
Posts: 5
Karma: 0
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #6 on:
January 24, 2024, 04:50:39 pm »
Thank you guys for your replies.
I know there are some other ways of limiting access to my Proxmox GUI, but the intent of this post is to understand why a PC is able to connect to one machine (my Proxmox host) when I have specific rules on my firewall explicitly blocking traffic to the whole network range except to the DNS server / port, when I'm not a "ManagementPC". The rule seems to be working, as I'm not able to access the Opnsense WebGUI - again, this is the expected behaviour - but I'm still able to log into my Proxmox WebGUI.
To cookiemonster's question, here's my setup:
--------------------
| Proxmox Host |-------------- Managed Switch --------------- PC
| ------------------|
| Opnsense is a |
| VM here | LAN
| |
--------------------
Proxmox host has a static IP on the Management VLAN
PC is connected to Management VLAN and gets it's IP from Opnsense in the management VLAN
OpnSense is a VM using
native Proxmox LAN as its LAN interface
a specific WAN interface on a WAN VLAN as the WAN interface
a specific pfsync interface on a specific VLAN as OPT1 interface
all other VLANs (including Management VLAN, main LAN VLAN and guest VLAN for instance) are set up inside Opnsense
Logged
Patrick M. Hausen
Hero Member
Posts: 6848
Karma: 575
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #7 on:
January 24, 2024, 06:02:01 pm »
If Proxmox, OPNsense and the PC in question all share the same LAN (VLAN, broadcast domain, whatever you name it ...) then traffic from the PC to Proxmox does not go
through
OPNsense so no firewall rules apply.
Device on a single network communicate directly with each other without an intermediate router. That's what ARP (or ND for IPv6) is for.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
imothep77
Newbie
Posts: 5
Karma: 0
Re: FW block rule still allowing traffic to Proxmox host
«
Reply #8 on:
January 29, 2024, 05:13:43 pm »
Crystal clear, conclusion I was moving towards....
However, why does enabling this rule in OPNSense prevent me from accessing any of my other servers inside the same network, BUT my Proxmox Webgui....
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
FW block rule still allowing traffic to Proxmox host