Lost access to OPNsense Web-GUI and SSH, ~20 minutes after (re)boot

Started by dmgeurts, December 10, 2024, 08:01:03 PM

Hi all,

Deployed OPNsense v24.7.10_2 today on Proxmox 8.3.1 on a new server.

Right from the start I noticed that I would lose access to the GUI after a little time (about 20 minutes). Connectivity to Proxmox itself is rock solid and from Proxmox I can ping the firewall VM, both on the LAN and WAN addresses.

I've now switched to OVS instead of the Linux bridge as I saw issues with neighbor solicitation. And then noticed that both IPv4 and IPv6 connectivity are lost after a little time. Turning the firewall back on, on the NIC (disabled system-wide for now), restored network connectivity. What the heck is going on here?

Management of Proxmox will ultimately be behind a dedicated firewall, so I'm not too fussed about the Proxmox firewall, but why do I need to enable the firewall on the NIC of a VM to restore service?!

Thanks,

[EDIT1]
And then I realise I should really post about the Proxmox firewall interference on a Proxmox forum and not here... Having done that, I still see SSH and the WebGUI inaccessible after a little time. I can reach the TCP ports but not the service listening on them.

[EDIT2]
Getting a VPN up to the firewall, I just noticed that the VPN remained up and I could log in to the firewall via the VPN, which is highly preferred anyway. But this allowed me to inspect the firewall logs and showed the reason for the block: "a default deny rule". Though I'm a little confused as to how a valid session ends up falling through the rule that permits it and then gets denied.

Shortly after, my VPN went down and I lost connectivity again, until I rebooted the firewall and could once again connect.
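Added example for triaging the symptom in EDIT2 (my own code, not from the post or from OPNsense): it parses constructed, simplified filterlog-style CSV lines (the field order is an assumption for this example, not the real filterlog layout) and reports default-deny blocks that hit packets of already-established SSH or Web-GUI sessions, which is what a permitted session "falling through" to the deny rule looks like in the log.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample lines (not real OPNsense output) in a simplified CSV layout
# whose field order is an assumption made for this example, not the filterlog spec:
# rule,iface,action,direction,ipver,proto,src,dst,srcport,dstport,tcpflags
FIELDS = ["rule", "iface", "action", "direction", "ipver", "proto",
          "src", "dst", "srcport", "dstport", "tcpflags"]
SAMPLE_LOG = """\
5,vtnet0,pass,in,4,tcp,192.168.1.50,192.168.1.1,51000,443,S
5,vtnet0,pass,in,4,tcp,192.168.1.50,192.168.1.1,51002,22,S
1,vtnet0,block,in,4,tcp,192.168.1.50,192.168.1.1,51000,443,PA
1,vtnet0,block,in,4,tcp,192.168.1.50,192.168.1.1,51000,443,A
1,vtnet0,block,in,4,tcp,192.168.1.50,192.168.1.1,51002,22,PA
1,vtnet0,block,in,4,tcp,203.0.113.9,192.168.1.1,40000,443,S
"""
MGMT_PORTS = {22, 443}  # SSH and Web-GUI, the two services the post lost


def parse_log(text):
    """Split CSV lines into dicts keyed by FIELDS; blank lines are skipped."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]


def mid_session_denies(records, mgmt_ports=MGMT_PORTS):
    """Return blocked TCP packets to management ports that carry no SYN flag.

    A SYN-less packet (A, PA, FA ...) belongs to a connection that was already
    set up, so a block on it means pf no longer has a matching state entry:
    the "valid session falls through to the default deny" symptom. A blocked
    SYN is just a refused new connection and is deliberately not reported.
    """
    return [r for r in records
            if r["action"] == "block" and r["proto"] == "tcp"
            and int(r["dstport"]) in mgmt_ports
            and "S" not in r["tcpflags"]]


def summarize(hits):
    """Count mid-session denies per (client, port) to expose a repeating pattern."""
    return Counter((h["src"], int(h["dstport"])) for h in hits)


if __name__ == "__main__":
    found = mid_session_denies(parse_log(SAMPLE_LOG))
    for (client, port), n in summarize(found).items():
        print(f"{client} -> port {port}: {n} established-session packet(s) hit the deny rule")
```

A run over a real export would need the field indices adjusted to the actual filterlog layout; the SYN-less filter is the part that separates lost-state blocks from ordinary refused connections.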


You may find it worth reading this.

There are many setup instructions for Hetzner that show a single-IP setup, but they rely on routing because of the limitation you just found. Routing in turn has the implication that your outbound NAT will get fairly complicated (as the OPNsense WAN IP is not the "real" IP any more).

Therefore, you should consider having at least two IPv4s, one specifically for a separate MAC on the WAN IP of your OPNsense.

This is unfortunate in that the IPv4 of your Proxmox host will probably not be used at all for security reasons. You could also switch MACs and use the "official" MAC for OPNsense, but that would mean that when you use a rescue system, the former OPNsense IP will then be the rescue system IP, which I find confusing.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+