Transfer network between two virtual firewalls is being blocked

Started by clerint, October 31, 2025, 09:07:47 AM

Hello everyone,

I'm new here and currently working with a Proxmox environment running on a UCS system.
I have one external VM and one internal VM, each located in a different firewall zone. However, I'm having trouble connecting the two firewalls: communication between the zones doesn't work, and traffic seems to be blocked somewhere.
Does anyone know how to properly connect or configure these firewalls in Proxmox so that both zones can communicate without being blocked?


So you created specific interfaces for the transfer network on both firewalls, you don't use WAN on either side?

Did you add proper routes on both?

Did you add firewall rules to allow communication?

Just a quick reminder: OpnSense does not work right out of the box with Proxmox. See this: https://forum.opnsense.org/index.php?topic=44159.0
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: viragomann on October 31, 2025, 11:23:43 AM
So you created specific interfaces for the transfer network on both firewalls, you don't use WAN on either side?

Did you add proper routes on both?

Did you add firewall rules to allow communication?

A dedicated transfer network (VLAN 99) was configured between the two OPNsense firewalls — ITLAB-FW01 (internal) and ITLAB-FW02 (external).
The WAN interface is not used for inter-firewall communication.
Configuration details:

   • VLAN: 99 (Transfer)
   • Subnet: 192.168.99.0/30
   • ITLAB-FW01 (Internal): 192.168.99.253/30
   • ITLAB-FW02 (External): 192.168.99.254/30
   
Static Routes:
   • On ITLAB-FW01, a static route was added to reach the external networks (192.168.41.0/24, 192.168.2.0/24) via gateway 192.168.99.254.
   • On ITLAB-FW02, a static route was added to reach the internal networks (192.168.70.0/24, 192.168.1.0/24) via gateway 192.168.99.253.
   
Firewall Rules:
An "Allow any" rule was configured on the Transfer interface of both firewalls to permit all traffic (any → any → any) for testing and management purposes.
This setup ensures unrestricted communication between both sides of the lab environment through VLAN 99 without relying on the WAN interface.
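A constructed route-lookup model of the setup described above, added here as an example and not code from the thread or from OPNsense: it traces a flow across the VLAN 99 transfer link in both directions with longest-prefix matching, and shows how a missing return route on one firewall makes traffic look "blocked" even though the forward route and the allow-any rules are fine. The firewalls' inside addresses (.1 on each subnet) and the two test hosts are assumptions.

```python
import ipaddress
from copy import deepcopy

# Constructed lab model: transfer IPs and static routes as posted; inside addresses are assumed.
LAB = {
    "ITLAB-FW01": {"addrs": ["192.168.99.253/30", "192.168.70.1/24", "192.168.1.1/24"],
                   "routes": {"192.168.41.0/24": "192.168.99.254", "192.168.2.0/24": "192.168.99.254"}},
    "ITLAB-FW02": {"addrs": ["192.168.99.254/30", "192.168.41.1/24", "192.168.2.1/24"],
                   "routes": {"192.168.70.0/24": "192.168.99.253", "192.168.1.0/24": "192.168.99.253"}},
}

def lookup(fw, dst):
    """Longest-prefix match: 'connected', a next-hop IP, or None if no route."""
    dst = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_interface(a).network, "connected") for a in fw["addrs"]]
    cands += [(ipaddress.ip_network(p), gw) for p, gw in fw["routes"].items()]
    hits = [(n.prefixlen, nh) for n, nh in cands if dst in n]
    return max(hits)[1] if hits else None

def owner_of(lab, ip):
    """Firewall owning an interface IP (next hops) or fronting the host's subnet."""
    ip = ipaddress.ip_address(ip)
    ifaces = [(n, ipaddress.ip_interface(a)) for n, fw in lab.items() for a in fw["addrs"]]
    exact = [n for n, i in ifaces if i.ip == ip]
    return exact[0] if exact else next((n for n, i in ifaces if ip in i.network), None)

def trace(lab, src, dst, max_hops=4):
    """Follow one direction hop by hop: (list of firewalls visited, reached?)."""
    fw = owner_of(lab, src)
    path = [fw]
    for _ in range(max_hops):
        nh = lookup(lab[fw], dst)
        if nh == "connected":
            return path, True
        if nh is None:
            return path + ["no route"], False
        fw = owner_of(lab, nh)
        path.append(fw)
    return path, False

def check_both_ways(lab, src, dst):
    """A flow only works if the forward AND the return path resolve."""
    fwd, fok = trace(lab, src, dst)
    ret, rok = trace(lab, dst, src)
    return {"forward": fwd, "forward_ok": fok, "return": ret, "return_ok": rok}

def with_missing_return_route(lab):
    """Same lab minus FW02's route back to 192.168.70.0/24 (a typical cause of 'blocked')."""
    broken = deepcopy(lab)
    del broken["ITLAB-FW02"]["routes"]["192.168.70.0/24"]
    return broken
```

With the posted routes both directions resolve; drop the return route on ITLAB-FW02 and the reply has nowhere to go, which in the firewall log shows up as the reply being dropped or never appearing at all.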



So basically the communication should work.

As you wrote, the traffic is blocked, do you see any blocks in the firewall log?
In Firewall: Settings: Advanced under "Logging" check "Default block" and "Private networks" and try to connect to the device behind the other firewall.

For further investigation use Interfaces: Diagnostics: Packet Capture to sniff the traffic on the involved interfaces on both firewalls.