Port Forwarding issue inside Proxmox

Started by Land_Strider, December 09, 2025, 11:52:30 AM

December 09, 2025, 11:52:30 AM, Land_Strider
Hi, first post here.

I've been trying to set up a Proxmox server with OPNsense as its main firewall, and I'm having problems with what should be simple port forwarding to various other containers.
Mainly, I can't reach the containers from a Windows PC on the same ISP router as Proxmox/OPNsense, despite what looks like correct port forwarding.

My basic network map and Proxmox network devices are attached. I'll attach the OPNsense port forwarding pages and logs in immediate replies.

All traffic for the other VMs and unprivileged LXCs passes through the OPNsense VM:
WAN: vmbr0 (the sole NIC, eno1, is slaved to it; IP 192.168.1.20/24, gateway 192.168.1.1)
LAN: vmbr1 (handled by OPNsense, which has 192.168.20.1)

All firewalls in the Proxmox web UI at the datacenter, node and VM/CT levels are off.
The OPNsense firewall is mostly set to default pass until I figure out the port forwarding issues.
Internet access is available in all the containers and VMs.
The Cloudflared tunnel works and programs on various containers are reachable through the tunnel.
If I move the containers to vmbr0 and have them visible to the ZTE router, access from inside works without any problems.

In summary, what doesn't work is direct access from my Windows PC (192.168.1.70), on the same ZTE LAN as Proxmox (192.168.1.20) and OPNsense (192.168.1.100), to the programs inside the containers (on the 192.168.20.x LAN provided by OPNsense).

Incidentally, Factorio is reachable while Jellyfin and Soldat 2 are unreachable, which is even more confusing.

December 09, 2025, 11:56:01 AM #1, Land_Strider
DNAT/SNAT

December 09, 2025, 12:12:46 PM #2, Land_Strider
Firewall logs

Factorio (working port forward):

Jellyfin (not working port forward)

Soldat 2 (not working port forward):

December 09, 2025, 02:48:34 PM, viragomann

Possibly the services don't accept access from outside of their local subnet.

Another possible reason is that the containers are missing a default gateway.

Quote from: viragomann on December 09, 2025, 02:48:34 PM: Possibly the services don't accept access from outside of their local subnet.

Jellyfin has a related option (I think) for this, but setting my router LAN subnet for it doesn't change anything, either.

Quote from: viragomann on December 09, 2025, 02:48:34 PM: Another possible reason is that the containers are missing a default gateway.

DHCP IP binding and default gateways for the containers look normal:

root@Jellyfin:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0@if29: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:cb:07:b7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.20.90/24 brd 192.168.20.255 scope global dynamic eth0
       valid_lft 61862sec preferred_lft 61862sec
    inet6 fe80::be24:11ff:fecb:7b7/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever

root@Jellyfin:~# ip route show
default via 192.168.20.1 dev eth0
192.168.20.0/24 dev eth0 proto kernel scope link src 192.168.20.90


December 09, 2025, 08:07:43 PM, viragomann

As the live view shows, the traffic is passed through OPNsense.
To be sure, you can run a packet capture on the LAN. Presumably the packets from the PC are going out there, but nothing is coming back.
If so, it's not on OPNsense.

You can try to hairpin the respective traffic on the LAN interface and see if it helps.

Quote from: viragomann on December 09, 2025, 08:07:43 PM: As the live view shows, the traffic is passed through OPNsense.
To be sure, you can run a packet capture on the LAN. Presumably the packets from the PC are going out there, but nothing is coming back.
If so, it's not on OPNsense.

You can try to hairpin the respective traffic on the LAN interface and see if it helps.

I tried to capture the packet traffic from both ends via Wireshark and the OPNsense interface, but I'm not sure how to make sense of it at the moment.
It looks like SNAT/DNAT works, but there is some other problem causing no response to be received by the PC for the packets it keeps re-sending. The ISP router could be dropping the packets, but as far as the NAT goes the packets should look like requested ones, right?

Attaching the filtered pcap files.
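As an added example (not from this thread, and not OPNsense's or either poster's own code), here is a standard-library-only Python script that does with a capture file what the packet-capture suggestion earlier in the thread asks for: it parses a pcap, pairs each client-to-server flow with whatever came back, and separates "no reply at all" (retransmitted SYNs with no SYN-ACK, or UDP with nothing in return) from "refused" (an RST from the service end). The embedded sample capture is constructed: the addresses are the ones from the thread, while the ports (8096 for Jellyfin, 34197 for Factorio) and the packets themselves are assumptions for the demonstration. It reads classic pcap only, which is what `tcpdump -w` writes; Wireshark saves pcapng by default, so use "Save As" with the pcap format.

```python
"""Flag one-way flows in a packet capture: TCP connections whose SYNs never got a
SYN-ACK, and UDP flows with datagrams in only one direction. Stdlib only."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4           # classic pcap written on a little-endian host
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def parse_pcap(data):
    """Yield (proto, src, sport, dst, dport, tcp_flags) for each IPv4 TCP/UDP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only classic little-endian pcap is handled (not pcapng)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    off = 24                                      # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, caplen, _wirelen = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # not IPv4: skip ARP, IPv6, ...
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 14:          # TCP: flags byte sits at offset 13
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield ("tcp", src, sport, dst, dport, l4[13])
        elif proto == 17 and len(l4) >= 8:        # UDP
            sport, dport = struct.unpack_from("!HH", l4, 0)
            yield ("udp", src, sport, dst, dport, 0)


def one_way_flows(data):
    """Map each client->server flow (keyed by the first packet seen) to a verdict."""
    fwd, rev, synack, rst = defaultdict(int), defaultdict(int), set(), set()
    for proto, src, sport, dst, dport, flags in parse_pcap(data):
        key, rkey = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        if rkey in fwd:                           # something flowing back to the client
            rev[rkey] += 1
            if proto == "tcp" and (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
                synack.add(rkey)
            if proto == "tcp" and flags & TCP_RST:
                rst.add(rkey)
        else:
            fwd[key] += 1
    verdicts = {}
    for key, n in fwd.items():
        if key[0] == "tcp":
            if key in synack:
                verdicts[key] = "handshake completed"
            elif key in rst:
                verdicts[key] = "refused with RST: nothing listening, or the service rejects it"
            else:
                verdicts[key] = f"no SYN-ACK after {n} SYN(s): the reply never came back"
        else:
            verdicts[key] = "bidirectional" if rev[key] else f"{n} datagram(s), no reply"
    return verdicts


def build_pcap(packets):
    """Constructed capture from (src, dst, ipproto, sport, dport, tcpflags) tuples.
    Checksums are left at 0: these frames are parsed, never transmitted."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    eth = bytes.fromhex("bc2411cb07b7") + bytes.fromhex("001122334455") + b"\x08\x00"
    for ts, (src, dst, ipproto, sport, dport, flags) in enumerate(packets):
        if ipproto == 6:
            l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        else:
            l4 = struct.pack("!HHHH", sport, dport, 8, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, ipproto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = eth + ip + l4
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample: addresses are the thread's; the ports (8096 Jellyfin,
# 34197 Factorio) and the traffic itself are assumptions for the demonstration.
PC, WAN, JELLYFIN_LAN = "192.168.1.70", "192.168.1.100", "192.168.20.90"
SAMPLE = build_pcap([
    (PC, WAN, 6, 51000, 8096, TCP_SYN),           # PC -> OPNsense WAN (port forward)
    (PC, WAN, 6, 51000, 8096, TCP_SYN),           # ...retransmitted
    (PC, WAN, 6, 51000, 8096, TCP_SYN),           # ...and again; nothing comes back
    (PC, JELLYFIN_LAN, 6, 51000, 8096, TCP_SYN),  # the same SYN as seen on LAN after DNAT
    (PC, WAN, 17, 52000, 34197, 0),               # Factorio UDP request
    (WAN, PC, 17, 34197, 52000, 0),               # ...and its reply: this one works
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for (proto, src, sport, dst, dport), verdict in one_way_flows(data).items():
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: {verdict}")
```

Run it without arguments to see the verdicts for the constructed sample, or with a file name to analyse a real capture. On OPNsense, `tcpdump -ni <LAN interface> -w lan.pcap host 192.168.20.90` (interface name assumed) writes a file this script reads; if the DNAT'd SYNs appear there with no SYN-ACK, the reply is missing on the container side, and if they carry a rewritten source address, outbound NAT is also in play for that flow.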