Netgate Discussion Forum

    Proxmox Hetzner virtual ip

    • maksakal

      Hello,

      I am using a pfSense VM running on Proxmox on my Hetzner server. I configured the Additional IP address received from Hetzner (for example: xxx.xx.x.xxx) as a route only on the Proxmox host and added it as a Virtual IP (IP Alias) on pfSense. I configured the NAT rules correctly on pfSense and the incoming traffic reaches the pfSense WAN interface (verified with tcpdump) and is routed to the VM on the LAN (for example: 10.0.9.8) by pfSense (tcpdump verified that the traffic also reaches the LAN side).

      Although the pfSense NAT and Firewall rules appear correct and the traffic exits to the LAN interface, the VM cannot be accessed.

      The steps I tested:

      Only IP route is defined on Proxmox (IP address is not defined).

      pfSense Virtual IP (IP Alias) configuration was made.

      Port Forward and 1:1 NAT methods were tried, it was verified with tcpdump that traffic reached the LAN.

      VM firewall is closed and default gateway is defined correctly.

      How can I solve this problem, or where could I have made a mistake? I would appreciate it if you can help.

      Thank you.

      • viragomann @maksakal

        @maksakal said in Proxmox Hetzner virtual ip:

        I configured the NAT rules correctly on pfSense and the incoming traffic reaches the pfSense WAN interface (verified with tcpdump), is routed to the VM on the LAN (for example: 10.0.9.8) by pfSense (tcpdump verified that the traffic also reaches the LAN side).

        If you see the packets on the LAN interface with the correct destination IP and the default gateway on the VM is set correctly, but the VM does not respond, most probably the VM blocks access from outside. So you have to configure its firewall properly.

        • maksakal @viragomann

          @viragomann


          English explanation:
          If you see the packets reaching the LAN interface with the correct destination IP and the VM's default gateway is correctly configured, yet the VM still does not respond, most likely the VM's firewall is blocking external access. Therefore, you should verify and properly configure the firewall rules on the VM.

          However, according to your provided information, you've defined the 207.x.x.x IP address as a Virtual IP on pfSense, and you have created a NAT rule to forward port 587 traffic to the VM. Still, it seems this NAT rule isn't functioning properly. The packet capture clearly shows incoming requests reaching pfSense, but they aren't being forwarded by your NAT rule. This typically indicates that either your NAT configuration on pfSense isn't set correctly, or the associated firewall rule linked to the NAT rule might be incorrect or incomplete. Please recheck your NAT and firewall rules carefully.

          23:58:10.952329 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
          23:58:11.012241 IP 134.209.173.54.59626 > 195.201.9.207.4531: tcp 0
          23:58:11.958798 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
          23:58:13.974879 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
          23:58:14.465308 IP 185.44.9.140.52357 > 195.201.9.207.445: tcp 0
          23:58:18.166881 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0

          • viragomann @maksakal

            @maksakal
            This shows packets destined to the WAN IP, so obviously the capture was taken on the WAN. You were talking about a capture on the LAN before. Do you see the traffic there as well?

            • maksakal @viragomann

              @viragomann
              I made a mistake in my previous message, sorry about that. Unfortunately, the traffic never reaches the LAN. If it did, the VM would already be accessible.

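Added example, not written by either poster and not pfSense code: a Python script for the WAN-versus-LAN capture comparison the thread turns on, showing whether a flow is lost before the port forward or after it. The function names, the forwarded port on 10.0.9.8 and the LAN-side line are assumptions made for illustration; the WAN lines are the ones posted above.

```python
import re
from collections import Counter

# tcpdump -n IPv4 line format, as in the capture posted in the thread
LINE = re.compile(r"^\s*\d{2}:\d{2}:\d{2}\.\d+ IP "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")

# WAN capture lines exactly as posted in the thread
WAN_CAPTURE = """\
23:58:10.952329 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:11.012241 IP 134.209.173.54.59626 > 195.201.9.207.4531: tcp 0
23:58:11.958798 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:13.974879 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:14.465308 IP 185.44.9.140.52357 > 195.201.9.207.445: tcp 0
23:58:18.166881 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
"""
# Constructed LAN-side line (not from the thread): forwarded but unanswered
LAN_NO_REPLY = "23:58:10.952400 IP 37.27.176.207.55066 > 10.0.9.8.587: tcp 0\n"

def parse(capture):
    """Return (src, sport, dst, dport) per parsable line; skip the rest."""
    hits = (LINE.match(line) for line in capture.splitlines())
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in hits if m]

def locate_drop(wan, lan, vip, vport, target, tport):
    """Per client (ip, port) that hit vip:vport on WAN: (packets, verdict)."""
    lan_pkts = Counter(parse(lan))
    attempts = Counter((s, sp) for s, sp, d, dp in parse(wan)
                       if (d, dp) == (vip, vport))
    verdicts = {}
    for (cip, cport), n in attempts.items():
        # Assumption: a plain port forward rewrites only the destination,
        # so the client address and port are unchanged on the LAN side.
        if not lan_pkts[(cip, cport, target, tport)]:
            verdict = "not forwarded: check pfSense NAT and WAN rules"
        elif not lan_pkts[(target, tport, cip, cport)]:
            verdict = "forwarded, no reply: check VM firewall and gateway"
        else:
            verdict = "answered"
        verdicts[(cip, cport)] = (n, verdict)
    return verdicts

if __name__ == "__main__":
    args = ("195.201.9.207", 587, "10.0.9.8", 587)  # target port is assumed
    print(locate_drop(WAN_CAPTURE, "", *args))            # empty LAN capture
    print(locate_drop(WAN_CAPTURE, LAN_NO_REPLY, *args))  # constructed LAN capture
```

Take both captures at the same time with the same tcpdump options so the client source port on the WAN side can be matched on the LAN side.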