Proxmox Hetzner virtual ip
-
Hello,
I am using pfSense VM running on Proxmox on my Hetzner server. I configured the Additional IP address received from Hetzner (for example: xxx.xx.x.xxx) as route only on the Proxmox host and added it as Virtual IP (IP Alias) on pfSense. I configured the NAT rules correctly on pfSense and the incoming traffic reaches the pfSense WAN interface (verified with tcpdump), is routed to the VM on the LAN (for example: 10.0.9.8) by pfSense (tcpdump verified that the traffic also reaches the LAN side).
Although the pfSense NAT and Firewall rules appear correct and the traffic exits to the LAN interface, the VM cannot be accessed.
The steps I tested:
Only IP route is defined on Proxmox (IP address is not defined).
pfSense Virtual IP (IP Alias) configuration was made.
Port Forward and 1:1 NAT methods were tried, it was verified with tcpdump that traffic reached the LAN.
VM firewall is closed and default gateway is defined correctly.
How can I solve this problem or where could I have made a mistake? I would appreciate if you can help.
Thank you.
-
@maksakal said in Proxmox Hetzner virtual ip:
I configured the NAT rules correctly on pfSense and the incoming traffic reaches the pfSense WAN interface (verified with tcpdump), is routed to the VM on the LAN (for example: 10.0.9.8) by pfSense (tcpdump verified that the traffic also reaches the LAN side).
If you see the packets on the LAN interface with the correct destination IP and the default gateway on the VM is set correctly, but the VM does not respond, most probably the VM blocks access from outside. So you have to configure its firewall properly.
-
English explanation:
If you see the packets reaching the LAN interface with the correct destination IP and the VM's default gateway is correctly configured, yet the VM still does not respond, most likely the VM's firewall is blocking external access. Therefore, you should verify and properly configure the firewall rules on the VM. However, according to your provided information, you've defined the 207.x.x.x IP address as a Virtual IP on pfSense, and you have created a NAT rule to forward port 587 traffic to the VM. Still, it seems this NAT rule isn't functioning properly. The packet capture clearly shows incoming requests reaching pfSense, but they aren't being forwarded by your NAT rule. This typically indicates that either your NAT configuration on pfSense isn't set correctly, or the associated firewall rule linked to the NAT rule might be incorrect or incomplete. Please recheck your NAT and firewall rules carefully.
23:58:10.952329 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:11.012241 IP 134.209.173.54.59626 > 195.201.9.207.4531: tcp 0
23:58:11.958798 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:13.974879 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:14.465308 IP 185.44.9.140.52357 > 195.201.9.207.445: tcp 0
23:58:18.166881 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
-
@maksakal
This shows packets destined to the WAN IP, so obviously the capture was taken on the WAN. You were talking about a capture on the LAN before. Do you see the traffic there as well?
-
@viragomann
I made a mistake in my previous message, sorry about that. Unfortunately, the traffic never reaches the LAN. If it did, the VM would already be accessible.
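
Added example, not part of any post in this thread: a small script that compares a WAN capture with a LAN capture for one port forward and reports whether a flow seen on the WAN also shows up on the LAN with its destination rewritten. The WAN lines are the ones posted above; the LAN captures, the address 10.0.9.1 and the internal target port 587 are constructed assumptions.

```python
import re
from collections import Counter

# Matches tcpdump lines in the form posted above:
#   23:58:10.952329 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): tcp")

def flows(capture, dst_ip, dst_port):
    """Count packets per (source IP, source port) sent to dst_ip:dst_port."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m and m[3] == dst_ip and int(m[4]) == dst_port:
            seen[(m[1], int(m[2]))] += 1
    return seen

def check_forward(wan_cap, lan_cap, vip, port, target_ip, target_port):
    """Compare a WAN and a LAN capture for one port forward.

    Destination NAT rewrites only the destination, so a forwarded flow keeps
    its source IP and port and appears on the LAN addressed to the target.
    """
    wan = flows(wan_cap, vip, port)
    lan = flows(lan_cap, target_ip, target_port)
    missing = sorted(f for f in wan if f not in lan)
    if not wan:
        verdict = "no traffic for this forward on WAN"
    elif missing:
        verdict = "reaches WAN but not LAN: check the NAT and firewall rules"
    else:
        verdict = "forwarded to LAN: check the VM (firewall, gateway, listener)"
    return {"wan": dict(wan), "missing": missing, "verdict": verdict}

# WAN capture copied from the thread above.
WAN_CAPTURE = """\
23:58:10.952329 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:11.012241 IP 134.209.173.54.59626 > 195.201.9.207.4531: tcp 0
23:58:11.958798 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:13.974879 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
23:58:14.465308 IP 185.44.9.140.52357 > 195.201.9.207.445: tcp 0
23:58:18.166881 IP 37.27.176.207.55066 > 195.201.9.207.587: tcp 0
"""
# Constructed LAN captures (not from the thread): one where nothing is
# forwarded, one where the same flow arrives rewritten to the VM address.
LAN_EMPTY = "23:58:12.100000 IP 10.0.9.8.40112 > 10.0.9.1.53: tcp 0\n"
LAN_FORWARDED = "23:58:10.952400 IP 37.27.176.207.55066 > 10.0.9.8.587: tcp 0\n"

if __name__ == "__main__":
    for lan in (LAN_EMPTY, LAN_FORWARDED):
        print(check_forward(WAN_CAPTURE, lan, "195.201.9.207", 587, "10.0.9.8", 587))
```

The four packets from the same source port in the WAN capture are counted as one flow, so repeated attempts by one client do not inflate the list of missing flows.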