UDP 1194 packets not reaching vmbr0
-
Hello everyone,
I’m running Proxmox VE on two OVH dedicated servers — an old one and a new one. Both have similar network setups with public IPs assigned on vmbr0. I am trying to run OpenVPN on UDP port 1194, using a pfSense VM behind the Proxmox host.
Setup details:
vmbr0: public IP (e.g., 142.76.x.x/24)
vmbr1: private subnet for pfSense WAN (e.g., 10.50.0.1/24)
vmbr2: private subnet for pfSense LAN (e.g., 10.60.0.1/24)
pfSense WAN IP: 10.50.0.252
pfSense LAN IP: 10.60.0.252
Issue:
On the old OVH server, UDP packets to port 1194 on the public IP reach Proxmox’s vmbr0 interface and OpenVPN works fine through DNAT to pfSense.
On the new OVH server, sending UDP packets to port 1194 on the public IP does not show any packets arriving on vmbr0 (verified via tcpdump). DNAT and firewall rules on Proxmox appear to be set up correctly, IP forwarding is enabled, and pfSense is configured the same way.
-
If they never arrive at Proxmox then pfSense can never see them. That sounds like it can only be an OVH issue. Can you pcap on the host interface directly rather than the bridge?
-
@stephenw10 vmbr0 ports/slaves in proxmox is enp1s0f0
even when I send a packet on port 1194 or any UDP port to enp1s0f0 in Proxmox it doesn't show, but when I try TCP it works
-
Has to be something in OVH then. If those packets never arrive at the physical NIC they must be being blocked upstream.
-
@stephenw10 I installed proxmox on Rise-Game-2 and I saw this in the description the server
can be the issue ddos protection
-
If they are doing any sort of filtering then that could be it.
But I've never used that and it's not a pfSense issue. You should ask OVH. Or use a different hosting provider!
-
@stephenw10 the issue was the firewall in ovh
I fixed it
I managed to set up OpenVPN in pfSense. I can access the pfSense UI, but when I try to SSH to machines that are in the LAN I can't.
In Proxmox I have this:
Chain POSTROUTING (policy ACCEPT 2658 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4037  556K MASQUERADE  0    --  *      vmbr0   10.60.0.0/24         0.0.0.0/0
11867  889K MASQUERADE  0    --  *      vmbr0   10.50.0.0/24         0.0.0.0/0
I have this in routing
-
What IP are you using to connect to pfSense over OpenVPN?
If you have firewall rules to allow it you should be able to use the pfSense LAN address to do so.
If that works then you must have the correct route in OpenVPN and probably have the correct firewall rules.
Most likely the host VMs in the LAN are blocking connections from outside their own subnet. In which case you can fix the hosts to allow it or use outbound NAT in pfSense to hide the source IP.
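
Added example, not part of the thread: a small Python parser for the POSTROUTING listing posted above that reports which rule, if any, would match a given packet. The tunnel address 10.8.0.2, the LAN VM address 10.60.0.10 and the outside address 203.0.113.10 are constructed for illustration; the thread does not state them.

```python
import ipaddress

# `iptables -t nat -L POSTROUTING -v -n` output as posted in the thread.
LISTING = """\
Chain POSTROUTING (policy ACCEPT 2658 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4037  556K MASQUERADE  0    --  *      vmbr0   10.60.0.0/24         0.0.0.0/0
11867  889K MASQUERADE  0    --  *      vmbr0   10.50.0.0/24         0.0.0.0/0
"""

def parse_rules(listing):
    """Return one dict per rule line (negated '!' matches are not handled)."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        # Rule lines start with the packet counter; skip chain/column headers.
        if len(f) < 9 or not f[0][0].isdigit():
            continue
        rules.append({
            "target": f[2], "in": f[5], "out": f[6],
            "source": ipaddress.ip_network(f[7]),
            "destination": ipaddress.ip_network(f[8]),
        })
    return rules

def iface_matches(pattern, name):
    # "*" is any interface; a trailing "+" is the iptables prefix wildcard.
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name

def first_match(rules, src, dst, out_iface):
    """Return the first rule that would match this packet, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (iface_matches(r["out"], out_iface)
                and src in r["source"] and dst in r["destination"]):
            return r
    return None

RULES = parse_rules(LISTING)

if __name__ == "__main__":
    # Constructed packets: LAN VM going out, then VPN client reaching a LAN VM.
    for pkt in [("10.60.0.10", "203.0.113.10", "vmbr0"),
                ("10.8.0.2", "10.60.0.10", "vmbr2")]:
        hit = first_match(RULES, *pkt)
        print(pkt, "->", hit["target"] if hit else "no NAT rule matches")
```

Both posted rules match only on `out vmbr0`, so the constructed tunnel-to-LAN packet is not rewritten by them and would keep its tunnel source address as far as these host rules are concerned.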