Proxmox Firewall Access Fix
Last Updated: 2026-01-14
Status: Active Documentation
Issue: Proxmox firewall blocking access from Default network (192.168.0.0/24)
Solution: Configure firewall rules to allow Default network
Problem
Proxmox hosts may have firewall rules that block traffic from different subnets. Even though we changed the dev machine IP to 192.168.11.4, we should also fix the firewall to allow access from the Default network (192.168.0.0/24) for future flexibility.
Proxmox Hosts
| Host | IP Address | Status |
|---|---|---|
| ml110 | 192.168.11.10 | ✅ Accessible |
| r630-01 | 192.168.11.11 | ✅ Accessible |
| r630-02 | 192.168.11.12 | ✅ Accessible |
Solution: Configure Firewall Rules
Method 1: Automated Script (Recommended)
cd /home/intlc/projects/proxmox
./scripts/proxmox/fix-firewall-access.sh
What it does:
- Checks connectivity to all Proxmox hosts
- Adds a firewall rule to allow 192.168.0.0/24
- Enables the firewall if needed
- Compiles and restarts the firewall
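An added example (not the page's fix-firewall-access.sh) of the two idempotent edits such a script has to make on each host: switch on the host firewall and insert the allow rule only if it is not already there. It assumes the [OPTIONS] / [RULES] layout shown in Method 3 and GNU awk on the Proxmox host; the file path and rule text are the page's own.

```shell
#!/usr/bin/env bash
# Added example (not the page's fix-firewall-access.sh): idempotently enable the
# host firewall and add the "allow Default network" rule to a host.fw file.
# Assumes the [OPTIONS] / [RULES] layout from Method 3 and GNU awk on the host.
set -eu

RULE='IN ACCEPT -source 192.168.0.0/24 -log nolog'

# ensure_enabled FILE: make sure [OPTIONS] carries exactly one "enable: 1".
ensure_enabled() {
    local file="$1"
    [ -f "$file" ] || : > "$file"
    awk '
        /^\[OPTIONS\]$/ { print; print "enable: 1"; inopt = 1; done = 1; next }
        /^\[/           { inopt = 0 }
        inopt && /^enable:/ { next }          # drop any stale enable line
        { print }
        END { if (!done) { print "[OPTIONS]"; print "enable: 1" } }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# ensure_rule FILE RULE: insert RULE directly under [RULES] unless it is already
# present verbatim. Placing it first keeps it ahead of any later DROP/REJECT.
ensure_rule() {
    local file="$1" rule="$2"
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$rule" "$file" && return 0
    awk -v rule="$rule" '
        { print }
        /^\[RULES\]$/ { print rule; done = 1 }
        END { if (!done) { print ""; print "[RULES]"; print rule } }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rule_is_present FILE RULE: exit 0 if RULE is in FILE, 1 otherwise (for checks).
rule_is_present() { grep -qxF -- "$2" "$1"; }

# On a Proxmox host, as root:
#   ensure_enabled /etc/pve/firewall/host.fw
#   ensure_rule    /etc/pve/firewall/host.fw "$RULE"
#   pve-firewall compile && pve-firewall restart && pve-firewall status
```

Run pve-firewall compile afterwards so a typo in the inserted line is caught before the restart.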
Method 2: Manual Configuration via Web UI
For each Proxmox host:
- Access Web UI:
  - ml110: https://192.168.11.10:8006
  - r630-01: https://192.168.11.11:8006
  - r630-02: https://192.168.11.12:8006
- Navigate to Firewall:
  - Datacenter → Firewall → Host Firewall
- Add Rule:
  - Click "Add" or "Create"
  - Action: Accept
  - Source: 192.168.0.0/24
  - Protocol: All (or specific: TCP, UDP, ICMP)
  - Comment: "Allow Default Network"
  - Click "Create"
- Enable Firewall (if not enabled):
  - Options → Enable: Yes
  - Save
Method 3: Manual Configuration via SSH/CLI
For each host, SSH and edit firewall config:
# SSH to host
ssh root@192.168.11.10 # ml110
# or
ssh root@192.168.11.11 # r630-01
# or
ssh root@192.168.11.12 # r630-02
# Edit host firewall
nano /etc/pve/firewall/host.fw
Add or update (the host firewall only takes effect once the cluster-wide firewall is also enabled with enable: 1 under [OPTIONS] in /etc/pve/firewall/cluster.fw):
[OPTIONS]
enable: 1
[RULES]
# Allow Default Network (192.168.0.0/24)
IN ACCEPT -source 192.168.0.0/24 -log nolog
Save and apply:
# Compile firewall rules
pve-firewall compile
# Restart firewall
pve-firewall restart
Firewall Rule Details
Rule Configuration
Action: ACCEPT
Direction: IN (incoming)
Source: 192.168.0.0/24
Destination: Any
Protocol: All
Port: Any
Log: No (-log nolog, so matches of this rule are not logged)
Why This Rule?
- Allows Default network to access Proxmox hosts
- Limits exposure by allowing only one specific source network
- Enables management from Default network devices
- Doesn't affect existing VLAN 11 access
Verification
Test Connectivity from Default Network
If you have a device on Default network (192.168.0.x):
# Test ping
ping -c 3 192.168.11.10 # ml110
ping -c 3 192.168.11.11 # r630-01
ping -c 3 192.168.11.12 # r630-02
# Test HTTPS (Proxmox web UI)
curl -k https://192.168.11.10:8006
curl -k https://192.168.11.11:8006
curl -k https://192.168.11.12:8006
# Test SSH
ssh root@192.168.11.10
Check Firewall Status
# On each Proxmox host
ssh root@192.168.11.10 "pve-firewall status"
ssh root@192.168.11.11 "pve-firewall status"
ssh root@192.168.11.12 "pve-firewall status"
View Firewall Rules
# View host firewall rules
ssh root@192.168.11.10 "cat /etc/pve/firewall/host.fw"
ssh root@192.168.11.11 "cat /etc/pve/firewall/host.fw"
ssh root@192.168.11.12 "cat /etc/pve/firewall/host.fw"
# View cluster firewall rules
ssh root@192.168.11.10 "cat /etc/pve/firewall/cluster.fw"
Additional Firewall Considerations
Proxmox Cluster Communication
If cluster nodes can't communicate, ensure firewall allows:
# Corosync (cluster communication) uses UDP, ports 5405-5412
IN ACCEPT -p udp -dport 5405:5412 -log nolog
# SSH (for cluster management)
IN ACCEPT -p tcp -dport 22 -log nolog
Web UI Access
Proxmox web UI uses port 8006 (HTTPS). Ensure it's accessible:
# Allow HTTPS access
IN ACCEPT -p tcp -dport 8006 -log nolog
VM/Container Access
If VMs/containers need access, configure VM/container firewall rules separately.
Troubleshooting
Firewall Not Applying
- Check firewall status: pve-firewall status
- Verify config syntax: pve-firewall compile
- Check logs: journalctl -u pve-firewall -f
Still Can't Access
- Check if firewall is enabled:
  - Web UI: Datacenter → Firewall → Options
  - CLI: pve-firewall status
- Verify rule exists: grep "192.168.0.0/24" /etc/pve/firewall/host.fw
- Check rule order:
  - Rules are processed top to bottom
  - More specific rules should come first
  - Block rules should come after allow rules
- Test from different source:
  - Try from VLAN 11 device
  - Try from Default network device
  - Check if issue is network-specific
SSH Access Issues
If SSH is blocked:
- Add SSH rule: IN ACCEPT -p tcp -dport 22 -log nolog
- Or allow all from Default network: IN ACCEPT -source 192.168.0.0/24 -log nolog
Security Considerations
Current Configuration
- ✅ Allows access from Default network (192.168.0.0/24)
- ✅ Allows access from VLAN 11 (192.168.11.0/24)
- ⚠️ Consider restricting to specific IPs if needed
Enhanced Security (Optional)
If you want more restrictive access:
# Allow only specific IPs from Default network
IN ACCEPT -source 192.168.0.23 -log nolog # Specific dev machine
IN ACCEPT -source 192.168.0.1 -log nolog # UDM Pro
Or use an IP set, defined at datacenter level in /etc/pve/firewall/cluster.fw and then referenced from the host rule:
# Create IP set in cluster.fw (name chosen here; avoid the ipfilter-net<N> prefix,
# which Proxmox reserves for per-VM interface filter sets)
[IPSET default-mgmt]
192.168.0.23
192.168.0.1
# Use in a host.fw rule
IN ACCEPT -source +default-mgmt -log nolog
Related Documentation
- UDM_PRO_PROXMOX_CLUSTER.md - Cluster configuration
- UDM_PRO_ROUTING_ISSUE_RESOLVED.md - Routing fix
- UDM_PRO_NETWORK_ISOLATION_CHECK.md - Network isolation