 
d2301
just joined
Topic Author
Posts: 6
Joined: Sun Apr 24, 2022 3:50 am

Firewall to proxmox

Thu May 12, 2022 6:20 am

Hey everyone -

Had a quick question on forwarding the web GUI (port 8006) that is within a VLAN to my workstation that is out of the VLAN.

Long story short, I have two routers, one that is from the ONT to the ISP router and then to the MikroTik router. The MikroTik router has a VLAN that the Proxmox server is located on (10.10.10.0/24, its IP is 10.10.10.250). However, the workstation that I want to access is connected to the ISP router (IP of 192.168.1.60).

I went into the firewall rules and forwarded port 8006 through ether1 (which connects from the MikroTik to the ISP router), and then went into NAT and did dst-nat (to 10.10.10.250 port 8006) under action. I moved the firewall rule above drop/input too.

It doesn’t seem to connect. I keep on getting “timeout” and when I torched it, it looks like it’s stuck at SYN. Any ideas? I followed the steps in the firewall forum and got my web server within the VLAN to work from my 192 workstation, so I’m wondering whether the HTTPS is throwing it off when trying to forward to Proxmox.

Thanks for the help.
D
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall to proxmox

Thu May 12, 2022 8:11 am

Default firewall rule set has a rule similar to this one:
/ip firewall filter 
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

It relies on some foundations, the most crucial of which is maintenance of the WAN interface list ... And if the foundations are sound, then you only have to add DST-NAT rules to allow traffic to flow, something like:

/ip firewall nat
add action=dst-nat chain=dstnat comment="very important port forward from ISP LAN to server" \
    dst-port=8006 in-interface-list=WAN protocol=tcp src-address=192.168.1.60 to-addresses=10.10.10.250

... and of course you have to be careful to set all properties right, such as protocol (TCP or UDP). Note that all properties except to-addresses in the example shown are "selectors" ... original packet must match all the criteria in order for NAT to do the magic ... and only then DST NAT machinery will replace dst-address with value of to-addresses property (and ditto for dst-port if to-ports property is set).

If you want to get some more concrete advice, post your actual firewall settings.
 
d2301
just joined
Topic Author
Posts: 6
Joined: Sun Apr 24, 2022 3:50 am

Re: Firewall to proxmox

Thu May 12, 2022 8:58 am

Firewall menu (remember this is the second router behind my first ISP router, which doesn't allow port forwarding so I don't have a fear of WAN access).
add action=dst-nat chain=dstnat comment=ProxMox connection-type="" dst-port=\
    8006 in-interface=ether1 protocol=tcp 
and then nat menu
add action=dst-nat chain=dstnat comment=ProxMox connection-type="" dst-port=\
    8006 in-interface=ether1  protocol=tcp \
    src-port="" to-addresses=10.10.10.250 to-ports=8006
    
Just figured out how to export. Thanks. This seems to work with my webserver at a different IP. Same settings, just replace IP and port. Not sure why Proxmox isn't working (the GUI access). Is this potentially an HTTPS issue (over port 8006) since Proxmox won't let it go through HTTP?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: Firewall to proxmox

Thu May 12, 2022 6:50 pm

I'm pretty sure that the unpopulated properties (e.g. src-port, connection-type, etc.) have to be actually unset. Empty value is not "null" value.
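
A way to spot the condition described in the reply above in an exported configuration, as an added example that is not part of the thread: a Python check that flags firewall rules carrying properties set to an empty string. The function names and the second sample rule are assumptions made for illustration; the first sample rule is the NAT rule posted earlier in the thread.

```python
import re

# Sample export text. Rule 0 is the NAT rule posted in the thread;
# rule 1 is constructed for contrast (hypothetical address and comment).
SAMPLE_EXPORT = r'''/ip firewall nat
add action=dst-nat chain=dstnat comment=ProxMox connection-type="" dst-port=\
    8006 in-interface=ether1 protocol=tcp \
    src-port="" to-addresses=10.10.10.250 to-ports=8006
add action=dst-nat chain=dstnat comment="web server" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.10.10.20
'''

# key=value, where value is a quoted string or a bare token (possibly empty)
PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
IGNORED = {"comment"}  # free text, not a packet selector


def join_continuations(text):
    """Merge lines that the export wrapped with a trailing backslash."""
    return re.sub(r'\\\r?\n\s*', '', text)


def find_empty_matchers(export_text):
    """Return (menu, rule_index, comment, [empty properties]) per affected rule."""
    findings, menu, index = [], None, 0
    for line in join_continuations(export_text).splitlines():
        line = line.strip()
        if line.startswith('/'):          # menu path, e.g. /ip firewall nat
            menu, index = line, 0
            continue
        if not line.startswith('add ') or not (menu or '').startswith('/ip firewall'):
            continue
        props = dict(PAIR.findall(line))
        empty = sorted(k for k, v in props.items()
                       if v in ('', '""') and k not in IGNORED)
        if empty:
            findings.append((menu, index, props.get('comment', '').strip('"'), empty))
        index += 1
    return findings


if __name__ == "__main__":
    for menu, idx, comment, empty in find_empty_matchers(SAMPLE_EXPORT):
        print(f"{menu} rule {idx} ({comment}): empty-valued {', '.join(empty)}")
```
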
 
d2301
just joined
Topic Author
Posts: 6
Joined: Sun Apr 24, 2022 3:50 am

Re: Firewall to proxmox

Thu May 12, 2022 8:12 pm

Wow. That worked. Appreciate it.
D
