After doing a nmap on the router’s IP, I can’t see the ports that I’ve opened in the web gui.
This is the result:
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
2049/tcp open nfs
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
32780/tcp open sometimes-rpc23
This is the config done by me on the web gui and what I see in Luci:
Ping is ICMP, but you forwarded TCP and UDP. This one won't work.
Ping sends an ICMP packet to the given host, and the host answers with an ICMP pong. No port is involved here.
Furthermore, you are redirecting 53/TCP … But DNS is UDP by default. This also won't work.
Please do yourself a favour: create an nginx reverse proxy on Proxmox-2, forward all TCP/80 to this nginx and configure the forward.
Set up the main DNS near the ISP router, and also from inside out, as the route to the internet has to be established already.
Thank you very much for your suggestion, it sounds a bit too technical for me, but I’ll take a look.
I apologize for my poor knowledge… I thought that having a Sophos firewall as main gateway behind the ISP router and opening some ports (and doing port forwards rules) in the GL.iNet router should be enough to see my VMs in the two subnets.
OP, do yourself a favor: make sure that ISP ‘link’ is a modem, just a modem; not one of these goddamn ‘all in one’ modem/router/access point POS. Contact your ISP & swap it out for a straight modem if you have to. Otherwise dig into its settings & look to put the Sophos device/router proper on the DMZ if you can’t set the ISP unit into ‘bridged mode.’
You’ll save yourself headaches in the years to come.
No need to apologise. We all started at some time.
That’s why I suggested the Nginx Reverse Proxy. There are a lot of good howtos on the internet on how to do this.
But it is kind of too complex/specialized for this forum; maybe we’ll see each other in a Proxmox forum as well.
Nginx is not the problem here. It is the integration in Proxmox and the data flow plus the security.
I recommend https://nginxproxymanager.com/ for starters. But at one point it will not work for a specific task. Then you want to know how the config files work…
At the start it is a good help for forwarding the Proxmox management frontend and other services.
If you want to manage non-HTTP traffic, like DNS, there are routers like OPNsense as a container in Proxmox. Or even DD-WRT or OpenWrt, to be nearer to GL.iNet… Depends on the future needs.
Just keep in mind how the traffic flows. Then configure your LAN with jumbo frames (huge MTU)… So much theory.
I was thinking about all the stuff discussed in this post, I understand everything and appreciate the info, especially all the security concerns.
However, there’s one thing that I don’t understand. In the router’s web gui there are two tabs: Port Forwards and Open Ports on Router.
Literally, this is what we can read:
If you have servers in your LAN subnet and want them be accessible from the WAN side,
you need to set up port forward to these servers, identified by IP addresses and ports.
Open Ports on Router:
For security reasons, the services that you install on the device are only opened to its LAN network.
If you want them to be accessible from the WAN network, you need to open ports for these services on the WAN
In my case, I only need to access from the WAN side my Pi-hole, monitor some VMs with Checkmk and do some backups from Proxmox Backup Server.
However, I don’t understand, if I have configured according to the instructions (screenshots above), why it doesn’t work: DNS doesn’t resolve and I can’t configure a backup datastore…
I wouldn’t expose ports or port forward to the WAN → LAN in this case. The traffic will be unencrypted on the Public Internet when it hits WAN. You’d be better off setting up a S2S over WireGuard. Ensure you set a Preshared Key (PSK) for maximum security.
This assumes your Public Internet IP is not behind CG-NAT. If your ISP confirms that’s the case, this will not work.
Side note: I would really diagram your current & desired topology if only to help those following along at home.
My public IP is on the ISP router, the typical all-in-one which acts as modem-router-switch-access point, with no open ports and a layer-4 firewall.
Behind this I have a Sophos firewall, Home Edition, and, finally, behind that the GL.iNet router.
When I say “WAN”, I mean the external side of the GL.iNet router, which is really behind the devices mentioned before. In this subnet I have two or three VMs from which I need to route some traffic to the LAN side of the GL.iNet router.
I followed the instructions, it should work but it doesn’t. This is what I don’t understand…
I could also use Tailscale, but, if possible, I prefer not to. As for unencrypted traffic, I’ve configured HTTPS for my internal servers.
Port forwarding means the port is taken from WAN and forwarded to another client on the LAN side. This port does not need to be the same. You could forward [external IP]:1234 to [Lan client IP]:80 …
It is a routing thing. The WAN client does not know about port 80 on the service, and the LAN service doesn’t know about the use of port 1234 from the WAN.
You can’t switch from UDP to TCP, it needs to be the same on both ends.
Open ports on router is a GL.iNet thing and means the firewall on WAN will be opened to services on the router.
As the Admin panel is available at LAN:80, with open port 80 on router, the service (admin panel) will be available on WAN:80.
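The two points the replies keep coming back to (ping is ICMP and has no port, so a TCP/UDP forward never matches it; DNS is UDP by default, so a 53/TCP-only forward leaves resolution broken; and the protocol must be the same on both ends of a forward) are easy to check mechanically before touching the router. The script below is an added example written for this thread, not GL.iNet, OpenWrt or any poster's code: it validates a list of WAN-to-LAN forwards against those rules and renders the sane ones as OpenWrt `firewall` UCI sections (`config redirect` with `target 'DNAT'` for TCP/UDP, a plain `config rule` with `target 'ACCEPT'` for ICMP, since NAT on ports makes no sense there). The sample rules, the rule names and the 192.168.8.x addresses are constructed; the Proxmox Backup Server port 8007 is that product's default and is only used as a sample value.

```python
"""Sanity-check WAN->LAN forwards and render them as OpenWrt UCI firewall sections.

Added example for the thread above; not code from GL.iNet, OpenWrt or any poster.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORTLESS_PROTOS = {"icmp"}          # protocols that have no port numbers at all
UDP_SERVICES = {53: "DNS"}          # services that are UDP by default (TCP is only a fallback)


@dataclass
class Forward:
    name: str
    proto: str                        # UCI style: "tcp", "udp", "tcp udp" or "icmp"
    src_dport: Optional[int]          # port as seen on the WAN side (None for ICMP)
    dest_ip: str                      # LAN host that should receive the traffic
    dest_port: Optional[int] = None   # port on the LAN host; defaults to src_dport
    dest_proto: Optional[str] = None  # only set when a GUI lets you pick it separately


def check_forward(fwd: Forward) -> List[str]:
    """Return human-readable problems with one forward; an empty list means it is sane."""
    problems = []
    protos = set(fwd.proto.split())

    if protos & PORTLESS_PROTOS:
        if fwd.src_dport is not None or fwd.dest_port is not None:
            problems.append(f"{fwd.name}: ICMP has no ports, a port forward can never match ping")
        if protos - PORTLESS_PROTOS:
            problems.append(f"{fwd.name}: do not mix ICMP with TCP/UDP in one rule")
    else:
        if fwd.src_dport is None:
            problems.append(f"{fwd.name}: a TCP/UDP forward needs a WAN port")
        lan_port = fwd.dest_port if fwd.dest_port is not None else fwd.src_dport
        for port in {fwd.src_dport, lan_port} - {None}:
            service = UDP_SERVICES.get(port)
            if service and "udp" not in protos:
                problems.append(f"{fwd.name}: {service} on port {port} is UDP by default, "
                                f"forward udp (tcp alone will not resolve)")

    # The protocol cannot change on the way through the router.
    if fwd.dest_proto is not None and set(fwd.dest_proto.split()) != protos:
        problems.append(f"{fwd.name}: protocol must be the same on both ends "
                        f"({fwd.proto} -> {fwd.dest_proto})")

    try:
        if not ipaddress.ip_address(fwd.dest_ip).is_private:
            problems.append(f"{fwd.name}: dest_ip {fwd.dest_ip} is not a LAN (private) address")
    except ValueError:
        problems.append(f"{fwd.name}: dest_ip {fwd.dest_ip!r} is not an IP address")
    return problems


def render_uci(fwd: Forward) -> str:
    """Render a sane forward as an OpenWrt /etc/config/firewall section."""
    if set(fwd.proto.split()) & PORTLESS_PROTOS:
        # No NAT for ICMP: just allow it through the wan->lan forwarding path.
        lines = ["config rule",
                 f"\toption name '{fwd.name}'",
                 "\toption src 'wan'",
                 "\toption dest 'lan'",
                 f"\toption dest_ip '{fwd.dest_ip}'",
                 f"\toption proto '{fwd.proto}'",
                 "\toption target 'ACCEPT'"]
    else:
        dest_port = fwd.dest_port if fwd.dest_port is not None else fwd.src_dport
        lines = ["config redirect",
                 f"\toption name '{fwd.name}'",
                 "\toption src 'wan'",
                 f"\toption src_dport '{fwd.src_dport}'",
                 "\toption dest 'lan'",
                 f"\toption dest_ip '{fwd.dest_ip}'",
                 f"\toption dest_port '{dest_port}'",
                 f"\toption proto '{fwd.proto}'",
                 "\toption target 'DNAT'"]
    return "\n".join(lines)


def audit(forwards: List[Forward]) -> Tuple[List[str], List[str]]:
    """Split rules into UCI sections for the sane ones and problem strings for the rest."""
    sections, problems = [], []
    for fwd in forwards:
        found = check_forward(fwd)
        if found:
            problems.extend(found)
        else:
            sections.append(render_uci(fwd))
    return sections, problems


# Constructed sample set modelled on the mistakes discussed in the thread.
SAMPLE = [
    Forward("ping_vm", "icmp", 7, "192.168.8.10"),                 # ICMP with a port: never matches
    Forward("pihole_dns", "tcp", 53, "192.168.8.10"),              # DNS as TCP only: resolution fails
    Forward("pihole_dns_ok", "tcp udp", 53, "192.168.8.10"),       # what the Pi-hole forward should be
    Forward("pbs", "tcp", 8007, "192.168.8.20", dest_proto="udp"),  # protocol switched between ends
    Forward("ping_vm_ok", "icmp", None, "192.168.8.10"),           # plain ICMP allow rule
]

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print("\n".join(bad))
    print("\n\n".join(ok))
```

Run it and the three broken sample rules are reported with the reason, while the two sane ones come out as sections you can paste into `/etc/config/firewall` (followed by `/etc/init.d/firewall reload`) or compare against what LuCI generated.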