Just SSH dropping. Everything on the VM side is ok.
And yes, the computer I’m using is on .6.X (LAN VLAN) and the VM is on .1.X (MGMT VLAN).
The management VLAN is only accessible by a couple devices and this is one of them. To get PiAlert to be able to see devices on the LAN VLAN, it has to have an interface to be able to ARP from.
Would that be similar to telling SSH to listen on only one interface? Because I did try that but it unfortunately did not resolve the issue.
Edit: Found what you mean. I’ll give this a try, thanks!
Yeah, such a nightmare, lol. If I ever feel like hosting a honeypot I’ll probably DMZ it or use a VPS or something, but I’m going to change gears on projects for now.
Right. Most of my VLANs are set up that way; they’re silos. The VLAN that this is running on is the “management” VLAN that can see the other ones.
Updated with the forum posts
Gotcha. I’m using an ATX 1800 with full tunnel. I figured there would be a default deny all (haven’t touched anything in the way of the firewall on that device yet), but wasn’t sure if ARP would be able to get past it from the public AP side. I guess I can always do a few experiments at home in the lab too. Thanks again!
Thanks so much for looking into it! That’s a relief.
Ty!
Hey there,
Yeah, I’m doing it manually, and I did try importing the config from pfSense; however, it would say import successful and then “Failed” at the bottom, lol. I did end up getting it working after finding a post from the staff mentioning that you should not put a listening address on the Peer and you should set a manual MTU of like 1300, which worked for me.
Ahahahah. That’s hilarious 😂. Well that makes the choice easy, thanks.
I’m the same way. All my smart devices are on their own VLAN with no WAN access (egress or ingress). Does Bambu require that?
Hm, currently I have pfSense and my other network equipment on its own “management” VLAN, and I don’t allow my other VLANs access to it (except for a couple devices I whitelist). None of those can reach pfSense via the LAN IP as I expect, only by the WAN IP.
Thank you, that was the first thing I checked after having a near heart attack, haha. I thought the whole world could see my login for a second there.
Gotcha, thanks so much (to you and the others who mentioned this as well). This has been driving me crazy the last couple hours, as I can connect to any of my VLANs (some which I treat as fairly insecure) and they can all hit my firewall if I use the WAN IP.
I checked pfSense, and I have NAT Reflection disabled everywhere I found it (System >> Advanced >> Firewall & NAT, as well as in my individual NAT rules); however, I can still access via the WAN IP.
So I guess all I can really do is set a rule to forward port 80/443 to something else to avoid this, right? I was thinking of hosting a Matrix chat server, which would use those ports, so maybe that’s the play.
Hm, my only NAT rule is to allow traffic to my game server on specific ports. Is there somewhere else that could be set? EDIT: I think you’re right.
That does make sense, thank you. I kind of have that started in a way; for example, I have port aliases for games grouped in one alias, I have ports for crypto mining in an alias, etc. Now I guess I just need to break up the hosts more and give them the necessary (and minimum amount of) permissions.
Edit: @oleorun@real.lemmy.fan made some changes to my Smart VLAN. Does this look a bit like what you mean?
Understood. Thanks so much!