Create a firewall rule

I will do some testing at the end of July and report back. In the meantime thanks a lot to both of you! :slight_smile:

1 Like

Did some testing. First, creating two vmbr in Proxmox alone did not help. Neither did adding a second network card, as long as these were both connected to the same switch of our internal LAN. I had the same symptoms with Shorewall errors in and out on eth1.

What did help though, was to put red before the switch so the wiring looked like:
internet-modem - zywall firewall - nethfirewall-red - and then from nethfirewall green to internal switch

No more errors while using teamviewer that way.

But I had not enough time to adapt everything, and the result was that from outside to inside the connections, auth and everything worked. But from inside I could not reach our external nethmailserver, nextcloud and so on. So I re-wired everything as it was before the testing.

Unfortunately the openvpn tunnel that I had created has left some cruft that was now blocking accesses due to obsolete routing entries, but I could fix that too.

As soon as I will have some more time, I will correct my network setup. Just thought, I should report and thank you for your help :slight_smile: :ok_hand:

Does this mean that this setup cannot be done with only one physical NIC and one big switch? I was under the impression that with two different logical networks this should have worked, and so I was quite surprised that I had the same errors with two NICs when both were connected to two ports in the same switch.

Tonight we finally found the time to separate our networks and get rid of the “special configuration” of a segmented network, where both virtual nethserver/proxmox NICs were sitting on the same vmbr0 bridge, thus we now have a standard setup:

wan -> in eth1 red on nethfirewall (and on vmbr1 in ProxMox) -> out eth0 green on nethfirewall (and on vmbr0 in ProxMox) -> switch -> clients

As mrmarkuz had mentioned, teamviewer works fine now that nethserver acting as firewall really is between wan and switch and thus is able to control its networks, whereas before apparently the firewall got confused from time to time, and produced strange blocked entries in the firewall log, where IN was eth1 and OUT eth1 too.

Thanks again to @mrmarkuz for having taken the time to understand my prob, my setup and reproduce it to give me a good advice that helped me solve our network problems. :ok_hand:

1 Like

May I ask one thing on firewall log?

I see entries of the type:
Sep 11 09:02:58 nethfirewall-hostname kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=xx:yy:zz SRC=ip-address-windows-client DST=ipadress-nethfirewall-hostname LEN=30 TOS=0x00 PREC=0x00 TTL=128 ID=26917 PROTO=UDP SPT=52809 DPT=5351 LEN=10.

As port 5351 is registered for NAT Port Mapping, I would like to know where to change what setting in order to get rid of these entries. :slight_smile:

Another thing I would like to eliminate is:

Sep 11 09:06:43 nethfirewall-hostname kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=XX:YY:ZZ SRC=ip adress d-link-access-point DST=ip-address nethfirewall LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=36500 DPT=137 LEN=58

Apparently port 137 is registered for NETBIOS Name Service, so again, where would I have to change what setting to get rid of those entries?
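To see which local chatter the firewall is rejecting before deciding on a rule, here is an added example (not from this thread or from NethServer) that parses lines in the Shorewall kernel-log format quoted above and groups them by chain, protocol and destination port; the sample lines, addresses, MACs and the small table of known LAN-discovery noise are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the Shorewall kernel-log format quoted in the thread
SAMPLE_LOG = """\
Sep 11 09:02:58 nethfirewall kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=xx:yy:zz SRC=192.0.2.10 DST=192.0.2.1 LEN=30 TOS=0x00 PREC=0x00 TTL=128 ID=26917 PROTO=UDP SPT=52809 DPT=5351 LEN=10
Sep 11 09:06:43 nethfirewall kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=XX:YY:ZZ SRC=192.0.2.20 DST=192.0.2.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=36500 DPT=137 LEN=58
Sep 11 09:07:01 nethfirewall kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=AA:BB:CC SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=45000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# The two ports asked about in the thread plus some other common LAN broadcast/discovery chatter
KNOWN_NOISE = {
    ("UDP", 5351): "NAT-PMP (client asking the gateway to map a port)",
    ("UDP", 137): "NetBIOS Name Service",
    ("UDP", 138): "NetBIOS Datagram Service",
    ("UDP", 1900): "SSDP/UPnP discovery",
}

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<fields>.*)$")

def parse_shorewall_line(line):
    """Return a dict with chain, action and the IN=/OUT=/SRC=/... fields, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            # LEN appears twice (IP header, then UDP payload); keep the first one
            rec.setdefault(key, val)
        else:
            rec.setdefault("flags", []).append(tok)  # bare tokens such as DF or SYN
    return rec

def summarize(log_text):
    """Count REJECT/DROP entries by (chain, proto, dport) and label known noise."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if not rec or rec["action"] not in ("REJECT", "DROP"):
            continue
        counts[(rec["chain"], rec.get("PROTO"), int(rec.get("DPT", 0)))] += 1
    return {k: (n, KNOWN_NOISE.get((k[1], k[2]), "unclassified")) for k, n in counts.items()}

if __name__ == "__main__":
    for (chain, proto, dport), (n, label) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:8} {proto}/{dport:<5} x{n}  {label}")
```

Entries labelled as known discovery noise from the green zone are candidates for a quiet drop or an allow rule, while unclassified hits (especially on the red interface) deserve a closer look before any rule is written.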