Nethsecurity proxmox vm hangs on boot in the VM console, last shell prompt displaying “8021q: adding vlan 0 to hw filter on device eth1”.
I have a couple Linux bridges created in proxmox. I’ve added them to the VM’s hardware. The one for WAN is linked to the physical nic and the second one (for LAN) is not linked. So, vmbr1 bridged to nic1 and vmbr2 not bridged.
I can ping the public IP address, but cannot access the web gui for Nethsecurity, probably because the boot process is hanging up. Any ideas from someone who has a working installation?
I plan on installing a Debian 13 VM and then Nethserver 8 on that, and accessing it remotely thru the Nethsecurity gateway. I want to use Nextcloud on NS8, to replace our current outdated NS7 server.
Thanks Markus! I did that before, but since I can’t access the web gui, I figured the hang up was the issue. How would I go about switching the roles from the command line? You can see my ip a results in the proxmox console for the vm.
You will need to access it on your LAN port of Nethsecurity.
Until you finish setup (you need webgui for that) you need LAN access. On the setup steps you’ll be asked if you want to grant access through WAN. And past that step then you can use the “public” ip you mentioned.
Well, I imported a nethsecurity-8.7.2-x86-64-generic-squashfs-combined-efi.img file downloaded from nethsecurity.org, so I followed the import instructions for proxmox from the nethsecurity docs. There was no configuration setup when starting the vm from its proxmox console; it just goes to command line. Logging in with the default credentials gets me to where I can do uci commands at shell to change the wan and lan addresses to static protocol and then specifically to my static public and private IP addresses. I can ping the public IP from a remote computer and also from a Debian 13 VM I created on the same proxmox server. I can only ping the local from the Debian VM. I can’t access the nethsecurity UI from either browser using either IP address, adding :9090 to the IP address. uci show network.wan.device shows up as eth1. uci show network.lan.device shows up as br-lan. br-lan’s IP is the local static address and eth1’s IP is the public static address.
Hello! Just giving some inputs to try and figure out the issue
At first boot, port 9090 is reachable from both WAN and LAN, so if both addresses are unreachable something else might be blocking the traffic.
NethSecurity takes the initial behaviour directly from OpenWRT:
The first interface it finds is added as a LAN, a dummy bridge is created and the IP 192.168.1.1/24 is given. A DHCP server is then spawned if no others are found in the same network.
The second interface is catalogued as WAN and is configured to get its config from DHCP.
Every configuration then can be safely changed, even removing the bridge directly from the UI. But from the
Once first login has been made, a wizard will guide you into securing access to the firewall
There are no wizards from the command line. That’s all I can access at this point, in the proxmox console of the Nethsecurity VM. It looks like the UI can be accessed via WAN and port 9090, at least in the firewall rules.
Have two input rules in the proxmox firewall, and I’ve tried using the nic1 as the interface in the rules, and also vmbr1 as the interface, since it’s the vlan bridge to nic1.
Also enabled the firewall for the Nethsecurity VM in its proxmox firewall options. One thing to note: If I do pve-firewall status at my proxmox’s node shell, I get disabled/running, even though it’s set to enabled in its proxmox firewall options. I don’t know how to make it change to enabled/running?
When I use nmap to check the WAN side open ports of a fresh NethSecurity VM it looks like:
Starting Nmap 7.94 ( https://nmap.org ) at 2026-04-02 18:16 CEST
Nmap scan report for 192.168.3.157
Host is up (0.00041s latency).
PORT STATE SERVICE
22/tcp closed ssh
443/tcp open https
9090/tcp open zeus-admin
Pretty sure they’re assigned right. vmbr0 is bridged to nic0 and plugged into our office LAN, and assigned a static LAN IP, which allows me to access the proxmox GUI. I’m not using it on any VMs. vmbr1 is bridged to nic1 and plugged into our broadband modem, which is assigned a static public IP (from our ISP). vmbr2 is bridged to nothing and assigned a static LAN IP to match what “ip a” spits back for BR-LAN. I had originally left this blank, but populated or blank it still doesn’t work.
The nethsecurity vm has two network devices, net0 bridged to vmbr1 and net1 bridged to vmbr2. Firewall is disabled on both.
I tried to connect to your WAN IP and found that the Proxmox server is responding (on port 8006) and not the NethSec VM.
Maybe there’s a port forwarding/DMZ host enabled on your router, pointing to the Proxmox?
EDIT:
I’m not sure about vmbr2, it’s not needed.
Usually in the NethSecurity VM you use net0 for LAN (vmbr0) and net1 for WAN (vmbr1)
Sometimes it needs to be reversed (net0 → vmbr1, net1 → vmbr0)
I figured it out!! Thanks for all the advice that kept me thinking. Your latest comments, Markus, got me wondering why I was able to access the proxmox gui, but not the nethsecurity vm’s using the public IP.
My proxmox network has nic0 plugged into my office LAN and nic1 plugged into my modem. It also has vmbr0 assigned a LAN IP and bridged to nic0. It had vmbr1 assigned the public IP and bridged to nic1. It has vmbr2 assigned no IP and bridged to nothing.
So, I first removed the public IP from the linux bridge vmbr1, but left its bridge port as nic1, because I figured the IP was already assigned as the WAN IP address in nethsec. I wanted the public IP to only be directed to the nethsec WAN. When doing just that didn’t work, I did ‘ip a’ one more time from the nethsec shell and was seeing the public IP address assigned to the MAC address given to vmbr2, not the MAC address given to vmbr1. So, I removed the bridge port from vmbr1 and assigned nic1 as the bridge port of vmbr2. Afterwards, I applied the configuration in the proxmox network settings.
I then used <public_IP:9090> in a remote browser and it took me into the nethsec gui! Once I logged in, I was taken to the setup wizard. I may be posting additional questions as I get into the wizard and later try to access the debian 13 vm I’m going to use for ns8.
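A check for the condition this thread ended on, where the Proxmox host itself held the public IP on the bridge attached to the modem-facing NIC and so answered on port 8006 in place of the firewall VM. This is an added example and not part of any post above: the function name is hypothetical, the bridge and NIC names follow the thread, and both sample layouts and their addresses are constructed.

```shell
#!/bin/sh
# Added example: list bridges that give the Proxmox host its own address on
# the WAN-facing NIC. Reads ifupdown-style stanzas on stdin.
# $1 = physical NIC cabled to the modem (nic1 in the thread).
wan_bridges_with_host_ip() {
    awk -v nic="$1" '
        function report() {
            if (name != "" && addr != "" && onwan) print name, addr
        }
        $1 == "iface" { report(); name = $2; addr = ""; onwan = 0; next }
        $1 == "address" { addr = $2 }
        $1 == "bridge-ports" || $1 == "bridge_ports" {
            for (i = 2; i <= NF; i++) if ($i == nic) onwan = 1
        }
        END { report() }
    '
}

# Constructed sample: layout before the fix (203.0.113.10 is a documentation address).
BEFORE='iface vmbr0 inet static
    address 192.168.10.5/24
    bridge-ports nic0
iface vmbr1 inet static
    address 203.0.113.10/29
    bridge-ports nic1
iface vmbr2 inet manual
    bridge-ports none'

# Constructed sample: layout after the fix, WAN NIC on an address-less bridge.
AFTER='iface vmbr0 inet static
    address 192.168.10.5/24
    bridge-ports nic0
iface vmbr1 inet manual
    bridge-ports none
iface vmbr2 inet manual
    bridge-ports nic1'

printf '%s\n' "$BEFORE" | wan_bridges_with_host_ip nic1   # vmbr1 203.0.113.10/29
printf '%s\n' "$AFTER"  | wan_bridges_with_host_ip nic1   # (no output)
```

On a real host, feed it the live file: `wan_bridges_with_host_ip nic1 < /etc/network/interfaces`. Any line printed means the hypervisor's own services are reachable on that address.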