Recent content by 4920441

  1. 4

    IPv6 traffic between containers on a Linux bridge (vmbr0.123)

    Proxmox Virtual Environment 9.0.11 Four hosts are configured on a Proxmox server, all have a bridge on vmbr0.123 (i.e. VLAN 123) VM1 fd46:2ce5:5d43::1/48 192.168.1.1/24 VM2 fd46:2ce5:5d43::2/48 192.168.1.2/24 Container CT1...
  2. 4

    IPv6 Firewalling in PVE

    Yes I will, but I think weekend is more realistic.
  3. 4

    IPv6 Firewalling in PVE

    That's due to anonymizing. But I really got one (the same network) in BOTH IP Sets Overlapping - so, I'll change that and try again.
  4. 4

    IPv6 Firewalling in PVE

    I just checked, but for each ipset there are no overlaps.. The First IPSet (IPv6 trusted) and the second IPSet (Trusted) indeed have two overlapped ranges. Cheers,
  5. 4

    IPv6 Firewalling in PVE

    Hi again, after winding back to iptables at least the host ipv6 net is firewalled again. But what I just reconed, that is not correct: In the web interface input and forward is default drop, and with an ip(6)tables-save it is both set to ACCEPT.... that is not right:
  6. 4

    IPv6 Firewalling in PVE

    for now it might be best to revert to the old firewall. That's what I thought as well :-) Thank you for your help. Cheers, 4920441
  7. 4

    IPv6 Firewalling in PVE

    cat /etc/pve/firewall/cluster.fw [OPTIONS] enable: 1 policy_forward: DROP policy_in: DROP [IPSET internal-pub-ipv6] 2000:000:000:3f8b::/64 # host ipv6 hetzner 2000:000:000:e700::/56 # routed ipv6 [IPSET trusted-ips] 111.243.25.152/29 122.76.244.88/29 133.251.176.35 172.31.254.0/24...
  8. 4

    IPv6 Firewalling in PVE

    No, it does not work after the reboot... even worse: the firewalled /64 network is now also wide despite exactly the same rules as with iptables, all set up by the gui. My nft script did not run yet and is not merged yet after the reboot. cat /etc/pve/firewall/cluster.fw | grep -i forward...
  9. 4

    IPv6 Firewalling in PVE

    Since nft is now installed, I added my nft script to it, and it works fine so far. Everything which is not explicitly allowed gets blocked, also to the routed networks. Since the nft scripts are much more readable than the old iptables-save thingies, I think this addon could survive the daily...
  10. 4

    IPv6 Firewalling in PVE

    ok... so simply ticking the "nftables tech preview" does not do the trick alone.... Despite nftable rules are loaded, they are nothing like in the gui - do I have to convert the gui rules to nft somehow? In the datacenter firewall it says: Forward rules only take effect when the nftables...
  11. 4

    IPv6 Firewalling in PVE

    pveversion -v proxmox-ve: 9.0.0 (running kernel: 6.14.8-2-pve) pve-manager: 9.0.3 (running version: 9.0.3/025864202ebb6109) proxmox-kernel-helper: 9.0.3 proxmox-kernel-6.14.8-2-pve-signed: 6.14.8-2 proxmox-kernel-6.14: 6.14.8-2 proxmox-kernel-6.8.12-13-pve-signed: 6.8.12-13 proxmox-kernel-6.8...
  12. 4

    IPv6 Firewalling in PVE

    I think you meant status pve-firewall? systemctl status pve-firewall ● pve-firewall.service - Proxmox VE firewall Loaded: loaded (/usr/lib/systemd/system/pve-firewall.service; enabled; preset: enabled) Active: active (running) since Fri 2025-08-08 18:37:08 CEST; 1h 51min ago...
  13. 4

    IPv6 Firewalling in PVE

    systemctl status proxmox-firewall Unit proxmox-firewall.service could not be found. That's kinda odd, isn't it? cat /etc/pve/firewall/cluster.fw .... FORWARD DROP -dest 2000:000:231:0700::/56 -log info # Drop-Incoming foobarbla :/56 ... there is my forward drop cat...
  14. 4

    IPv6 Firewalling in PVE

    I am pretty sure I made in the datacenter firewall a rule for the forwarding table which drops all which was not allowed before. The funny thing is, I enabled nft but even after a reboot no nft ruleset is there? Is there something else to enable on the proxmox side? Even on the ip6tables...
  15. 4

    IPv6 Firewalling in PVE

    Yes, correctly. I am using the proxmox host itself as a router with very easy rules. The /64 network which is (only) directly on the proxmox host itself, works with firewalling. If I allow a source ip it gets a connection, if I deny it (by not allowing it) packets get dropped. The routed /48...