Recent content by Asg.Systems

That's really nice, we've opened another one on netfilter since the issue seems to be netfilter https://bugzilla.netfilter.org/show_bug.cgi?id=1644

nothing to do, also with connection tracking enable the ICMP and UDP messages are reassembled by the PVE netfilter

Just to add a clarification after the proxmox case, the reassemblation of the packets is caused by the Netfilter only if the FIrewall is enabled on the cluster I found also this, now I try if enabling conntrack (is disabled in our environment for other problem that was caused)...

Hi, after migration of a Checkpoint VSX to VSEC Appliance on Proxmox infrastructure, seems that traffic passing through this firewall present an high latency and packet loss. Here an example: 2021-09-20 08:58:34 --- 100 packets transmitted, 98 received, 2% packet loss, time 99027ms --- rtt...

Hi, the MTU on the linux bridge and the phisycal interfaces is 9000, the MTU on guest virtual machine is 1500

Yesterday we've tried to reboot the system disabling the firewall, but nothing changed, on this specific VLAN (ID 2249) we're experiencing the issue. Unfortunately we use the Jumbo MTU for some services on the VM. The strange things is the following: VM ---->...

Hi spirit, thanks for your feedback. There is fragmentation because the mtu is 1500 on the firewall appliance And even by setting it at 9000 there would be MPLS network with mtu 1500, so i have to change this behavior without any workaround There is fragmentation because packets of RADIUS...

Hi to all, we're experiencing a problem with firewall on a proxmox cluster and after few tests it seems it'a a linux bridge problem The packet capture show that fragmented packets passing through the bridge are reassembled and sent out. This is causing us some problems, even if proxmox cluster...

I think SOLVED this issue: simply enable nf_conntrack_allow_invalid: 1 in /etc/pve/nodes/<nodename>/host.fw

Solved, to avoid this without disabling the feature on the ASA or the Firewall on Proxmox it's possible to enable this feature: nf_conntrack_allow_invalid: 1 in /etc/pve/nodes/<nodename>/host.fw

I have some news, I reduced the focus on the ASA, and to be more specific on the ASA TCP sequence randomization function. Disabling it in this way https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/firewall/asa-95-firewall-config/conns-connlimits.html#ID-2068-000003ec all...

Dears, We have the following scenario: A Proxmox Cluster with version 6.3-3, kernel version 5.4.78-2 with 2 nodes: On network side we're using linux bridge with vlan awareness and configuration of one node is the following: auto lo iface lo inet loopback auto eno5 iface eno5 inet manual...

Hi, Thank you! It's very better, I didn't find it before, my mistake Best Regards

in an environment with Linux Bridge with VLAN aware configuration, I've created a bash script to use as HookScript as follow: #!/bin/bash NETID="tap$1i1" if [[ "$2" == "post-start" ]]; then echo "Configuring filter vlan for VM id: $1" IFS=',' bridge vlan...