Firewall Problem

crawrj

New Member
Feb 26, 2026
Hello Community. Another noob issue I am having. I am brand new to Proxmox. I have installed my first cluster using version 9.2.2, migrated machines from ESXi, and set up new servers. Everything has been working great. Today, I tried to start working on the Firewall to lock down management access. I set enable rules for the management network on ports 8006 and 22. Once I enabled the firewall, management access worked, but live migration and replication stopped working. That is all I know that broke so far. I read in the wiki that those were supposed to be allowed by default. So I am confused. My network is separated by Management, Cluster, LM, and VM networks. Maybe this is the reason? I apologize; I am such a noob that I am not sure what to post here to help with troubleshooting. I disabled the firewall for now so that everything is working again. Also, not sure if it matters, but in reading to try and figure out what went wrong, I saw where the new firewall is proxmox-firewall. I checked, and it looks like even though I am on 9.2.2, I am still using pve-firewall.

Any help is greatly appreciated!
 
I should have mentioned this, too. I thought that might be the case, so I created these rules, and it was still failing. Is it because I didn't set up a VMBR for migration and only the bond? I don't remember why I did it that way, but I was looking at tutorials when I set it up, so I got it from one of those. Everything does work without the firewall.

[Attached screenshots: 1781274993866.png, 1781275006537.png, 1781275144455.png]
 
I have found these two lists of ports used. One from the admin guide and one from a user post. Can anyone break these down to which interface they would use?

My interfaces

vmbr0 - Management
vmbr1 - VM Network
Bond2 - Live Migration
cluster1 - Cluster Traffic
cluster2 - Cluster Traffic

I am putting what I assume underlined below

13.12. Ports used by Proxmox VE

  • Web interface: 8006 (TCP, HTTP/1.1 over TLS) vmbr0
  • VNC Web console: 5900-5999 (TCP, WebSocket) vmbr0
  • SPICE proxy: 3128 (TCP) vmbr0
  • sshd (used for cluster actions): 22 (TCP) vmbr0
  • rpcbind: 111 (UDP) ???
  • sendmail: 25 (TCP, outgoing) Not blocking outbound
  • corosync cluster traffic: 5405-5412 UDP Cluster1 Cluster2
  • live migration (VM memory and local-disk data): 60000-60050 (TCP) Bond2

User post
  • 8007-8009: Proxmox VE cluster traffic Cluster1 Cluster2
 
OK, it looks like the issue was me not having a VMBR for the migration network. I created one on each host, reconfigured the firewall, and now it is working. Here is what I currently have. Cluster looks stable. Is there anything else I need to add? Want to make sure nothing else breaks, and I don't know about it.

Data Center Level
Firewall Enabled
vmbr2 (migration&replication) allow 22, 60000:60050
IPSet management

Host Level
Firewall Enabled no rules set

VM Level
Firewall off

I did an HA test by bringing down one host with one HA VM on it, and that worked successfully.
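
Added example, not part of the original posts and not Proxmox's own code: a small audit that parses firewall rules in `/etc/pve/firewall/cluster.fw` syntax and reports which ports from the list above have no explicit ACCEPT rule on the interface they are expected to use. The sample rule text is constructed from the description in the last post, the port-to-interface mapping is the poster's own assumption, and the names `parse_rules`, `audit` and `REQUIRED` are hypothetical.

```python
import re

# Constructed sample in cluster.fw syntax, modelled on the datacenter rule
# described in the last post (not the poster's actual file).
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -i vmbr2 -p tcp -dport 22,60000:60050
|IN ACCEPT -i vmbr0 -p tcp -dport 3128
"""

# Ports from the thread's list, on the interfaces the poster assumed.
REQUIRED = [
    ("ssh (cluster actions)", "vmbr2", "tcp", range(22, 23)),
    ("live migration", "vmbr2", "tcp", range(60000, 60051)),
    ("web interface", "vmbr0", "tcp", range(8006, 8007)),
]

def parse_rules(text):
    """Return enabled explicit IN ACCEPT rules as (iface, proto, [(lo, hi)])."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_rules = line.upper() == "[RULES]"
            continue
        # A leading '|' marks a disabled rule; macros like SSH(ACCEPT) are not modelled.
        if not in_rules or not line.startswith("IN ACCEPT"):
            continue
        opts = dict(re.findall(r"-(\w+)\s+(\S+)", line))
        spans = []
        for part in opts.get("dport", "0:65535").split(","):
            lo, _, hi = part.partition(":")
            spans.append((int(lo), int(hi or lo)))
        rules.append((opts.get("i"), opts.get("p"), spans))
    return rules

def audit(text, required=REQUIRED):
    """List (service, iface, missing_ports) not matched by any explicit rule."""
    rules, gaps = parse_rules(text), []
    for name, iface, proto, ports in required:
        missing = [p for p in ports
                   if not any(i in (None, iface) and pr in (None, proto)
                              and any(lo <= p <= hi for lo, hi in spans)
                              for i, pr, spans in rules)]
        if missing:
            gaps.append((name, iface, missing))
    return gaps
```

The audit covers explicit rules only; access granted through the `management` IPSet or the firewall's built-in default rules is not modelled, so the 8006 gap reported for the sample is expected when that access comes from the IPSet.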
 