Search results

  1. 4

    IPv6 traffic between containers on a Linux bridge (vmbr0.123)

    Proxmox Virtual Environment 9.0.11 On a Proxmox server, four hosts are configured; all have a bridge on vmbr0.123 (i.e. VLAN 123) VM1 fd46:2ce5:5d43::1/48 192.168.1.1/24 VM2 fd46:2ce5:5d43::2/48 192.168.1.2/24 Container CT1...
  2. 4

    IPv6 Firewalling in PVE

    Yes I will, but I think weekend is more realistic.
  3. 4

    IPv6 Firewalling in PVE

    That's due to anonymizing. But I really got one (the same network) in BOTH IP sets overlapping - so, I'll change that and try again.
  4. 4

    IPv6 Firewalling in PVE

    I just checked, but for each ipset there are no overlaps. The first IPSet (IPv6 trusted) and the second IPSet (Trusted) indeed have two overlapped ranges. Cheers,
  5. 4

    IPv6 Firewalling in PVE

    Hi again, after winding back to iptables at least the host ipv6 net is firewalled again. But what I just reckoned, that is not correct: In the web interface input and forward is default drop, and with an ip(6)tables-save it is both set to ACCEPT.... that is not right:
  6. 4

    IPv6 Firewalling in PVE

    for now it might be best to revert to the old firewall. that's what I thought as well :-) Thank you for your help. Cheers, 4920441
  7. 4

    IPv6 Firewalling in PVE

    cat /etc/pve/firewall/cluster.fw [OPTIONS] enable: 1 policy_forward: DROP policy_in: DROP [IPSET internal-pub-ipv6] 2000:000:000:3f8b::/64 # host ipv6 hetzner 2000:000:000:e700::/56 # routed ipv6 [IPSET trusted-ips] 111.243.25.152/29 122.76.244.88/29 133.251.176.35 172.31.254.0/24...
  8. 4

    IPv6 Firewalling in PVE

    No, it does not work after the reboot... even worse: the firewalled /64 network is now also wide despite exactly the same rules as with iptables, all set up by the GUI. My nft script did not run yet and is not merged yet after the reboot. cat /etc/pve/firewall/cluster.fw | grep -i forward...
  9. 4

    IPv6 Firewalling in PVE

    Since nft is now installed, I added my nft script to it, and it works fine so far. Everything which is not explicitly allowed gets blocked, also to the routed networks. Since the nft scripts are much more readable than the old iptables-save thingies, I think this addon could survive the daily...
  10. 4

    IPv6 Firewalling in PVE

    ok... so simply ticking the "nftables tech preview" does not do the trick alone.... Despite nftable rules are loaded, they are nothing like in the gui - do I have to convert the gui rules to nft somehow? In the datacenter firewall it says: Forward rules only take effect when the nftables...
  11. 4

    IPv6 Firewalling in PVE

    pveversion -v proxmox-ve: 9.0.0 (running kernel: 6.14.8-2-pve) pve-manager: 9.0.3 (running version: 9.0.3/025864202ebb6109) proxmox-kernel-helper: 9.0.3 proxmox-kernel-6.14.8-2-pve-signed: 6.14.8-2 proxmox-kernel-6.14: 6.14.8-2 proxmox-kernel-6.8.12-13-pve-signed: 6.8.12-13 proxmox-kernel-6.8...
  12. 4

    IPv6 Firewalling in PVE

    I think you meant status pve-firewall? systemctl status pve-firewall ● pve-firewall.service - Proxmox VE firewall Loaded: loaded (/usr/lib/systemd/system/pve-firewall.service; enabled; preset: enabled) Active: active (running) since Fri 2025-08-08 18:37:08 CEST; 1h 51min ago...
  13. 4

    IPv6 Firewalling in PVE

    systemctl status proxmox-firewall Unit proxmox-firewall.service could not be found. That's kinda odd, isn't it? cat /etc/pve/firewall/cluster.fw .... FORWARD DROP -dest 2000:000:231:0700::/56 -log info # Drop-Incoming foobarbla :/56 ... there is my forward drop cat...
  14. 4

    IPv6 Firewalling in PVE

    I am pretty sure I made in the datacenter firewall a rule for the forwarding table which drops all which was not allowed before. The funny thing is, I enabled nft but even after a reboot no nft ruleset is there? Is there something else to enable on the proxmox side? Even on the ip6tables...
  15. 4

    IPv6 Firewalling in PVE

    Yes, correctly. I am using the proxmox host itself as a router with very easy rules. The /64 network which is (only) directly on the proxmox host itself, works with firewalling. If I allow a source ip it gets a connection, if I deny it (by not allowing it) packets get dropped. The routed /48...
  16. 4

    IPv6 Firewalling in PVE

    I just enabled it (I think it's enough to do this on the PVE Host itself and then it's 'activated'?) Do I have to use the /etc/nft config or do you think it could work out of the web interface with "technology preview nft"? I just tried it out: makes no difference if nftables is activated or not...
  17. 4

    IPv6 Firewalling in PVE

    Hi, that makes sense. But what is meant with "forward" when the rule is configured? Only the local forward table? Can I use nftables and iptables in parallel on proxmox? Because, some features (like masquerading with dynamic IP addresses) are still not really implemented in nftables...
  18. 4

    IPv6 Firewalling in PVE

    Hi, I just set up another PVE with IPv6 routing and (simple, port-based) firewalling on the PVE host itself. IPv4 works as expected, IPv6 not so much.... Despite having the same setup in IPv6 as in IPv4, the IPv6 firewalling does not work - everything goes through the fw and not even a log...
  19. 4

    How to remove subscription widget ?

    this is no news at all.... don't feel special about it. it is only very inappropriate to post something like this in the Proxmox forum directly and - what's even worse - be proud of it..... Remember: EVERYTHING IS OPEN SOURCE, so any idiot can patch that out if he wants to - so, don't feel too...
  20. 4

    SR-IOV with Intel X520 82599ES Card and i3-6100TE

    Hi, I talked to some colleagues who had the same task as a POC but with newer NICs from Mellanox (100G) and they said to me, it is not really worth the effort if you don't need several 100 Gig throughput on modern Epyc hardware. The issues and potential problem - especially across a...