5 Node Cluster with Ceph, want to activate the Proxmox Firewall

Jan 10, 2023
We have a 5 Node Proxmox Cluster with Ceph and need the Proxmox Firewall. Is Ceph (and all its needed Services) affected by the Firewall, and do we therefore need to make exceptions for it?

We have four different networks: Ceph, Corosync, Cephpub and LAN
 
Yes. Create a new rule on the DC level to allow Ceph traffic before you enable the firewall. There is a Ceph Macro you can choose.
If you want to narrow it down further, you can specify the subnets used for the Ceph Public & Cluster network as the source and target networks.

Aliases can be useful so you only have to define them in one place.

If you access the cluster from a different subnet, add more rules to allow access from it on the ports needed, SSH, TCP 8006, ...

See https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pve_firewall_default_rules for the default rules automatically created.
 
If you have changed the migration or replication network (datacenter - options) you need to add a few more rules than the documentation shows.

Allow the following between hosts
TCP 60000:60050
SSH
PING
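
The rules described in both replies above, written out as a datacenter-level firewall file. This is an added example, not a configuration posted by anyone in the thread; every subnet and alias name in it is a constructed placeholder to be replaced with the networks actually in use.

```ini
# /etc/pve/firewall/cluster.fw (datacenter level)
# All subnets and alias names are constructed placeholders.

[OPTIONS]
# Keep the firewall off until the rules below are in place and checked.
enable: 0

[ALIASES]
ceph_public 10.10.10.0/24 # Ceph public network (assumed)
ceph_cluster 10.10.20.0/24 # Ceph cluster network (assumed)
migration_net 10.10.30.0/24 # migration/replication network (assumed)
admin_lan 192.168.50.0/24 # subnet the cluster is administered from (assumed)

[RULES]
# Ceph traffic via the built-in Ceph macro, limited to the Ceph subnets
IN Ceph(ACCEPT) -source ceph_public -dest ceph_public -log nolog
IN Ceph(ACCEPT) -source ceph_cluster -dest ceph_cluster -log nolog

# Management access from a different subnet: SSH and the web GUI
IN SSH(ACCEPT) -source admin_lan -log nolog
IN ACCEPT -source admin_lan -p tcp -dport 8006 -log nolog

# Host-to-host traffic on a non-default migration/replication network
IN ACCEPT -source migration_net -dest migration_net -p tcp -dport 60000:60050 -log nolog
IN SSH(ACCEPT) -source migration_net -dest migration_net -log nolog
IN Ping(ACCEPT) -source migration_net -dest migration_net -log nolog
```

Running `pve-firewall compile` on a node prints the ruleset that would be generated, which lets you confirm the Ceph and management rules are present before setting `enable: 1`.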