ARP resolution not working while using Firewall and OVS

maik83

Apr 16, 2021
PVE 7.1-10
Kernel: Linux 5.15.19-1-pve #1 SMP PVE 5.15.19-1

I have created two VMs (id 9000, IP 192.168.200.120 and id 9001, IP 192.168.200.121) with Ubuntu Linux 20.04 on a Proxmox 7.1-10 cluster.

Both VMs have Proxmox firewall settings enabled (see configuration below); the cluster also has firewall settings enabled (configuration also below).

If both VMs are running on a host which is using an OVS setup (OVS bridge), the VMs are only able to ping the gateway (192.168.200.1), but not able to ping each other (from 192.168.200.120 -> 192.168.200.121 or vice versa). The VMs are unable to resolve the MAC addresses. In arp -a only the gateway IP (192.168.200.1) has a MAC address listed.

If the VMs are offline-migrated to a host with a network configuration that does not use OVS, the VMs are able to ping each other, and everything works as expected.

If I remove the firewall=1 setting in the network card configuration of the VMs, the issue is also gone when the VMs are running on an OVS host. But then the firewall is of course completely disabled.



VM1 (9000):

9000.fw
#######################################################################
[OPTIONS]

dhcp: 0
policy_in: ACCEPT
policy_out: ACCEPT
macfilter: 1
enable: 1
ipfilter: 1

[IPSET ipfilter-net0] # Only allow specified IPs on net0

192.168.200.120 # Assigned
::1 # Interface with no v6 IPs


VM2 (9001):

9001.fw
#######################################################################
[OPTIONS]

policy_out: ACCEPT
enable: 1
macfilter: 1
ipfilter: 1
log_level_out: nolog
log_level_in: nolog
dhcp: 0
policy_in: ACCEPT

[IPSET ipfilter-net0] # Only allow specified IPs on net0
192.168.200.121 # Assigned
::1 # Interface with no v6 IPs


cluster.fw
#######################################################################
[OPTIONS]

enable: 1

[RULES]

IN Ping(ACCEPT) -log nolog
IN NeighborDiscovery(ACCEPT) -log nolog
IN ACCEPT -p ipv6-icmp -log nolog
IN Ping(ACCEPT) -log nolog
IN SSH(ACCEPT) -log nolog
IN HTTPS(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 60000:60050 -sport 60000:60050 -log nolog # Live Migration
IN Ceph(ACCEPT) -log nolog
OUT NeighborDiscovery(ACCEPT) -log nolog
OUT Ping(ACCEPT) -log nolog
OUT ACCEPT -p ipv6-icmp -log nolog


Any ideas what I need to do to get the firewall working with OVS?

Thanks & BR
Maik
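To reason about what the posted .fw files actually permit, it helps to read them programmatically rather than by eye. The following is an added example, not code from the post or from Proxmox: a small parser for the .fw file layout shown above ([OPTIONS] key/value pairs, [IPSET name] address lists, and [RULES] lines), plus a simplified ipfilter check. The check models only what the post's own comment states ("Only allow specified IPs on net0": a packet's source address must be in the ipfilter-net0 set when ipfilter is 1); it is an assumption for illustration and does not reproduce the real Proxmox firewall's ebtables/iptables behaviour or its MAC filtering. The sample file is constructed from the 9000.fw and cluster.fw contents in the post.

```python
import ipaddress
import re

# Constructed sample: the 9000.fw options and ipset from the post, plus a
# few rule lines in the cluster.fw style, combined into one file for parsing.
SAMPLE_FW = """\
[OPTIONS]

dhcp: 0
policy_in: ACCEPT
policy_out: ACCEPT
macfilter: 1
enable: 1
ipfilter: 1

[IPSET ipfilter-net0] # Only allow specified IPs on net0

192.168.200.120 # Assigned
::1 # Interface with no v6 IPs

[RULES]

IN Ping(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 60000:60050 -sport 60000:60050 -log nolog # Live Migration
OUT NeighborDiscovery(ACCEPT) -log nolog
"""

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")
MACRO_RE = re.compile(r"^(\w+)\((\w+)\)$")


def _strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_rule(line):
    """Turn 'IN Ping(ACCEPT) -log nolog' into a dict of its parts."""
    tokens = line.split()
    direction, target = tokens[0], tokens[1]
    opts = {}
    i = 2
    while i < len(tokens):
        # Options are '-name value' pairs; anything else is skipped.
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    m = MACRO_RE.match(target)
    macro, action = m.groups() if m else (None, target)
    return {"dir": direction, "macro": macro, "action": action, "opts": opts}


def parse_fw(text):
    """Parse .fw text into {'options': {...}, 'ipsets': {...}, 'rules': [...]}."""
    cfg = {"options": {}, "ipsets": {}, "rules": []}
    section, setname = None, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            setname = m.group(2)
            if section == "IPSET":
                cfg["ipsets"].setdefault(setname, [])
            continue
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            cfg["options"][key.strip()] = value.strip()
        elif section == "IPSET":
            # Entries may be single addresses or CIDR blocks.
            cfg["ipsets"][setname].append(ipaddress.ip_network(line, strict=False))
        elif section == "RULES":
            cfg["rules"].append(parse_rule(line))
    return cfg


def ipfilter_allows(cfg, iface, src_ip):
    """Simplified model (assumption): with ipfilter on, a source address
    must be in ipfilter-<iface>; with ipfilter off everything passes."""
    if cfg["options"].get("ipfilter") != "1":
        return True
    allowed = cfg["ipsets"].get(f"ipfilter-{iface}", [])
    addr = ipaddress.ip_address(src_ip)
    # Membership is False for a mismatched IP version, so ::1 never matches v4.
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    cfg = parse_fw(SAMPLE_FW)
    print("options:", cfg["options"])
    print("ipfilter-net0:", [str(n) for n in cfg["ipsets"]["ipfilter-net0"]])
    for rule in cfg["rules"]:
        print("rule:", rule)
    for ip in ("192.168.200.120", "192.168.200.121"):
        print(ip, "allowed as source on net0:", ipfilter_allows(cfg, "net0", ip))
```

Running it on the sample shows the point of the ipset: 192.168.200.120 is the only IPv4 source the 9000 guest may use on net0, so any frame with another source address (including a spoofed one) fails the filter; the real Proxmox implementation additionally enforces the MAC via macfilter, which this toy check does not model.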
