PVE 7.1-10
Kernel: Linux 5.15.19-1-pve #1 SMP PVE 5.15.19-1
I have created two VMs (id 9000, IP 192.168.200.120 and 9001, IP 192.168.200.121) with Ubuntu Linux 20.04 on a Proxmox 7.1-10 cluster.
Both VMs have Proxmox firewall settings enabled (see configuration below); the cluster also has firewall settings enabled (configuration also below).
If both VMs are running on a host which is using an OVS setup (OVS bridge), the VMs are only able to ping the gateway (192.168.200.1), but not able to ping each other (from 192.168.200.120->192.168.200.121 or vice versa). The VMs are unable to resolve the MAC addresses. In arp -a only the gateway IP (192.168.200.1) has a MAC address listed.
If the VMs are offline-migrated to a host whose network configuration does not use OVS, the VMs are able to ping each other, and everything works as expected.
If I remove the firewall=1 setting in the network card configuration of the VMs, the issue is also gone if the VMs are running on an OVS host. But then the firewall is of course completely disabled.
VM1 (9000):
9000.fw
#######################################################################
[OPTIONS]
dhcp: 0
policy_in: ACCEPT
policy_out: ACCEPT
macfilter: 1
enable: 1
ipfilter: 1
[IPSET ipfilter-net0] # Only allow specified IPs on net0
192.168.200.120 # Assigned
::1 # Interface with no v6 IPs
VM1 (9001):
9001.fw
#######################################################################
[OPTIONS]
policy_out: ACCEPT
enable: 1
macfilter: 1
ipfilter: 1
log_level_out: nolog
log_level_in: nolog
dhcp: 0
policy_in: ACCEPT
[IPSET ipfilter-net0] # Only allow specified IPs on net0
192.168.200.121 # Assigned
::1 # Interface with no v6 IPs
cluster.fw
#######################################################################
[OPTIONS]
enable: 1
[RULES]
IN Ping(ACCEPT) -log nolog
IN NeighborDiscovery(ACCEPT) -log nolog
IN ACCEPT -p ipv6-icmp -log nolog
IN Ping(ACCEPT) -log nolog
IN SSH(ACCEPT) -log nolog
IN HTTPS(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 60000:60050 -sport 60000:60050 -log nolog # Live Migration
IN Ceph(ACCEPT) -log nolog
OUT NeighborDiscovery(ACCEPT) -log nolog
OUT Ping(ACCEPT) -log nolog
OUT ACCEPT -p ipv6-icmp -log nolog
Any ideas what I need to do to get the Firewall working with OVS?
Thanks & BR
Maik
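As an added example (not from the post and not Proxmox's own code): a small Python audit script that parses the .fw file format shown above (OPTIONS, IPSET and RULES sections with trailing # comments) and checks that the ipfilter-net0 IPSET actually lists the address assigned to the interface, which is the first thing to verify when a VM with ipfilter enabled cannot reach its neighbours. The embedded sample is copied from 9000.fw above; the function names and the finding messages are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the 9000.fw file quoted in the post, not read from a live host.
VM_9000_FW = """
[OPTIONS]
dhcp: 0
policy_in: ACCEPT
policy_out: ACCEPT
macfilter: 1
enable: 1
ipfilter: 1
[IPSET ipfilter-net0] # Only allow specified IPs on net0
192.168.200.120 # Assigned
::1 # Interface with no v6 IPs
"""

def parse_fw(text):
    """Parse a Proxmox .fw file into OPTIONS (dict), IPSET (name -> entries) and RULES (list)."""
    cfg = {"OPTIONS": {}, "IPSET": defaultdict(list), "RULES": []}
    section = name = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)(?:\s+(\S+))?\]", line)
        if header:                                   # [OPTIONS], [RULES] or [IPSET <name>]
            section, name = header.group(1), header.group(2)
        elif section == "OPTIONS":
            key, _, val = line.partition(":")
            cfg["OPTIONS"][key.strip()] = val.strip()
        elif section == "IPSET":
            cfg["IPSET"][name].append(line)
        elif section == "RULES":
            cfg["RULES"].append(line)
    cfg["IPSET"] = dict(cfg["IPSET"])
    return cfg

def audit_ipfilter(text, iface, expected_ips):
    """Return findings for the ipfilter-<iface> set; an empty list means it matches the VM."""
    cfg = parse_fw(text)
    findings = []
    if cfg["OPTIONS"].get("enable") != "1":
        findings.append("VM firewall not enabled; ipfilter has no effect")
    if cfg["OPTIONS"].get("ipfilter") == "1":
        allowed = set(cfg["IPSET"].get(f"ipfilter-{iface}", []))
        if not allowed:
            findings.append(f"ipfilter is on but ipfilter-{iface} is empty: no configured address is allowed on {iface}")
        findings += [f"{ip} missing from ipfilter-{iface}" for ip in expected_ips if ip not in allowed]
    return findings

if __name__ == "__main__":
    print(audit_ipfilter(VM_9000_FW, "net0", ["192.168.200.120"]))   # []
```

Run it against each VM's /etc/pve/firewall/<vmid>.fw with the address the guest actually uses; a non-empty result explains dropped traffic before looking at OVS.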