Hi everyone, I have recently created a cluster of 2 nodes that I use to host local media (jellyfin, kubernetes, open media vault and such). I have never used firewalls before and I thought that this might be the perfect opportunity to test it out. I have set up most of the firewall (basic HTTPS, SSH and similar rules) and I have left it overnight.
However, in the morning, I noticed that nothing works: I can't access anything, I can't ping anything. After some digging I found out that my VMs and containers can't get new IPs from the DHCP server. I realised that I had to allow inbound from those ports too (67 and 68) and I tried it again. Again, dhclient won't resolve, can't ping the gateway, but I noticed that the traffic is leaving the container (through verbose dhclient) and contacting the main node (pve1) through tcpdump.
The output, from container, looks like this:
Code:
root@wireguard:~# ifdown eth0 && ifup eth0
Killed old client process
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/bc:24:11:c4:bd:1e
Sending on LPF/eth0/bc:24:11:c4:bd:1e
Sending on Socket/fallback
DHCPRELEASE of 192.168.98.27 on eth0 to 192.168.98.1 port 67
send_packet: Network is unreachable
send_packet: please consult README file regarding broadcast address.
dhclient.c:3124: Failed to send 300 byte long packet over fallback interface.
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/eth0/bc:24:11:c4:bd:1e
Sending on LPF/eth0/bc:24:11:c4:bd:1e
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 15
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 17
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
No DHCPOFFERS received.
No working leases in persistent database - sleeping.
And tcpdump from the node (which has the network interface):
Code:
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:28:08.732842 veth101i0 B IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
00:28:14.034167 veth101i0 B IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
00:28:27.834191 veth101i0 B IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
I have tried everything that I found online: restart the interface, restart the container, ... And the only thing that worked eventually is restarting the node itself. Just to verify that I am not going insane, I did the same procedure:
- Ping the wireguard container (192.168.98.27)
- Observe the pings
- Turn on datacenter firewall
- Pings stop eventually
- Disable datacenter firewall
- Try to ping - fail
- Try to manually get the IP - fail
I can easily disable the firewall and move on with this, but I am really interested in what is going on here, why the restart fixes it, and what I need to do to restart the DHCP client without restarting the node (I am mostly away from the PC). Also I don't understand why disabling the firewall doesn't "undo" everything.
Any advice will be greatly appreciated.
Pve01/node/192.168.98.9 network:
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.98.9/24
        gateway 192.168.98.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

source /etc/network/interfaces.d/*
Container/wireguard/192.168.98.27 network (configured to listen to vmbr0):
Code:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
Best regards,
Almir
EDIT 1:
- Removing and adding the interface back doesn't work
- I have added a new container, same issue, same output in journalctl as the failed dhclient command
- sudo ifdown vmbr0 && sudo ifup vmbr0 on host doesn't work
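An added diagnostic (my own example, not the poster's code) that reads tcpdump -i any lines like the ones in the post and reports at which hop the DHCP exchange stops. It assumes such a capture shows a forwarded broadcast on every interface it crosses (the container's veth, then the bridge uplink eno1), so a request seen only on the veth was dropped by the host's bridge forwarding or firewall rather than ignored by the DHCP server; the "healthy" capture is constructed for comparison and the interface names are taken from the post.

```python
import re
from collections import Counter

# tcpdump "-i any" (LINUX_SLL2) line: time, interface, direction flag, src > dst, DHCP op
SLL2_DHCP = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>In|Out|B|P|M) IP "
    r"(?P<src>\S+) > (?P<dst>\S+): BOOTP/DHCP, (?P<op>Request|Reply)"
)

# The three lines from the post (tcpdump header lines are ignored by the parser).
PAGE_CAPTURE = """\
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
00:28:08.732842 veth101i0 B IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
00:28:14.034167 veth101i0 B IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
00:28:27.834191 veth101i0 B IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
"""

# Constructed sample of a working exchange on the same host: the broadcast is also
# seen leaving the uplink, and the server's reply comes back to the container.
HEALTHY_CAPTURE = """\
00:28:08.732842 veth101i0 B IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
00:28:08.732850 eno1 Out IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:c4:bd:1e, length 300
00:28:08.741103 eno1 In IP 192.168.98.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
00:28:08.741110 veth101i0 Out IP 192.168.98.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
"""

def parse_dhcp_lines(text):
    """Return (iface, direction, op) for every DHCP line; other lines are skipped."""
    return [(m["iface"], m["dir"], m["op"])
            for line in text.splitlines()
            if (m := SLL2_DHCP.match(line.strip()))]

def diagnose(records, guest_iface, uplink_ifaces):
    """Name the first hop at which the DHCP exchange stops.
    Assumption: a '-i any' capture shows a forwarded broadcast on every interface
    it traverses, so a request present on the veth but absent on the uplink was
    dropped by the host itself (bridge forwarding / firewall), not by the server.
    """
    seen = Counter((iface, op) for iface, _, op in records)
    if seen[(guest_iface, "Request")] == 0:
        return "no-request-from-guest"
    if not any(seen[(u, "Request")] for u in uplink_ifaces):
        return "dropped-at-bridge-forward"
    if not any(seen[(u, "Reply")] for u in uplink_ifaces):
        return "no-offer-from-server"
    if seen[(guest_iface, "Reply")] == 0:
        return "offer-not-delivered-to-guest"
    return "exchange-complete"
```

Run `diagnose(parse_dhcp_lines(PAGE_CAPTURE), "veth101i0", ["eno1"])` against a fresh capture taken with the firewall on and then off to see whether the drop point moves.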