[SOLVED] Cisco C220 M4 - VIC 1227 Network issues in Proxmox

promo2100 (Member) · Feb 23, 2022
Wanted to share this in case others are encountering similar issues.

When trying to use Proxmox on a C220 M4 with a VIC 1227 network card, it would typically work fine while in single-host mode. Once I joined it with my existing Proxmox cluster, the network would no longer work within the VMs on this host. The host network was working fine, but the VM could no longer get any TCP-related packets through. The VM could ping other hosts, but could never access them using TCP packets.

I traced this down to the fact that the cluster had the firewall enabled in Proxmox. If I disabled this cluster-wide firewall setting, the VMs on the C220 host worked again. Another option was to create a virtual NIC on the VIC1227 card, and use PCI passthrough in Proxmox to give the VM direct access to this virtualized NIC, which circumvented the firewall.

Neither of these options was acceptable, as I want to enforce firewall rules on my VMs.

I thought about what this Cisco VIC network card is - it is a network virtualization card. Plain and simple, you cannot use it directly as a straight-up network device. By default it will create two virtual NIC devices (eth0 and eth1) that map directly to the two physical ports on the card. The virtual NIC devices will never use the same MAC address as the physical ports; they are entirely virtual.

With that in mind, I started to think about how they would accomplish this, including how they allow you to create hundreds of virtual NICs on this one card if you actually wanted to. VLANs are my best guess for how they achieve this. My guess is the card's firmware is doing some internal magic to manage these virtual NICs by using VLAN tags on the packets as they are managed internally by the VIC card.

So is there anything in Proxmox that might block VLAN tags - yup! Under the host's network section, Linux Bridge devices have a setting to make them VLAN Aware. This is disabled by default. Once I enabled VLAN aware on the bridge devices, everything worked again. So far I haven't found any issues or limitations now that Proxmox is supportive of the VLAN tags on packets.

My best guess here is that something related to how Proxmox enables the firewall blocks the VLAN-tagged packets unless you specifically tell it not to by marking your bridge devices as VLAN aware. When the cluster firewall is disabled, there is nothing to block any packets, so these VLAN-tagged packets can flow without obstruction.

So in short, if you are using a Cisco VIC device for your network and you wish to enable the firewall, you'll have to check the box for VLAN aware on your network devices for this host to allow TCP packets to make it through.
 
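The "VLAN aware" checkbox in the GUI writes `bridge-vlan-aware yes` (plus `bridge-vids 2-4094`) into the bridge stanza of `/etc/network/interfaces`. The script below is an added example, not part of promo2100's post and not Proxmox's own tooling: it audits an ifupdown2-style interfaces file for Linux bridges that are missing that setting, prints a corrected stanza set, and shows the kernel-side check (`/sys/class/net/<bridge>/bridge/vlan_filtering`, which reads `1` once VLAN filtering is on). The interface names, addresses and the sample file are constructed so it runs offline; on a real host point it at `/etc/network/interfaces` instead.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find Proxmox Linux bridges that are
# not VLAN aware and emit the corrected config. Assumes ifupdown2-style stanzas
# as written by the Proxmox GUI ("bridge-ports", "bridge-vlan-aware", ...).
set -eu

# Print the names of bridges (stanzas with a bridge-ports line) that have no
# "bridge-vlan-aware yes" line. Arg 1: path to an interfaces file.
bridges_missing_vlan_aware() {
    awk '
        /^[[:space:]]*iface[[:space:]]/ {
            if (name != "" && isbr && !aware) print name
            name = $2; isbr = 0; aware = 0
        }
        /^[[:space:]]*bridge[-_]ports[[:space:]]/ { isbr = 1 }
        /^[[:space:]]*bridge[-_]vlan[-_]aware[[:space:]]+yes/ { aware = 1 }
        END { if (name != "" && isbr && !aware) print name }
    ' "$1"
}

# Print the file with "bridge-vlan-aware yes" and "bridge-vids 2-4094" (the
# values the Proxmox GUI writes) inserted after the bridge-ports line of the
# named bridge. Arg 1: interfaces file, arg 2: bridge name (e.g. vmbr0).
fix_bridge_vlan_aware() {
    awk -v br="$2" '
        /^[[:space:]]*iface[[:space:]]/ { cur = $2 }
        { print }
        cur == br && /^[[:space:]]*bridge[-_]ports[[:space:]]/ {
            match($0, /^[[:space:]]*/); ind = substr($0, 1, RLENGTH)
            print ind "bridge-vlan-aware yes"
            print ind "bridge-vids 2-4094"
        }
    ' "$1"
}

# Live kernel state on a host: 1 = VLAN filtering on (VLAN aware), 0 = off.
# Prints "unknown" when the bridge does not exist, e.g. when run off-host.
live_vlan_aware_state() {
    local f="/sys/class/net/$1/bridge/vlan_filtering"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Constructed sample config: vmbr0 is NOT VLAN aware, vmbr1 is.
# Addresses are documentation-range placeholders, not real hosts.
make_sample_config() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.0.2.10/24
        gateway 192.0.2.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
EOF
    echo "$f"
}

# Demo against the sample (use /etc/network/interfaces on a Proxmox host).
sample=$(make_sample_config)
echo "Bridges that are not VLAN aware:"
bridges_missing_vlan_aware "$sample"
echo "--- corrected config with vmbr0 made VLAN aware ---"
fix_bridge_vlan_aware "$sample" vmbr0
echo "live state of vmbr0: $(live_vlan_aware_state vmbr0)"
```

After applying the corrected stanza to `/etc/network/interfaces` on the host, `ifreload -a` (ifupdown2) applies it without a reboot, and `/sys/class/net/vmbr0/bridge/vlan_filtering` should then read `1`.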
