On our proxmox we're doing a bit of async routing, problem is that with the datacenter firewall enabled, the traffic is blocked at the bridge, if disabled it works as it should.
Problem is that this seems to be the invalid rule in the forward chain.
Problem is, that is a default rule so we can't disable it..
Chain PVEFW-FORWARD (1 references)
pkts bytes target prot opt in out source destination
3481 434K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 PVEFW-FWBR-IN 0 -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
0 0 PVEFW-FWBR-OUT 0 -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
202K 11M 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
43 3296 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
How to disable such a rule? As now we need to have the dc firewall disabled which is not something I want..
Problem is that this seems to be the invalid rule in the forward chain.
Problem is, that is a default rule so we can't disable it..
Chain PVEFW-FORWARD (1 references)
pkts bytes target prot opt in out source destination
3481 434K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 PVEFW-FWBR-IN 0 -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
0 0 PVEFW-FWBR-OUT 0 -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
202K 11M 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
43 3296 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
How to disable such a rule? As now we need to have the dc firewall disabled which is not something I want..
Doesn't seem it removed the invalid rule looking at iptables -L, but it does allow the async routing to work.