DHCP and NDP options in VM firewall settings

K

klowet

Active Member
Jun 22, 2018
43
1
28
Hello

In the firewall options of a VM, there are the options 'DHCP' and 'NDP'. What do they do?
When eg. 'DHCP' is set to 'Yes', does the VM send out DHCP requests? Or does he instead replies to DHCP requests?

Thank you
 
klowet said:
Hello

In the firewall options of a VM, there are the options 'DHCP' and 'NDP'. What do they do?
When eg. 'DHCP' is set to 'Yes', does the VM send out DHCP requests? Or does he instead replies to DHCP requests?

Thank you
Click to expand...
HI,
with these checkboxes you can allow DHCP and NDP traffic for the VMs. The neccessary rules are then generated and applied if the firewall is active.
 
Hello

What traffic is allowed when these options are activated? Incoming or outgoing?
I don't see these rules in the firewall. Are they invisible applied in the background? If so, how can I view all firewall rules, also the invisible ones?

Another question regarding the firewall. When the firewall is activated on an interface, are the rules applied when the 'Firewall' option in 'Firewall > Options' is set to 'No'?

Same question for the logging. When a firewall rule has logging activated, is the log for that rule saved when eg. the 'log_level_in' option in 'Firewall > Options' is set to 'nolog'?

Thank you
 
Last edited:
klowet said:
Hello

What traffic is allowed when these options are activated? Incoming or outgoing?
I don't see these rules in the firewall. Are they invisible applied in the background? If so, how can I view all firewall rules, also the invisible ones?

Another question regarding the firewall. When the firewall is activated on an interface, are the rules applied when the 'Firewall' option in 'Firewall > Options' is set to 'No'?

Same question for the logging. When a firewall rule has logging activated, is the log for that rule saved when eg. the 'log_level_in' option in 'Firewall > Options' is set to 'nolog'?

Thank you
Click to expand...
You can see all the firewall rules by running iptables-save on the node. The rules are only applied if the firewall is enabled at datacenter level as well as for the VM and the corresponding NIC. Further, the log level defined for individual rules is independent of the log level set in Firewall->Options. For further details you might want to have a look at https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pve_firewall
Hope this helps!
 
For other people googling: The DHCP config flag does allow traffic for DHCP clients (so the VMs can request an IP, but cannot assign IPs to others).
Chris said:
You can see all the firewall rules by running iptables-save on the node.
Click to expand...
On our systems, Proxmox (7.4-3) adds following rules to the firewall with that flag enabled:
Code: 
-A tap120i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap120i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
 
Hello!
Is there a possibility to activate/deactivate the DHCP and NDP options via CLI?
 
Last edited:
  • Like
Reactions: ramsnerm
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom