DHCP Blocked by Server Firewall (DC is ok)

jamest65

Hi All,

I recently upgraded to 7.2-4. I suddenly started having issues with my DHCP server, and VMs and containers were not getting IP addresses. I installed dnsmasq on the host using vmbr0; for some bizarre reason the server firewall under the Data centre level blocks my DHCP server from giving out IP addresses.

Is there a change to 7.2-4 that changes where the DHCP server should reside? I can only get it to work when I disable the firewall at the server level. My setup worked fine under the previous release.

Any guidance or ideas appreciated.
 
Hi,

From which version did you upgrade? And what options are set in the firewall settings?
 
Hi, I upgraded from 7.1-2. The options I had previously are still in place for NAT out to the web. Previously the DHCP server would be picked up by VMs and containers. I have no firewall on VMs and containers locally, just at DC and server level.

I can see in my PVEFW iptables it is set to hard drop port 53; not sure if that is what is causing it? At DC/server levels I tried to put in an accept and it made no difference. I also have an alias for the local LAN clients.

Chain PVEFW-Drop (2 references)
target prot opt source destination
PVEFW-DropBroadcast all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,139,445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
all -- 0.0.0.0/0 0.0.0.0/0 /* PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8 */

Thanks for any assistance
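
Added example, not from any poster in this thread: a Python sketch that walks the PVEFW-Drop rules quoted above against a DHCPDISCOVER (UDP, source port 68, destination port 67) and against a DNS reply. It models only the protocol and port matches (every address in the listing is 0.0.0.0/0); jumps to other chains and other match types are reported as undecided. The names `in_spec`, `classify` and `walk` are hypothetical.

```python
import re

# UDP and protocol-"all" rules of PVEFW-Drop, copied from the listing in the post above.
LISTING = """\
PVEFW-DropBroadcast all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 135,445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:137 dpts:1024:65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1900
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
PORT = re.compile(r"\b([sd])pts?:(\d+)(?::(\d+))?")      # spt:53, dpts:137:139
MULTI = re.compile(r"\bmultiport ([sd])ports ([\d,:]+)")  # multiport dports 135,445

def in_spec(port, spec):
    """spec is a comma-separated list of ports or lo:hi ranges."""
    ranges = (item.partition(":") for item in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def classify(line, proto, sport, dport):
    """Return (target, True/False/None); None means this sketch cannot decide."""
    target, prot, _opt, _src, _dst, *rest = line.split()
    extra = " ".join(rest)
    if prot not in ("all", proto):
        return target, False
    ports = {"s": sport, "d": dport}
    tests = [(s, f"{lo}:{hi or lo}") for s, lo, hi in PORT.findall(extra)]
    tests += MULTI.findall(extra)
    if any(not in_spec(ports[s], spec) for s, spec in tests):
        return target, False
    leftover = [w for w in MULTI.sub("", PORT.sub("", extra)).split() if w != prot]
    if target not in TERMINAL or leftover:
        return target, None  # jump to another chain, or a match type not modelled
    return target, True

def walk(proto, sport, dport, listing=LISTING):
    """First rule that definitely matches, plus the rules left undecided before it."""
    undecided = []
    for line in listing.strip().splitlines():
        _target, hit = classify(line, proto, sport, dport)
        if hit:
            return line, undecided
        if hit is None:
            undecided.append(line)
    return None, undecided
```

`walk("udp", 68, 67)` finds no port rule that matches the DHCPDISCOVER: `udp spt:53` only matches traffic coming from port 53, such as `walk("udp", 53, 40000)`. Within this chain that leaves only the undecided entries, including the jump to PVEFW-DropBroadcast, whose rules are not shown in the post.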
 
Hi,

I tried this now with 7.0-11, 7.1-7 and 7.2-4. In all cases, if I activate the firewall while having the dnsmasq DHCP server running on my Proxmox host, I don't get a DHCP assignment in the VM on all three versions. You can just add a rule to the firewall for the local node to accept the DHCP broadcast traffic.

 
Thanks, that worked for me... I realised I did migrate from 6.4-14.
 
Weirdly enough, I'm having this same problem (DHCP blocked by firewall) with simple SDN networks when using Proxmox 8.2.x.

The VM I was testing it on already has the "DHCP" option enabled, which is apparently supposed to allow DHCP traffic for picking up an initial address. But it clearly doesn't. :mad:

The above firewall rule shown by @shrdlicka allows the VM to pick up a DHCP address, and a similar rule for DNS allows DNS requests to the gateway (i.e. dnsmasq) to work as well.

That was a real pain to get working. :eek:



In my case, instead of adding a rule to the local node I've instead added the same rule at the datacenter level, but with the network set to the simple SDN network the test VM is running in.
 