DHCP Blocked on VM by NIC Firewall

gilles-hl

New Member
Sep 2, 2025
Hello everyone,

I’m running into a serious issue with DHCP when using the Proxmox VE firewall. I want to summarize the problem here and hopefully get confirmation or solutions from the community.

Setup:
  • VM: Ubuntu 24.04
  • Proxmox VE: latest stable release
  • Network setup: bridged (vmbr0)
  • VM network device firewall: enabled
  • VM firewall: enabled (yes)
  • VM firewall options:
    • DHCP: yes
    • NDP: yes
    • Router Advertisement: yes
    • MAC filtering: no
    • IP filtering: no
    • Input policy: DROP
    • Output policy: ACCEPT

Observed behavior:
  • When the VM NIC firewall is enabled, the VM does not receive an IP address from the physical DHCP router.
  • When the NIC firewall is disabled, DHCP works perfectly.

What has been checked / attempted:
  • UDP ports 67 and 68 are allowed at all levels: Datacenter, Node, VM
  • Directions: all combinations of IN/OUT, all sources and destinations
  • Broadcast traffic should be passing
  • Logs show DHCP packets are not blocked by the host firewall, but they never reach the VM when the VM NIC firewall is enabled
  • Even when the firewall is set to IN ACCEPT ALL and OUT ACCEPT ALL, there is still no IP when the VM NIC firewall is enabled.

Observations from testing:
  • It appears that the Proxmox NIC firewall blocks DHCP broadcasts at a low level, even when the correct ports are open.
  • Even with all rules set to “ACCEPT”, DHCP fails.
  • DHCP works fully if the VM NIC firewall is off, despite the same rules being applied on Node and Datacenter levels.

Important notes:
  • I only want to enable the NIC firewall because, when it is enabled, you can view the firewall logs...
    And that's important for me; I like to monitor it.

Questions:
  • Has anyone experienced the same with Ubuntu VMs (or other VMs) and the Proxmox VM NIC firewall?
  • Are there any known workarounds to make DHCP work without fully disabling the NIC firewall?

I hope someone can confirm this behavior or provide a reliable workaround.
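Added example, not part of gilles-hl's post: a small shell triage for the per-VM firewall log the post wants to keep enabled. It assumes the /var/log/pve-firewall.log line layout `<vmid> <level> <chain> <timestamp> <tz> <verdict>: <nflog fields>`, with the VM's NIC chains named `tap<vmid>i<n>-IN` / `-OUT`, and it runs over constructed sample lines rather than a real capture.

```shell
#!/bin/sh
# Added example (not from the thread). Triage pve-firewall.log for DHCP traffic on
# one VM's NIC chains. Assumed line layout (my understanding of the log format):
#   <vmid> <level> <chain> <timestamp> <tz> <verdict>: <nflog fields ...>
# DHCP is UDP 67 (server) <-> 68 (client); a server reply arriving at the VM is
# SPT=67 DPT=68 on the VM's inbound chain tap<vmid>i<n>-IN.

# Constructed sample log, not real captured data: VM 100 sends a discover, the
# reply is dropped on its inbound chain; VM 101 only has an unrelated SSH drop.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
100 6 tap100i0-OUT 02/Sep/2025:14:03:12 +0200 ACCEPT: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=tap100i0 PHYSOUT=fwln100i0 SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=308
100 6 tap100i0-IN 02/Sep/2025:14:03:12 +0200 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=192.168.1.1 DST=255.255.255.255 PROTO=UDP SPT=67 DPT=68 LEN=328
101 6 tap101i0-IN 02/Sep/2025:14:03:15 +0200 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP SPT=51234 DPT=22
EOF

# Print only the DHCP (UDP 67/68) log lines for one VM, both chain directions.
dhcp_log_lines() {
    log=$1; vmid=$2
    awk -v vm="$vmid" '$1 == vm && / PROTO=UDP / && / (SPT|DPT)=6[78]( |$)/' "$log"
}

# Summarise what the NIC firewall logged for the VM's DHCP exchange. Prints:
#   OFFER_DROPPED  - the 67->68 server reply hit the VM's -IN chain and was dropped
#   OFFER_ACCEPTED - the reply was logged as accepted on the -IN chain
#   DISCOVER_ONLY  - client traffic logged, but no reply ever logged on -IN
#   NO_DHCP_SEEN   - no DHCP lines at all for this VM
dhcp_verdict() {
    log=$1; vmid=$2
    lines=$(dhcp_log_lines "$log" "$vmid")
    [ -n "$lines" ] || { echo NO_DHCP_SEEN; return; }
    if printf '%s\n' "$lines" | grep -q -- '-IN .*DROP.* SPT=67 DPT=68'; then
        echo OFFER_DROPPED
    elif printf '%s\n' "$lines" | grep -q -- '-IN .*ACCEPT.* SPT=67 DPT=68'; then
        echo OFFER_ACCEPTED
    else
        echo DISCOVER_ONLY
    fi
}

echo "VM 100: $(dhcp_verdict "$SAMPLE_LOG" 100)"
echo "VM 101: $(dhcp_verdict "$SAMPLE_LOG" 101)"
```

On a node, point the functions at the real file (`dhcp_verdict /var/log/pve-firewall.log 100`). OFFER_DROPPED means the VM's inbound chain saw the server's reply and a logged rule or policy dropped it, so a rule change on that chain is the right fix; DISCOVER_ONLY or NO_DHCP_SEEN means the reply never reached the logged part of the NIC chain at all, which matches what the post describes and explains why adding ACCEPT rules there changed nothing.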

Thanks for the replies.
It seemed to be a bug in the "old" pve firewall.
All the checkboxes for DHCP were checked.
Yet any broadcasting was still being blocked.
Manual firewall rules could not override this; allowing and forwarding didn't do anything.

The fix was, enabling the new nftables firewall.
And manually stopping and disabling the pve firewall.

I don't know why this issue isn't being reported more widely.
This wasn't a personal configuration error, since I installed the same Proxmox ISO (VE 9.0.5) on a new server.
This had the exact same problem.

So easy fix, if you know it.
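Added example, not from the follow-up post: the configuration shape described across the thread, written as constructed .fw files in a scratch directory with a small parser to check them. The paths mirror /etc/pve/firewall/cluster.fw, /etc/pve/firewall/<vmid>.fw and /etc/pve/nodes/<node>/host.fw; the `nftables: 1` host option and the `proxmox-firewall` / `pve-firewall` service names are my understanding of current PVE (assumptions, to be checked against the node's own documentation). Only the `--apply` branch touches a live system.

```shell
#!/bin/sh
# Added example (not the poster's files). Builds the .fw files the thread describes
# in a scratch directory and parses them. Layout mirrors /etc/pve (assumed paths:
# firewall/cluster.fw, firewall/<vmid>.fw, nodes/<node>/host.fw).
PVE=$(mktemp -d)
trap 'rm -rf "$PVE"' EXIT
mkdir -p "$PVE/firewall" "$PVE/nodes/pve"

# Datacenter level (constructed): firewall on, default policies as in the post.
cat >"$PVE/firewall/cluster.fw" <<'EOF'
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
EOF

# VM 100 (constructed): the options listed in the first post, plus logging and
# the kind of explicit DHCP rule the post says was tried.
cat >"$PVE/firewall/100.fw" <<'EOF'
[OPTIONS]
enable: 1
dhcp: 1
ndp: 1
radv: 1
macfilter: 0
ipfilter: 0
policy_in: DROP
policy_out: ACCEPT
log_level_in: info
log_level_out: info

[RULES]
IN ACCEPT -p udp -dport 67:68 -log info
EOF

# Node level (constructed), after the follow-up's fix: select the nftables backend.
# "nftables: 1" under [OPTIONS] of host.fw is assumed to be that switch.
cat >"$PVE/nodes/pve/host.fw" <<'EOF'
[OPTIONS]
enable: 1
nftables: 1
EOF

# Read one key from the [OPTIONS] section of a .fw file; prints nothing if unset.
fw_option() {
    awk -v key="$2" '
        /^\[/                      { in_opts = ($0 == "[OPTIONS]"); next }
        in_opts && $1 == (key ":") { print $2; exit }
    ' "$1"
}

# Which backend a node's host.fw selects: "nftables" or "iptables" (the default).
fw_backend() {
    if [ "$(fw_option "$1" nftables)" = 1 ]; then echo nftables; else echo iptables; fi
}

# Returns 0 when the VM's NIC firewall is enabled with the dhcp option on, else 1.
vm_dhcp_ready() {
    [ "$(fw_option "$1" enable)" = 1 ] && [ "$(fw_option "$1" dhcp)" = 1 ]
}

# The live part of the follow-up's fix: stop and disable the iptables-based
# pve-firewall service and run the nftables one instead (service names assumed).
# Only runs when invoked as: sh thisfile.sh --apply   (as root, on the node)
apply_switch() {
    systemctl disable --now pve-firewall
    systemctl enable --now proxmox-firewall
}

echo "VM 100 dhcp ready: $(vm_dhcp_ready "$PVE/firewall/100.fw" && echo yes || echo no)"
echo "node backend:      $(fw_backend "$PVE/nodes/pve/host.fw")"
if [ "${1:-}" = --apply ]; then apply_switch; fi
```

Run it without arguments to see the parsed state of the scratch files; against a real node, call `fw_backend /etc/pve/nodes/$(hostname)/host.fw` first so you know which backend is actually in charge before reading any NIC-level logs.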