[SOLVED] Firewall always blocks everything on LXC. IBM x3650 M2 w. onboard NIC


Dec 8, 2019

Brief description: LXC firewall always blocks everything (outgoing as well as incoming). No problems with VMs.

Hardware: IBM X3650 M2 w. onboard NIC
Proxmox version 6.1

Network configuration:
Bridge w. 1 onboard ethernet port.
Gateway is a run of the mill home router (Asus RT-N12D1)
One single /24 address range
Proxmox VE static ip
VMs and LXCs have either static ip or use DHCP
No internal firewalls on the VMs or LXCs

Installed on Debian Buster by following these instructions

systemctl status pve-firewall gives no error messages.

Every time I run pve-firewall compile it ends with

iptables table raw cmdlist:

ip6tables table raw cmdlist:
detected changes

Note "detected changes". Is this normal?

Any ideas? Help appreciated

Thanks to the Proxmox team for this wonderful piece of software!
To get help, please share your firewall config and container config.
Cluster firewall

enable: 1


reserved-private1 # IANA/IETF reserved address space
xclustnet # IP range of local network @ xclust
reserved-private2 # IANA/IETF reserved address space
vpndailin # IP range of vpn dail-in


IN SSH(ACCEPT) -log nolog

Host firewall

IN SSH(ACCEPT) -log nolog
IN ACCEPT -source -log nolog
IN REJECT -p tcp -dport 8006 -log nolog

Container firewall

enable: 1


IN SSH(ACCEPT) -log nolog

Container config
arch: amd64
cores: 1
hostname: test-lxc
memory: 512
net0: bridge=vmbr0,name=eth0,ip=,gw=,firewall=1
ostype: ubuntu
rootfs: local:105/vm-105-disk-0.raw,size=8G
swap: 512
unprivileged: 1

Thank you
After running apt upgrade and systemctl reload pve-firewall, the problem went away. I don't understand how the update might have helped, since pve-firewall was not among the packages being upgraded. Neither do I understand how systemctl reload might have helped, since complete reboots haven't helped in the past.

Anyway, problem solved!

Edit: Scratch that. It's back. Sorry for spamming
I noticed that the MAC address field in the "Network" tab of the CTs was empty ("auto"). After setting it, the firewall started working correctly.

Former bug? New CTs get a MAC address assigned if the field is left empty/"auto". Also, changing any other setting on the problematic NICs now gives them a MAC address.

Problem solved. Have a nice day
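
A check for the condition described in the last post, as an added example that is not part of the original thread: it lists container NICs that have firewall=1 but no MAC address set. It assumes the MAC is stored as hwaddr= in the netN line and that lines after a [name] section header are not the live config; the sample files and the function names check_ct_conf and write_samples are constructed here.

```shell
#!/bin/sh
# Added example: list container NICs with firewall=1 but no explicit MAC.
# Assumption: an assigned MAC appears as hwaddr=<MAC> inside the netN: line.

# check_ct_conf FILE... -> prints "<file>: <netN>" per hit, returns 1 on any hit
check_ct_conf() {
    awk '
        FNR == 1 { in_section = 0 }          # new file: back to the main section
        /^\[/    { in_section = 1 }          # assumption: "[name]" sections are not live config
        in_section { next }
        /^net[0-9]+:/ {
            nic = $0;  sub(/:.*/, "", nic)
            opts = $0; sub(/^net[0-9]+:[ \t]*/, "", opts); sub(/[ \t\r]+$/, "", opts)
            n = split(opts, kv, ",")
            fw = 0; mac = 0
            for (i = 1; i <= n; i++) {
                if (kv[i] == "firewall=1") fw = 1
                if (kv[i] ~ /^hwaddr=./)   mac = 1
            }
            if (fw && !mac) {
                f = FILENAME; sub(/.*\//, "", f)
                print f ": " nic
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# write_samples DIR -> two constructed configs modelled on the one in the thread
write_samples() {
    printf '%s\n' 'hostname: test-lxc' \
        'net0: bridge=vmbr0,name=eth0,ip=dhcp,firewall=1' > "$1/105.conf"
    printf '%s\n' 'hostname: other-lxc' \
        'net0: bridge=vmbr0,name=eth0,hwaddr=02:00:00:00:00:01,ip=dhcp,firewall=1' \
        > "$1/106.conf"
}

# Demo on the constructed files; prints "105.conf: net0"
tmp=$(mktemp -d)
write_samples "$tmp"
check_ct_conf "$tmp"/*.conf || echo "NICs above have firewall=1 but no hwaddr"
rm -rf "$tmp"
```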

