[SOLVED] Firewall enable on different nodes's vms, one can ping, the other not, what's wrong?

H

harold

Member
May 28, 2019
4
0
21
33
Hi, I have configured firewall cluster-wide, those are my two security group:
1. vm-default: which is default for management network
2. mcsgw-sg: which is for public network

1693300518518.png1693300496420.png
on my two vms, the Firewall configurations are the same;
but I can ping one of the vm's public ip, the other cannot;
after I disable the firewall, I can ping the ip, so these's nothing wrong about my network.
vm firewall setting:
1693300784099.png

iptables-save:
Code: 
:tap109i0-IN - [0:0]
:tap109i0-OUT - [0:0]
:tap109i1-IN - [0:0]
:tap109i1-OUT - [0:0]
-A PVEFW-FWBR-IN -m physdev --physdev-out tap109i0 --physdev-is-bridged -j tap109i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap109i1 --physdev-is-bridged -j tap109i1-IN
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap109i0 --physdev-is-bridged -j tap109i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap109i1 --physdev-is-bridged -j tap109i1-OUT
-A tap109i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap109i0-IN -j GROUP-vm-default-IN
-A tap109i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap109i0-IN -j PVEFW-Drop
-A tap109i0-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":109:6:tap109i0-IN: policy DROP: "
-A tap109i0-IN -j DROP
-A tap109i0-IN -m comment --comment "PVESIG:e0a/GaEnf2jecKz4d1FKUbKBc7A"
-A tap109i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap109i0-OUT -m mac ! --mac-source fe:53:31:4a:46:88 -j DROP
-A tap109i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap109i0-OUT -j GROUP-vm-default-OUT
-A tap109i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap109i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap109i0-OUT -m comment --comment "PVESIG:bESsMtpDDlXYySYW2uXT0h2L6Es"
-A tap109i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap109i1-IN -j GROUP-mcsgw-sg-IN
-A tap109i1-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap109i1-IN -j PVEFW-Drop
-A tap109i1-IN -m limit --limit 1/sec -j NFLOG --nflog-prefix  ":109:6:tap109i1-IN: policy DROP: "
-A tap109i1-IN -j DROP
-A tap109i1-IN -m comment --comment "PVESIG:RZ3eT5sDHBPvEsuPcAIY0fBqjQ4"
-A tap109i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap109i1-OUT -m mac ! --mac-source 9e:4e:97:a4:c7:99 -j DROP
-A tap109i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap109i1-OUT -j GROUP-mcsgw-sg-OUT
-A tap109i1-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap109i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap109i1-OUT -m comment --comment "PVESIG:ldt/mi45eEYa0gBwSa89PIicEak"
 
on network device net1, I create a bridge: br0, which has different mac address, would this affect the firewall?
 
harold said:
on network device net1, I create a bridge: br0, which has different mac address, would this affect the firewall?
Click to expand...
I deleted this bridge br0, and set public ip on the net1 device, all firewall rules works fine!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back