firewall enabled in datacenter prevent bridge VM comunication on the same node
- Thread starter floryn
- Start date
I don't know if anyone concerns about this problem anymore, but there was development. It seems that in our case the cause of the problem is our central router/firewall Cisco ASA 5520 with rather old software 8.2(2)-k8. If we replace ASA with Mikrotik, everything works fine when global firewall feature is enabled. But if global firewall feature in Proxmox is disabled, then again everything works fine with ASA.
So, conditions for the problem is this:
1. Communicating virtual machines must be on the same Proxmox node. If one of machines migrated to other node, all works fine.
2. Communicating virtual machines must be in different networks, routed through external router/firewall Cisco ASA 5520 (in our case). If Cisco ASA replaced with Mikrotik, all works fine.
It's unclear what causes the problem. If we permit all traffic on Cisco ASA, the problem remains. We cannot permanently replace Cisco ASA with something else, although soon we purchase newer Cisco ASA and then we will do some tests.
If anyone experiencing the same problem - what router/firewall you are using? Is it Cisco ASA or something else?
Update:
When global firewall feature is enabled it's possible to get rid of the problem by deleting one firewall rule on Proxmox node:
iptables -D PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
But default firewall rules is hardcoded, so it's not a solution. Also I believe these rules put there for good reason. So there must be something wrong with ASA, but what can it be?
So, conditions for the problem is this:
1. Communicating virtual machines must be on the same Proxmox node. If one of machines migrated to other node, all works fine.
2. Communicating virtual machines must be in different networks, routed through external router/firewall Cisco ASA 5520 (in our case). If Cisco ASA replaced with Mikrotik, all works fine.
It's unclear what causes the problem. If we permit all traffic on Cisco ASA, the problem remains. We cannot permanently replace Cisco ASA with something else, although soon we purchase newer Cisco ASA and then we will do some tests.
If anyone experiencing the same problem - what router/firewall you are using? Is it Cisco ASA or something else?
Update:
When global firewall feature is enabled it's possible to get rid of the problem by deleting one firewall rule on Proxmox node:
iptables -D PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
But default firewall rules is hardcoded, so it's not a solution. Also I believe these rules put there for good reason. So there must be something wrong with ASA, but what can it be?
Last edited:
The cause of the problem is TCP sequence randomization http://www.cisco.com/c/en/us/td/doc...figuration/guide/config/conns_connlimits.html
I've disabled it on Cisco ASA inside interface and now TCP sessions works with Proxmox firewall switched on.
I've disabled it on Cisco ASA inside interface and now TCP sessions works with Proxmox firewall switched on.
I know this thread is quite old, however I recently started using Proxmox and I'm having the exact same problem still (on PVE 6.1-3).
My setup is quite simple, I have only one node with currently two VMs, all of which are connected through one single bridged network interface and receive private IPs from my external (menaing it's a seperate device) Router/Modem.
MariaDB/MySQL Server VM: 192.168.1.3
Test-VM: 192.168.1.4
When the datacenter firewall is active traffic works as intended between physical devices (I can ping, ssh, etc. to/from my VMs from my seperate home computer), however my test-vm cannot connect to my database vm (I'm using
However once I disable the datacenter firewall, my test-vm suddenly manages to connect to my database vm with just one hop (as I imagine it's supposed to be).
If you need any additional config just tell me, any help is greatly appreciated.
My setup is quite simple, I have only one node with currently two VMs, all of which are connected through one single bridged network interface and receive private IPs from my external (menaing it's a seperate device) Router/Modem.
MariaDB/MySQL Server VM: 192.168.1.3
Test-VM: 192.168.1.4
When the datacenter firewall is active traffic works as intended between physical devices (I can ping, ssh, etc. to/from my VMs from my seperate home computer), however my test-vm cannot connect to my database vm (I'm using
traceroute -4 -T -p 3306 192.168.1.3 to check this and it prints a lot of asterisks) through TCP, UDP and ICMP work fine.However once I disable the datacenter firewall, my test-vm suddenly manages to connect to my database vm with just one hop (as I imagine it's supposed to be).
If you need any additional config just tell me, any help is greatly appreciated.
I think SOLVED this issue:
simply enable
in /etc/pve/nodes/<nodename>/host.fw
simply enable
Code:
nf_conntrack_allow_invalid: 1in /etc/pve/nodes/<nodename>/host.fw
Solved for me too, I was facing issues between vmbr0 and vmbr1 with assimetrical packets and setting this nf_conntrack_allow_invalid: 1 solved immediatly
Proxmox 6 latest version.