Firewall Issue with Windows Guest

bofh

Active Member
Nov 7, 2017
Weird issue.

Network config:

eth0 with public IP

vmbr0 with internal network for the VMs
NAT, outgoing traffic only

Firewall config: block all incoming except OpenVPN to the host


Now to the weird part.
If I activate the firewall on datacenter level and reboot a 2012R2 VM,
the VM detects a new network after every reboot no matter what.

Further, if I activate the firewall in the network card config of the VM, it also blocks all traffic regardless of which rules I set on which level.

Only when I deactivate the Proxmox firewall entirely does it return to normal (reboots won't create a new network in Windows).

I suspect this is caused by the guest isolation (as every guest gets its own virtual interface on the host, and maybe the MAC changes every time, which is what I suspect). However, this happens regardless of whether the VM firewall is set to active or not.

wolfgang

Proxmox Retired Staff
Retired Staff
Oct 1, 2014
> If I activate the firewall on datacenter level and reboot a 2012R2 VM,
> the VM detects a new network after every reboot no matter what.

Yes, this is normal because we use a separate firewall bridge.
This lets the Windows network detection algorithms believe a new network is there.

> Further, if I activate the firewall in the network card config of the VM, it also blocks all traffic regardless of which rules I set on which level.

This is also expected because NAT is configured on vmbr0 but the traffic comes from fwbr<vmid>i<portid>.
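A quick way to confirm on the host what the reply above describes is to look at which bridge each VM's tap device is actually enslaved to. The following script is an added example written for this thread, not code from the thread or from Proxmox VE: it parses `ip -o link show` output and reports, for every tap<vmid>i<port>, whether it sits on the real bridge (firewall off) or behind a firewall bridge fwbr<vmid>i<port> (firewall on). The sample output is constructed, and the assumption that the firewall bridge is patched into the real bridge through a veth pair named fwln<vmid>i<port>/fwpr<vmid>p<port> is the script's, not something stated in the thread.

```python
import re
from typing import Dict, Optional

# Constructed sample of `ip -o link show` on a Proxmox host (not captured from a
# real system, line layout simplified). VM 100 has the firewall enabled on its
# NIC, so tap100i0 hangs off fwbr100i0, which is patched into vmbr0 through the
# veth pair fwln100i0/fwpr100p0 (assumed naming). VM 101 has the firewall off and
# its tap101i0 sits on vmbr0 directly. eth0 carries the public IP and is not a
# bridge port, matching the setup described in the thread.
SAMPLE_IP_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
10: fwbr100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether 7a:10:00:00:01:00 brd ff:ff:ff:ff:ff:ff
11: fwpr100p0@fwln100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP mode DEFAULT group default qlen 1000 link/ether 7a:10:00:00:01:01 brd ff:ff:ff:ff:ff:ff
12: fwln100i0@fwpr100p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr100i0 state UP mode DEFAULT group default qlen 1000 link/ether 7a:10:00:00:01:02 brd ff:ff:ff:ff:ff:ff
13: tap100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master fwbr100i0 state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 5e:00:00:00:00:10 brd ff:ff:ff:ff:ff:ff
14: tap101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000 link/ether 5e:00:00:00:00:11 brd ff:ff:ff:ff:ff:ff
"""

# "<idx>: <name>[@peer]: <flags> <rest>" as printed by `ip -o link`
LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@[^:\s]+)?:\s+<[^>]*>(?P<rest>.*)$")
MASTER_RE = re.compile(r"\bmaster\s+(\S+)")
TAP_RE = re.compile(r"^tap(?P<vmid>\d+)i(?P<port>\d+)$")
FWBR_RE = re.compile(r"^fwbr(?P<vmid>\d+)i(?P<port>\d+)$")


def parse_masters(ip_link_output: str) -> Dict[str, Optional[str]]:
    """Map every interface name to the bridge it is enslaved to (None if standalone)."""
    masters: Dict[str, Optional[str]] = {}
    for line in ip_link_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        master = MASTER_RE.search(m.group("rest"))
        masters[m.group("name")] = master.group(1) if master else None
    return masters


def classify_vm_ports(ip_link_output: str) -> Dict[str, dict]:
    """For each tap<vmid>i<port>, say whether it sits behind a firewall bridge
    (fwbr<vmid>i<port>) and which real vmbr its traffic ultimately reaches."""
    masters = parse_masters(ip_link_output)
    report: Dict[str, dict] = {}
    for name, master in masters.items():
        tap = TAP_RE.match(name)
        if not tap:
            continue
        info = {"attached_to": master, "firewall_bridge": False, "uplink": master}
        if master and FWBR_RE.match(master):
            vmid, port = tap.group("vmid"), tap.group("port")
            info["firewall_bridge"] = True
            # Assumed naming: the firewall bridge reaches the real bridge through
            # the veth end fwpr<vmid>p<port>, whose master is that real bridge.
            info["uplink"] = masters.get(f"fwpr{vmid}p{port}")
        report[name] = info
    return report


if __name__ == "__main__":
    # On a real host: classify_vm_ports(subprocess.check_output(["ip", "-o", "link", "show"], text=True))
    for tap, info in sorted(classify_vm_ports(SAMPLE_IP_LINK).items()):
        where = "behind firewall bridge" if info["firewall_bridge"] else "directly on bridge"
        print(f"{tap}: {where} {info['attached_to']} (uplink {info['uplink']})")
```

A tap that reports `behind firewall bridge fwbr<vmid>i<port>` is the case the reply describes: the guest's frames enter the host on the firewall bridge rather than on vmbr0, so host-side rules written against vmbr0 alone will not see them the way they do for a tap attached to vmbr0 directly.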

bofh

Active Member
Nov 7, 2017
> Yes, this is normal because we use a separate firewall bridge.
> This lets the Windows network detection algorithms believe a new network is there.

Isn't there a way to have those pairs be persistent? I mean, that practically means the firewall option in Proxmox is useless for Windows guests.

> This is also expected because NAT is configured on vmbr0 but the traffic comes from fwbr<vmid>i<portid>.

Yea yea yea... I feared something like that.
So the firewall is also not usable with NAT then?
Besides, it would be nice to have NAT as a firewall option; then those things could be set up dynamically.

Thing is, IPv4 addresses are getting more valuable than ever, so using a NAT setup to distribute different ports to different VMs can actually preserve a lot of them.
While this is easy to do (I currently use Firewall Builder, but we could also use a routing instance like pfSense), it would be a bit more comforting with a built-in solution.

bofh

Active Member
Nov 7, 2017
Uhh, btw, it would be nice if that behaviour was documented in the firewall section.
I suspected that after seeing the new virtual bridges coming up... still wasn't sure because I could not find it in big red warning letters in the documentation :)

Also, in the networking section, a hint at the NAT section to not use it with the firewall, and vice versa :)

wolfgang

Proxmox Retired Staff
Retired Staff
Oct 1, 2014
> Thing is, IPv4 addresses are getting more valuable than ever, so using a NAT setup to distribute different ports to different VMs can actually preserve a lot of them.

NAT is not a security layer. For this reason, you have a firewall or use a reverse proxy.

> Uhh, btw, it would be nice if that behaviour was documented in the firewall section.

This is a behavior of Windows and not of Proxmox VE.

> Also, in the networking section, a hint at the NAT section to not use it with the firewall, and vice versa.

NAT is a nonstandard setup in Proxmox VE, commonly used by HomeLab users.
We can't document every eventual problem with nonmainstream configurations.
For this purpose, we have this forum here, where you get help as you need it.