Firewall Issues in 8.2.7?

lclements0
Recently upgraded a Proxmox Cluster to 8.2.7 and am seeing some odd behaviour with the firewall even if all traffic is allowed. When firewall is on, pings to the firewall'd VM stop responding after between 30 and 60 seconds. Disabling the firewall allows pings to flow again, as does a live migration to another host - though with the live migration the pings drop again 30-60 seconds after the migration is complete.

Is this a known issue with 8.2.7 from the no-subscription train? For clarity, running OpenvSwitch on this cluster as well.

Code:
proxmox-ve: 8.2.0 (running kernel: 6.8.12-2-pve)
pve-manager: 8.2.7 (running version: 8.2.7/3e0176e6bb2ade3b)
proxmox-kernel-helper: 8.1.0
pve-kernel-6.2: 8.0.5
proxmox-kernel-6.8: 6.8.12-2
proxmox-kernel-6.8.12-2-pve-signed: 6.8.12-2
proxmox-kernel-6.8.8-4-pve-signed: 6.8.8-4
proxmox-kernel-6.8.4-3-pve-signed: 6.8.4-3
proxmox-kernel-6.5.13-6-pve-signed: 6.5.13-6
proxmox-kernel-6.5: 6.5.13-6
proxmox-kernel-6.5.13-5-pve-signed: 6.5.13-5
proxmox-kernel-6.5.11-7-pve-signed: 6.5.11-7
proxmox-kernel-6.2.16-20-pve: 6.2.16-20
proxmox-kernel-6.2: 6.2.16-20
proxmox-kernel-6.2.16-15-pve: 6.2.16-15
pve-kernel-6.2.16-3-pve: 6.2.16-3
ceph: 18.2.4-pve3
ceph-fuse: 18.2.4-pve3
corosync: 3.1.7-pve3
criu: 3.17.1-2
frr-pythontools: 8.5.2-1+pve1
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx9
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-4
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.4
libpve-access-control: 8.1.4
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.7
libpve-cluster-perl: 8.0.7
libpve-common-perl: 8.2.3
libpve-guest-common-perl: 5.1.4
libpve-http-server-perl: 5.1.1
libpve-network-perl: 0.9.8
libpve-rs-perl: 0.8.10
libpve-storage-perl: 8.2.5
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.4.0-4
openvswitch-switch: 3.1.0-2+deb12u1
proxmox-backup-client: 3.2.7-1
proxmox-backup-file-restore: 3.2.7-1
proxmox-firewall: 0.5.0
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.2.3
proxmox-mini-journalreader: 1.4.0
proxmox-widget-toolkit: 4.2.3
pve-cluster: 8.0.7
pve-container: 5.2.0
pve-docs: 8.2.3
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.2
pve-firewall: 5.0.7
pve-firmware: 3.13-2
pve-ha-manager: 4.0.5
pve-i18n: 3.2.3
pve-qemu-kvm: 9.0.2-3
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.4
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.6-pve1
 
Can you post the output of the following commands:
Code:
cat /etc/network/interfaces
iptables-save

As well as the configuration of the VM:
Code:
qm config <vmid>

Can you also indicate from where (IP Address) you are trying to ping the VM?
 
Sure thing.

/etc/network/interfaces:

Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eno49np0
iface eno49np0 inet manual
        mtu 9216

iface eno1 inet manual

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

auto eno50np1
iface eno50np1 inet manual
        mtu 9216

auto vlan138
iface vlan138 inet static
        address X
        gateway X
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_mtu 9216
        ovs_options tag=138

iface vlan138 inet6 static
        address X
        gateway X

auto vlan137
iface vlan137 inet static
        address X
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_mtu 9216
        ovs_options tag=137

auto vlan139
iface vlan139 inet static
        address X
        ovs_type OVSIntPort
        ovs_bridge vmbr0
        ovs_mtu 9216
        ovs_options tag=139

auto bond0
iface bond0 inet manual
        bond-slaves eno49np0 eno50np1
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer3+4
        mtu 9216

auto vmbr0
iface vmbr0 inet manual
        ovs_type OVSBridge
        ovs_ports vlan138 vlan137 vlan139
        ovs_mtu 9216
        post-up ovs-vsctl add-port vmbr0 bond0

source /etc/network/interfaces.d/*

qm config:

Code:
agent: 1
bios: ovmf
boot: order=scsi0;ide2;net0
ciuser: root
cores: 4
cpu: host
efidisk0: POOL0:vm-100008-disk-0,efitype=4m,size=528K
hookscript: ISO:snippets/node_update_hook.pl
ide0: POOL0:vm-100008-cloudinit,media=cdrom,size=4M
ide2: none,media=cdrom
ipconfig0: ip=10.0.1.201/24,gw=10.0.1.1
machine: q35
memory: 16384
meta: creation-qemu=8.0.2,ctime=1697114569
name: test22
nameserver: 10.0.1.253 10.0.1.254
net0: virtio=BC:24:11:BF:41:A6,bridge=vmbr0,firewall=1,tag=2848
numa: 1
ostype: l26
scsi0: POOL0:vm-100008-disk-1,iothread=1,size=320G
scsihw: virtio-scsi-single
searchdomain: domain.com
smbios1: X
sockets: 1
sshkeys: X
vmgenid: 8a9b2739-1ad2-4efc-a396-ebdec2cd40a4


Pings are coming from 10.0.1.253 and 10.0.1.254, also a VM with tag 2848. 10.0.1.253 and 10.0.1.254 are VRRP routers, and provide an HA gateway 10.0.1.1, and pings from both the router and an internet based host via a dnat fail after the same period.

iptables-save coming in a separate post.
 
Code:
# Generated by iptables-save v1.8.9 on Thu Oct 10 12:30:44 2024
*raw
:PREROUTING ACCEPT [132072475:245391862579]
:OUTPUT ACCEPT [129063838:215113980053]
COMMIT
# Completed on Thu Oct 10 12:30:44 2024
# Generated by iptables-save v1.8.9 on Thu Oct 10 12:30:44 2024
*filter
:INPUT ACCEPT [529:31564]
:FORWARD ACCEPT [1574:127420]
:OUTPUT ACCEPT [1057:69212]
:GROUP-pveaccess-IN - [0:0]
:GROUP-pveaccess-OUT - [0:0]
:GROUP-pvemigrate-IN - [0:0]
:GROUP-pvemigrate-OUT - [0:0]
:GROUP-sg-fd21c743e8b1-IN - [0:0]
:GROUP-sg-fd21c743e8b1-OUT - [0:0]
:GROUP-ns_internal-IN - [0:0]
:GROUP-ns_internal-OUT - [0:0]
:GROUP-ns_outside-IN - [0:0]
:GROUP-ns_outside-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:tap100008i0-IN - [0:0]
:tap100008i0-OUT - [0:0]
:tap100011i0-IN - [0:0]
:tap100011i0-OUT - [0:0]
:tap5003i0-IN - [0:0]
:tap5003i0-OUT - [0:0]
:tap5003i1-IN - [0:0]
:tap5003i1-OUT - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-pveaccess-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-pveaccess-IN -s X -m set --match-set PVEFW-0-pve_az-v4 dst -g PVEFW-SET-ACCEPT-MARK
-A GROUP-pveaccess-IN -m set --match-set PVEFW-0-dmvpn_spokes-v4 src -m set --match-set PVEFW-0-pve_az-v4 dst -g PVEFW-SET-ACCEPT-MARK
-A GROUP-pveaccess-IN -m set --match-set PVEFW-0-pa_vpn-v4 src -m set --match-set PVEFW-0-pve_az-v4 dst -g PVEFW-SET-ACCEPT-MARK
-A GROUP-pveaccess-IN -m comment --comment "PVESIG:RbLV9ZF0U/NkZo8gigmlnSj+Ujg"
-A GROUP-pveaccess-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-pveaccess-OUT -m comment --comment "PVESIG:SK6m3N5KZoddTNXPCjWysGpu1Iw"
-A GROUP-pvemigrate-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-pvemigrate-IN -m set --match-set PVEFW-0-pve_az-v4 src -m set --match-set PVEFW-0-pve_az-v4 dst -g PVEFW-SET-ACCEPT-MARK
-A GROUP-pvemigrate-IN -m comment --comment "PVESIG:pYH37RT95ahpT93eTKEg60QDSTI"
-A GROUP-pvemigrate-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-pvemigrate-OUT -m set --match-set PVEFW-0-pve_az-v4 src -m set --match-set PVEFW-0-pve_az-v4 dst -g PVEFW-SET-ACCEPT-MARK
-A GROUP-pvemigrate-OUT -m comment --comment "PVESIG:bf1rrDkPJHK+eQnsh4Doeu1kBiY"
-A GROUP-sg-fd21c743e8b1-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-sg-fd21c743e8b1-IN -p tcp -m set --match-set PVEFW-0-ipl-6c8ad013-v4 src -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-sg-fd21c743e8b1-IN -p icmp -m set --match-set PVEFW-0-ipl-6c8ad013-v4 src -g PVEFW-SET-ACCEPT-MARK
-A GROUP-sg-fd21c743e8b1-IN -m comment --comment "PVESIG:dC0xzxgULYMYs5hIMGsQv7sr7Yg"
-A GROUP-sg-fd21c743e8b1-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-sg-fd21c743e8b1-OUT -m comment --comment "PVESIG:kpIFTk+dC6ghrmmQyXQWSloNnkk"
-A GROUP-ns_internal-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-ns_internal-IN -p icmp -m icmp --icmp-type 8 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-ns_internal-IN -p udp -m udp --dport 53 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-ns_internal-IN -p tcp -m tcp --dport 53 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-ns_internal-IN -p tcp -m tcp --dport 443 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-ns_internal-IN -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-ns_internal-IN -m comment --comment "PVESIG:7YfEXS1THNE+9l4UVkfSphSiFjQ"
-A GROUP-ns_internal-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-ns_internal-OUT -m comment --comment "PVESIG:+BxOgXyJVWtdPVgb0IHPMmz+zyE"
-A GROUP-ns_outside-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-ns_outside-IN -p udp -m udp --dport 53 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-ns_outside-IN -p tcp -m tcp --dport 53 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-ns_outside-IN -m comment --comment "PVESIG:kmcs+JMZNEkLh71w8IxYuUm7/zg"
-A GROUP-ns_outside-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-ns_outside-OUT -m comment --comment "PVESIG:15WzJv6Ld3C09MfpIUpha1LZspQ"
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m physdev --physdev-out tap100008i0 --physdev-is-bridged -j tap100008i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap100011i0 --physdev-is-bridged -j tap100011i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap5003i0 --physdev-is-bridged -j tap5003i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out tap5003i1 --physdev-is-bridged -j tap5003i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:toBkaJvBRJr7WF9Jxeqee8UAvTM"
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap100008i0 --physdev-is-bridged -j tap100008i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap100011i0 --physdev-is-bridged -j tap100011i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap5003i0 --physdev-is-bridged -j tap5003i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap5003i1 --physdev-is-bridged -j tap5003i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:mkBfxjBKbVLOur+qtzT49v+CUb4"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -i vlan139 -j GROUP-pvemigrate-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -i vlan138 -j GROUP-pveaccess-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -i vlan138 -j GROUP-pvemigrate-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -i vlan137 -j GROUP-pvemigrate-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:okYLgQP5LFG+UXEkQcXZYUuaRrc"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vlan139 -j GROUP-pvemigrate-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -o vlan138 -j GROUP-pveaccess-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -o vlan138 -j GROUP-pvemigrate-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -o vlan137 -j GROUP-pvemigrate-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -d X -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d X -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d X -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d X -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -s X -d X -p udp -m udp --dport 5404:5405 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:3RAWC5GicWOx89pCtNkL4emiq6s"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A tap100008i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap100008i0-IN -j GROUP-sg-fd21c743e8b1-IN
-A tap100008i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap100008i0-IN -j PVEFW-Drop
-A tap100008i0-IN -j DROP
-A tap100008i0-IN -m comment --comment "PVESIG:WFSVxHyyDIeeZ+Sw+AoO76WCCyE"
-A tap100008i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100008i0-OUT -m mac ! --mac-source bc:24:11:bf:41:a6 -j DROP
-A tap100008i0-OUT -m set ! --match-set PVEFW-6AA33807 src -j DROP
-A tap100008i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap100008i0-OUT -j GROUP-sg-fd21c743e8b1-OUT
-A tap100008i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap100008i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100008i0-OUT -m comment --comment "PVESIG:AL73G/v/VIUqFe8GINmlS+/vqaY"
-A tap100011i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap100011i0-IN -j GROUP-sg-fd21c743e8b1-IN
-A tap100011i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap100011i0-IN -j PVEFW-Drop
-A tap100011i0-IN -j DROP
-A tap100011i0-IN -m comment --comment "PVESIG:bmlThXbw4qJwlFnCRjcG88+f6pc"
-A tap100011i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap100011i0-OUT -m mac ! --mac-source bc:24:11:c4:0f:3c -j DROP
-A tap100011i0-OUT -m set ! --match-set PVEFW-56C4B4F9 src -j DROP
-A tap100011i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap100011i0-OUT -j GROUP-sg-fd21c743e8b1-OUT
-A tap100011i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap100011i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap100011i0-OUT -m comment --comment "PVESIG:I62ZDyEITADXyKxOF6dN5SV/SKA"
-A tap5003i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap5003i0-IN -j GROUP-ns_internal-IN
-A tap5003i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap5003i0-IN -j PVEFW-Drop
-A tap5003i0-IN -j DROP
-A tap5003i0-IN -m comment --comment "PVESIG:z0iviFLZzRpqPZ5dxzLTxBn2fnA"
-A tap5003i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap5003i0-OUT -m mac ! --mac-source bc:24:11:03:21:d3 -j DROP
-A tap5003i0-OUT -m set ! --match-set PVEFW-7CEB02C8 src -j DROP
-A tap5003i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap5003i0-OUT -j GROUP-ns_internal-OUT
-A tap5003i0-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap5003i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap5003i0-OUT -m comment --comment "PVESIG:fm6TZBOACi8EvyiBJHtDBKHWf3Y"
-A tap5003i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap5003i1-IN -j GROUP-ns_outside-IN
-A tap5003i1-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap5003i1-IN -j PVEFW-Drop
-A tap5003i1-IN -j DROP
-A tap5003i1-IN -m comment --comment "PVESIG:vTtVKJV5CgrIx3CNRJ4AQjzXjWA"
-A tap5003i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap5003i1-OUT -m mac ! --mac-source bc:24:11:4a:a7:9b -j DROP
-A tap5003i1-OUT -m set ! --match-set PVEFW-691AAB9D src -j DROP
-A tap5003i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap5003i1-OUT -j GROUP-ns_outside-OUT
-A tap5003i1-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A tap5003i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap5003i1-OUT -m comment --comment "PVESIG:YZh6merOuKom1d3KE7uMyBMNEiU"
COMMIT
# Completed on Thu Oct 10 12:30:44 2024
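Added example, not from this thread and not Proxmox's own code: a small Python evaluator that replays the tap100008i0-IN path of the dump above for a given packet, so you can see which rule makes the decision before changing anything on the live firewall. The RULES string is a trimmed subset constructed from the iptables-save output; the ipset membership in IPSETS is an assumption, since the thread never shows `ipset list`, and the packet dicts are constructed as well. The helper names (parse, hit, trace, decide) are mine. It models only what those chains use: -p, ports, --match-set, the 0x80000000 mark that PVEFW uses to carry an ACCEPT from a security-group chain back to the per-tap chain, and the difference between -j (returns to the caller) and -g (does not).

```python
"""Trace which PVEFW rule decides a packet entering a VM's tap interface (added example)."""
import shlex

# Constructed from the thread's iptables-save output, trimmed to the chains VM 100008 traverses.
RULES = """
-A GROUP-sg-fd21c743e8b1-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-sg-fd21c743e8b1-IN -p tcp -m set --match-set PVEFW-0-ipl-6c8ad013-v4 src -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-sg-fd21c743e8b1-IN -p icmp -m set --match-set PVEFW-0-ipl-6c8ad013-v4 src -g PVEFW-SET-ACCEPT-MARK
-A GROUP-sg-fd21c743e8b1-IN -m comment --comment "PVESIG:dC0xzxgULYMYs5hIMGsQv7sr7Yg"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A tap100008i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap100008i0-IN -j GROUP-sg-fd21c743e8b1-IN
-A tap100008i0-IN -m mark --mark 0x80000000/0x80000000 -j ACCEPT
-A tap100008i0-IN -j PVEFW-Drop
-A tap100008i0-IN -j DROP
"""

# ASSUMED ipset membership (the thread never shows it); paste the real `ipset list` output here.
IPSETS = {"PVEFW-0-ipl-6c8ad013-v4": {"10.0.1.253", "10.0.1.254"}}


def parse(text):
    """Map chain name -> list of (matches, target, is_goto) built from the '-A' lines."""
    chains = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A":
            continue
        rest, matches, target, goto, i = tok[2:], [], None, False, 0
        while i < len(rest):
            t, arg = rest[i], rest[i + 1] if i + 1 < len(rest) else None
            if t in ("-p", "--sport", "--dport", "--mark"):
                matches.append((t.lstrip("-"), arg))
            elif t == "--match-set":                 # ipset name plus the src/dst flag
                matches.append(("set", (arg, rest[i + 2])))
                i += 1
            elif t in ("-j", "-g"):
                target, goto = arg, t == "-g"
            elif t == "--set-xmark":                 # '-j MARK --set-xmark value/mask'
                target = ("MARK", arg)
            elif t not in ("-m", "--comment"):       # module selectors carry no match of their own
                raise ValueError(f"unsupported token {t!r} in: {line}")
            i += 2
        if target is not None:                       # comment-only rules (PVESIG) are no-ops
            chains.setdefault(tok[1], []).append((matches, target, goto))
    return chains


def _mark_parts(spec):
    value, _, mask = spec.partition("/")
    return int(value, 16), (int(mask, 16) if mask else 0xFFFFFFFF)


def hit(match, pkt):
    """Does one match clause apply to the packet dict?"""
    kind, arg = match
    if kind == "p":
        return pkt["proto"] == arg
    if kind in ("sport", "dport"):                   # single port or lo:hi range
        lo, _, hi = arg.partition(":")
        return kind in pkt and int(lo) <= pkt[kind] <= int(hi or lo)
    if kind == "set":
        name, flag = arg
        return pkt[flag] in IPSETS.get(name, set())
    value, mask = _mark_parts(arg)                   # kind == "mark"
    return (pkt["mark"] & mask) == (value & mask)


def trace(chains, start, pkt):
    """Walk the ruleset from `start`; return (verdict, [rules that fired, in order])."""
    pkt = {"mark": 0, **pkt}
    stack, path, chain, idx = [], [], start, 0        # stack: return points pushed by '-j chain'
    while True:
        rules = chains.get(chain, [])
        if idx >= len(rules):                         # end of a user chain: implicit RETURN
            target, goto = "RETURN", False
        elif all(hit(m, pkt) for m in rules[idx][0]):
            path.append(f"{chain}[{idx}]")
            target, goto = rules[idx][1:]
        else:
            idx += 1
            continue
        if isinstance(target, tuple):                 # MARK: clear the masked bits, XOR in the value
            value, mask = _mark_parts(target[1])
            pkt["mark"] = (pkt["mark"] & ~mask) ^ value
            idx += 1
        elif target in ("ACCEPT", "DROP"):
            return target, path
        elif target == "RETURN":
            if not stack:
                return "RETURN", path                 # back to the caller (PVEFW-FWBR-IN)
            chain, idx = stack.pop()
        else:                                         # user chain: '-j' pushes a return point, '-g' does not
            if not goto:
                stack.append((chain, idx + 1))
            chain, idx = target, 0


def decide(pkt, iface="tap100008i0"):
    """Verdict and rule path for a packet entering the VM through `iface` (the -IN direction)."""
    return trace(parse(RULES), f"{iface}-IN", pkt)
```

Call decide({"proto": "icmp", "src": "10.0.1.253", "dst": "10.0.1.201"}) and then the same packet from an address outside the set: the first ends at tap100008i0-IN[2] (ACCEPT via the mark set in PVEFW-SET-ACCEPT-MARK), the second falls through PVEFW-Drop to the final DROP in the tap chain. If a fresh packet traces to ACCEPT here but real pings still stop after a while, the static ruleset is not what is changing, which is why the `ipset list` contents and the journalctl output asked for above are the next things to compare.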
 
While I do not orient myself in custom PVE tables, I would suggest not to rely on pve-firewall and use e.g. a dedicated appliance:
https://bugzilla.proxmox.com/show_bug.cgi?id=5759

The other thing is:
When firewall is on, pings to the firewall'd VM stop responding after between 30 and 60 seconds. Disabling the firewall allows pings to flow again, as does a live migration to another host - though with the live migration the pings drop again 30-60 seconds after the migration is complete.

I would check journalctl if anything else happens there at the said moments. What is also bizarre is that it sounds like you have some inadvertent rule to drop ICMP, but it only kicks in 30+ seconds after start... If that was a rule you mean to have, how good that would be?
 
Hey @shanreich, just checking in to see if you had any thoughts here?
 
Does this also happen with another VM on the same node on the same bridge?
Can you send me the VM configuration of the Router VMs as well?
How does the IPset look that is referenced in the rules of the security group?

Some other things one can check:
What are the subnets of the VLAN interfaces? Are there any overlaps?
Have you checked for duplicate IPs in your network?
 