Firewall on bridged network

[walter1958]

I have a proxmox 6 installation with 1 hardware network interface (eno1) and several ip addresses that are routed to vmbr(x).

auto eno1
iface eno1 inet static
address 1xx.2xx.1x.170
netmask 255.255.255.255
gateway 1xx.2xx.1x.129

auto vmbr0
iface vmbr0 inet static
address 1xx.2xx.1x.170
netmask 255.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
up ip route add 1xx.2xx.2xx.73/32 dev vmbr0

auto vmbr1
iface vmbr1 inet static
address 1xx.2xx.1x.170
netmask 255.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
up ip route add 1xx.2xx.2xx.73/32 dev vmbr1

Without activated firewall all works well.

Now I have a vm (100) with network device veth (id: net0, name: eth0, bridge: vmbr0, ip4: 1xx.2xx.2xx.73/32, gateway: 1xx.2xx.1x.129) and want to activate the firewall and accept only the following ports: ssh, http, https.

But if I activate the firewall (in the storage center, the node and an vm) all traffic is blocked. If I deactivate the firewall in the vm, all ports are open.

How to get the firewall work for this scenario?

 

[spirit]

I'm not sure with routed setup, but when you enable firewall, a new bridge is create "fwbr<vmid>i<int>".

(you can check with "brctl show")

maybe do you need to add the route to "dev fwbrXXX" directly.

 

[walter1958]

The output of "brctl show" is:

bridge name bridge id STP enabled interfaces
fwbr100i0 8000.4ecf3200c1bc no fwln100i0
vmbr0 8000.c64345cb2425 no fwpr105p0

Where do you mean to add the route? In the network interfaces?

 

[spirit]

yes,
up ip route add 1xx.2xx.2xx.73/32 dev fwbr100i0

 

[walter1958]

Unfortunately there's an error:
ifup: failed to bring up vmbr0
Failed to start Raise network interfaces.

If I make a reboot, the host is not reachable over network

 

[walter1958]

For all they have the same problem, I hope I solved the problem:
You have to set a "virtual" MAC address in the vm's network settings.