Firewall Rules don´t affect Vlans

reclaim

New Member
Aug 3, 2023
6
0
1
Hello, hopefully you can help me with this issue.

My Configuration:
Firewall on Datacenter, Node and VM are turned on. Input Policy = Deny.
I have a Linux Bridge with the Option "VLANS aware = yes"
On the VM I have configured the Network Device without a VLAN Tag.
The VM has the IP 10.10.1.2 on eth0.
Additionally I have configured a Interface eth0.10 (VLAN10) inside the VM with the IP 10.10.10.2.

Now I can´t Ping 10.10.1.2 (eth0), but i can ping 10.10.10.2 (eth0.10) from outside.
It´s seems like the Firewall in Proxmox does not effect to VLANs that are assigned in the VM itself.
If I delete the Interface eth0.10 and create a second Network device on the Proxmox GUI with VLAN Tag= 10 than the Firewall blocks the Ping on both interfaces as it should.

Is this a bug or do i miss something?
 
Not sure if I understand your question,
but 10.10.1.0 and 10.10.10.0 are different subnets.
They cannot communicate with each other (unless you create a route).

And when you omit a VLAN tag (leave it blank), it will default to VLAN1. So VLAN10 will not travel through that vm.
 
Thanks,
on my router exist both Networks. There is the Route.
From my tests, it looks like a port where the VLAN tag isn't specified is a trunk port. Vlan1 as untagged and the other Vlans tagged.
That's why the VM could also obtain an IP on eth0.10 via DHCP and could be pinged.

My question is why the firewall rules set in Proxmox are not applied to eth0.10.
 
I think that eth0.10 created in the vm is unknown/invisible to the firewall daemon.
But that's my theory, I can be completely wrong about this.
 
So it´s seems like.
I have created a couple screenshots, please take a look.
To be clear i can ping 10.10.1.5 when i create a accept rule in the Proxmox VM-Firewall.
 

Attachments

  • SCR-20230804-rjby.png
    SCR-20230804-rjby.png
    188.8 KB · Views: 8
  • SCR-20230804-rjdz.png
    SCR-20230804-rjdz.png
    202.7 KB · Views: 9
  • SCR-20230804-rjhk.png
    SCR-20230804-rjhk.png
    307.8 KB · Views: 8
  • SCR-20230804-rjpv.png
    SCR-20230804-rjpv.png
    439.2 KB · Views: 9
  • SCR-20230804-rjub.png
    SCR-20230804-rjub.png
    647.7 KB · Views: 9
  • SCR-20230804-rksa.png
    SCR-20230804-rksa.png
    297.1 KB · Views: 9
Again, I'm no network expert....but isn't it common practice to configure/add VLANs at the (network)switch level,
and not in a vm.....?
 
Of course, the untagged Vlans are set at switch level.
However tagged vlans must be setup on both sides to work. In Proxmox you could alternatively add a second NIC and enter the Vlan in the GUI.
 
Hello,

look at:

https://pve.proxmox.com/wiki/Firewall

It's written there:
---------------------------------------------------------------

Default firewall rules​

The following traffic is filtered by the default firewall configuration:

Datacenter incoming/outgoing DROP/REJECT​


If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:

...

traffic using the IGMP protocol

...
---------------------------------------------------------------

I think that's why you can ping to 10.10.10.254.

What is the IP address of the computer you are pinging from ?

Please show me the output of commands on this computer.

Code:
arp -a

ifconfig | grep "inet " | grep -v 127.0.0.1


Vlodek
 
Thanks,

? (10.6.10.1) at 74:ac:b9:5e:ff:53 on en0 ifscope [ethernet]
? (10.6.10.46) at (incomplete) on en0 ifscope [ethernet]
? (10.6.10.141) at a6:d2:d0:64:80:52 on en0 ifscope [ethernet]
? (10.6.10.185) at 50:de:6:74:1b:4a on en0 ifscope [ethernet]
? (10.6.10.241) at 24:e8:53:26:da:b4 on en0 ifscope [ethernet]
? (10.6.10.249) at 2a:9b:d6:e7:2f:7d on en0 ifscope [ethernet]
? (10.6.10.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (239.255.255.250) at 1:0:5e:7f:ff:fa on en0 ifscope permanent [ethernet]
broadcasthost (255.255.255.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]

inet 10.6.10.157 netmask 0xffffff00 broadcast 10.6.10.255

If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:

...

traffic using the IGMP protocol

...
---------------------------------------------------------------

I think that's why you can ping to 10.10.10.254.

I think this only apply on the Nodes/the VM-Hosts, not the VM itself.

I can ping 10.10.1.5 if i create a accept rule in the VM-Firewall.

Another Example:
When i create a Webserver on this VM, i can access the site "http://10.10.10.254" but I can´t access "http://10.10.1.5" until I make a firewall accept rule.
 
Hello

Can you ping from 10.6.10.157 to 10.10.1.5 if you turn off the firewall on VM-Firewall?

Can you draw a simple network diagram, where is the VM-Firewall, where is the debian VM with addresses 10.10.1.5 and 10.10.10.254?
What are the network settings on VM-Firewall and where is the host with address 10.6.10.157 you are pinging from?

Vlodek
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!