Help on Firewall configuration


New Member
Jul 4, 2019

I'm experiencing a very weird behavior with the PVE-Firewall and the VMs reachability to Internet:

- If pve-firewall is disabled, both my LXCs and my VMs can reach Internet.
- If I enable the pve-firewall, suddenly, all the LXCs and VMs lose its access to Internet. They just can reach the gateway (
- If I disable again the pve-firewall, the LXCs and VMs still don't reach Internet. I have to reboot the host to have them access again to Internet.

I want to use pve-firewall, but I haven't find the way to.

My versions:

Debian GNU/Linux 9.9 (stretch)
pve-manager/5.4-10/9603c337 (running kernel: 4.15.18-17-pve)

My /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto enp1s0f0
iface enp1s0f0 inet static
    address  163.172.x.x
    gateway  163.172.x.x
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up echo 1 > /proc/sys/net/ipv4/conf/enp1s0f0/proxy_arp

iface enp1s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up iptables -t nat -A POSTROUTING -s '' -o enp1s0f0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '' -o enp1s0f0 -j MASQUERADE

    #these rules forward traffic on port 8888 to port 8888 on the VM at IP

    post-up iptables -t nat -A PREROUTING -i enp1s0f0 -p tcp --dport 8888 -j DNAT --to
    post-up iptables -t nat -A PREROUTING -i enp1s0f0 -p tcp --dport 22000 -j DNAT --to
    post-down iptables -t nat -D PREROUTING -i enp1s0f0 -p tcp --dport 8888 -j DNAT --to
    post-down iptables -t nat -D PREROUTING -i enp1s0f0 -p tcp --dport 22000 -j DNAT --to

The network configuration of one of the LXCs:

IP address:

What I'm doing wrong?

How could I solve the problem?

Best regards.
What about your FW settings? Did you enable it on all needed levels?
What do you mean?

I have enabled it at Datacenter level, at Host level and at VM/Container level. I've tried different options, but no way. Every time I enable it at Datacenter level, I lose the connection at VM level. And I have to disable it and reboot the Host to gain again connectivity.

By the way. The OUTPUT policy is ACCEPT at all levels. The only one with DROP is INPUT.

I haven't found anyway to modify FORWARD.
This sounds very much like the issue I and another have. It appears the firewall is broken in the latest versions as it used to work fine for me.


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!