Help on Firewall configuration

jmsalomr

Jul 4, 2019
Hi,

I'm experiencing very weird behavior with the PVE firewall and the VMs' reachability to the Internet:

- If pve-firewall is disabled, both my LXCs and my VMs can reach the Internet.
- If I enable pve-firewall, all the LXCs and VMs suddenly lose their access to the Internet. They can only reach the gateway (10.0.0.1).
- If I disable pve-firewall again, the LXCs and VMs still can't reach the Internet. I have to reboot the host for them to get Internet access again.

I want to use pve-firewall, but I haven't found a way to.

My versions:

Code:
Debian GNU/Linux 9.9 (stretch)
pve-manager/5.4-10/9603c337 (running kernel: 4.15.18-17-pve)

My /etc/network/interfaces file:

Code:
auto lo
iface lo inet loopback

auto enp1s0f0
iface enp1s0f0 inet static
    address  163.172.x.x
    netmask  255.255.255.0
    gateway  163.172.x.x
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up echo 1 > /proc/sys/net/ipv4/conf/enp1s0f0/proxy_arp

iface enp1s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address  10.0.0.1
    netmask  255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o enp1s0f0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o enp1s0f0 -j MASQUERADE

    # these rules forward host port 8888 to port 8888 and host port 22000 to port 22 on the VM at IP 10.0.0.2

    post-up iptables -t nat -A PREROUTING -i enp1s0f0 -p tcp --dport 8888 -j DNAT --to 10.0.0.2:8888
    post-up iptables -t nat -A PREROUTING -i enp1s0f0 -p tcp --dport 22000 -j DNAT --to 10.0.0.2:22
    post-down iptables -t nat -D PREROUTING -i enp1s0f0 -p tcp --dport 8888 -j DNAT --to 10.0.0.2:8888
    post-down iptables -t nat -D PREROUTING -i enp1s0f0 -p tcp --dport 22000 -j DNAT --to 10.0.0.2:22

The network configuration of one of the LXCs:

Code:
IP address: 10.0.0.2
Netmask: 255.255.255.0
Gateway: 10.0.0.1

What am I doing wrong?

How could I solve the problem?

Best regards.
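A check that can be run on the host described above, added here as an example and not part of the thread: it assumes the interface names, addresses and port forwards from the interfaces file quoted in the post, and the dump with the MASQUERADE rule missing that it embeds is a constructed illustration of a state that would produce the "only the gateway is reachable" symptom, not a cause established in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: after toggling pve-firewall, confirm that the
# NAT rules and the ip_forward sysctl set by the post-up lines in /etc/network/interfaces
# are still in place. No arguments: inspect the live host (needs root).
# Two arguments DUMPFILE IP_FORWARD: check a saved `iptables-save -t nat` dump offline.

# The rules the thread's interfaces file adds, as iptables-save renders them
# (it expands --to into --to-destination and inserts "-m tcp").
EXPECTED_NAT='-A POSTROUTING -s 10.0.0.0/24 -o enp1s0f0 -j MASQUERADE
-A PREROUTING -i enp1s0f0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.0.2:8888
-A PREROUTING -i enp1s0f0 -p tcp -m tcp --dport 22000 -j DNAT --to-destination 10.0.0.2:22'

# check_nat DUMPFILE IP_FORWARD: print each missing piece; return 0 only when
# every expected rule is present and forwarding is on.
check_nat() {
    dump="$1" fwd="$2" missing=0
    if [ "$fwd" != "1" ]; then
        echo "net.ipv4.ip_forward is '$fwd', expected 1"; missing=$((missing + 1))
    fi
    while IFS= read -r rule; do
        if ! grep -qxF -- "$rule" "$dump"; then
            echo "missing nat rule: $rule"; missing=$((missing + 1))
        fi
    done <<EOF
$EXPECTED_NAT
EOF
    [ "$missing" -eq 0 ]
}

# Constructed dump (not captured from a real host) in which the MASQUERADE rule is
# gone: guests can still reach the gateway, but replies from the Internet never return.
sample_dump_missing_masquerade() {
    cat <<'EOF'
*nat
-A PREROUTING -i enp1s0f0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 10.0.0.2:8888
-A PREROUTING -i enp1s0f0 -p tcp -m tcp --dport 22000 -j DNAT --to-destination 10.0.0.2:22
COMMIT
EOF
}

tmp=$(mktemp)
if [ "$#" -eq 2 ]; then
    cp "$1" "$tmp"; forward="$2"
elif command -v iptables-save >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    iptables-save -t nat > "$tmp"; forward=$(cat /proc/sys/net/ipv4/ip_forward)
else
    sample_dump_missing_masquerade > "$tmp"; forward=1   # offline demo on the constructed dump
fi
if check_nat "$tmp" "$forward"; then echo "NAT and forwarding look intact"; fi
rm -f "$tmp"
```

Run it once before enabling the firewall and once after; a rule that disappears between the two runs is what to look for.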
 
What about your FW settings? Did you enable it on all needed levels?
 
What do you mean?

I have enabled it at Datacenter level, at Host level and at VM/Container level. I've tried different options, but no way. Every time I enable it at Datacenter level, I lose the connection at VM level, and I have to disable it and reboot the host to regain connectivity.

By the way, the OUTPUT policy is ACCEPT at all levels. The only one with DROP is INPUT.

I haven't found any way to modify FORWARD.
 
This sounds very much like the issue that I and another user have. It appears the firewall is broken in the latest versions, as it used to work fine for me.