IPSet not applying as expected / Alias alone working however


Aug 22, 2023
Hi everyone,

I am trying to grant access to the Proxmox node via SSH based on some ACCEPT firewall rules on the node level on this single host setup.

What already worked were the following two rules referencing previously defined Aliases:


Since this looked like a redundancy issue I will have with other interfaces as well (WebUI/API, PBS, ...), I wanted to go ahead and group those two aliases to a reusable IpSet on Datacenter level:


Subsequently I replaced the former two rules to allow SSH-access with a single rule referencing the IpSet:

The issue is that SSH access now no longer works from either of the two Aliases (one is a single host, the other a network segment).

Any idea what I am missing?
Am I misunderstanding the purpose or functionality of IpSets?

--- EDIT ---

Experimented a little bit more today: creating the IpSet based on plain CIDR notation instead of referencing Aliases works fine.
1. Not Working:

2. Working:

Can Aliases NOT be used to define an IpSet? Why is the UI prompting me to do so?

--- EDIT END ---

Attached the cluster.fw and host.fw contents:

root@pve-dev01:~# cat /etc/pve/firewall/cluster.fw

enable: 1


c4t-services # C4T-Services SSN network segment
tmussnadmin # JumpHost from R&S Networks to SSN

[IPSET developeraccess] # Host/Networks used for management purposes



IN ACCEPT -log nolog

root@pve-dev01:/etc/pve/nodes/pve-dev01# cat host.fw

enable: 1


IN SSH(ACCEPT) -source +dc/developeraccess -log nolog
IN ACCEPT -source dc/c4t-services -p tcp -dport 8006 -log nolog # Allow API/UI Proxmox Server from C4T-Services network
IN ACCEPT -source dc/tmussnadmin -p tcp -dport 8006 -log nolog # Allow API/UI Proxmox Server from TMUSSNADMIN
IN ACCEPT -source dc/c4t-services -p tcp -dport 8007 -log nolog # Allow API/UI Proxmox Backup Server from C4T-Services network
IN ACCEPT -source dc/tmussnadmin -p tcp -dport 8007 -log nolog # Allow API/UI Proxmox Backup Server from TMUSSNADMIN
IN DROP -log info
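
A cross-reference check for the kind of setup described in the post, as an added example that is not part of the original post and not Proxmox code: it reports IPSets with no entries, IPSet entries that are neither an address nor a defined alias, and rule references that resolve to nothing. It assumes the `[ALIASES]` and `[IPSET name]` section headers of the Proxmox firewall files and the `dc/name` and `+dc/name` reference forms seen in the post; the function names, the addresses and the two planted defects in the sample are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample: the post's names, placeholder addresses, two planted defects.
CLUSTER_FW = """[ALIASES]
c4t-services 192.0.2.0/24 # C4T-Services SSN network segment
tmussnadmin 198.51.100.10 # JumpHost
[IPSET developeraccess] # Host/Networks used for management purposes
dc/c4t-services
dc/tmusnadmin
"""
HOST_RULES = """IN SSH(ACCEPT) -source +dc/developeraccess -log nolog
IN ACCEPT -source dc/c4t-services -p tcp -dport 8006 -log nolog
IN ACCEPT -source +dc/webadmins -p tcp -dport 8007 -log nolog
"""

def bare(name):  # lower-case a reference, drop its '+' and 'dc/' markers
    return name.lower().lstrip("+").removeprefix("dc/")

def is_address(entry):
    try:
        return ipaddress.ip_network(entry, strict=False) is not None
    except ValueError:
        return False

def parse_sections(text):
    """Map each (KIND, name) header to the first token of its lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\s*(\S*)\]", line)
        if header:
            key = (header.group(1).upper(), bare(header.group(2)))
            current = sections.setdefault(key, [])
        elif line and current is not None:
            current.append(line.split()[0])
    return sections

def lint(cluster_text, host_rules):
    """List IPSet entries and rule references that resolve to nothing."""
    sections = parse_sections(cluster_text)
    aliases = {bare(a) for a in sections.get(("ALIASES", ""), [])}
    ipsets = {n: e for (kind, n), e in sections.items() if kind == "IPSET"}
    problems = [f"ipset {n}: empty" for n, e in ipsets.items() if not e]
    for name, entries in ipsets.items():
        bad = [e for e in entries if not is_address(e) and bare(e) not in aliases]
        problems += [f"ipset {name}: unknown alias {e}" for e in bad]
    for ref in re.findall(r"-(?:source|dest)\s+(\+\S+|dc/\S+)", host_rules):
        if bare(ref) not in (ipsets if ref[0] == "+" else aliases):
            problems.append(f"rule: unresolved reference {ref}")
    return problems
```

Calling `lint()` on the real contents of `/etc/pve/firewall/cluster.fw` and the node's `host.fw` returns an empty list when every reference resolves.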