IPSet not working for accepting cluster traffic


New Member
Jun 26, 2023

I noticed that in Proxmox 8.0.3 some functionality in cluster brokes after activating the firewall.
So I want to create an IPset `cluster-001` with `host-001`, `host-002`, `host-003` (all are alias for the cluster node ips).

When creating a rule `IN ACCEPT source +dc/cluster-001 destination +dc/cluster` and enabling it, the iptables rules won't generate.

If I create rules
`IN ACCEPT source host-001`
`IN ACCEPT source host-002`
`IN ACCEPT source host-003`

it works fine. But I don't want to make a rule for each host, I'd like to use a central edited IPSet as cluster nodes list.

How can I fix this?

Best regards,
are you seeing

value does not look like a valid IP address or CIDR network
no such alias 'xxx'

if you run pve-firewall status?

I've inserted a "die $cidr" on /usr/share/perl5/PVE/Firewall.pm:3008 and executed a "pve-firewall status" again, and it throws aliases to me. So somehow the alias resolving is *not* working.

By the way, "pve-firewall status" is nice, but if it throws errors, it would be very nice to know what the problem is, not only that there is a problem.

I think this is a major issue! Rules are not generating anymore.
Last edited:


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!