I have a 3-node cluster set up in production. Recently we discovered a problem where fragmented UDP packets
were being dropped somewhere along the way from our VMs. Finally we tracked the culprit down, and it
was the fact that Proxmox had set
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
so our fragmented packets were being reconstructed by the firewall before leaving the host. /etc/sysctl.d/pve.conf
has both variables set to 0, so it seems that the fact that we turned on the firewall in Proxmox set both variables.
We only use the firewall to filter traffic to the Proxmox hosts themselves; we have external routers and firewalls and
firewalls running inside the VMs, so I've turned off the datacenter and per-VM firewalls but kept it on for the hosts.
If I set the tunables back to 0, will Proxmox reset them to 1 on the next reboot since we have the firewall enabled on
the hosts?
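
One way to see whether the running values drift from what /etc/sysctl.d/pve.conf declares, for example after a reboot or a firewall change. This is an added example, not part of the original post and not Proxmox code; the function names `check_drift` and `demo` and the optional `PROC_ROOT` argument are hypothetical, and the data in `demo` is constructed.

```shell
#!/bin/sh
# check_drift CONF [PROC_ROOT]
# Compares every net.bridge.bridge-nf-call-* key declared in CONF with the
# value the kernel currently exposes under PROC_ROOT (default /proc/sys).
# Prints OK / DRIFT / ABSENT per key and returns 1 if any key drifted.
check_drift() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        # sysctl keys map to /proc/sys paths with dots turned into slashes.
        file=$root/$(printf '%s' "$key" | tr '.' '/')
        if [ ! -r "$file" ]; then
            # The keys only exist while the br_netfilter module is loaded.
            echo "ABSENT $key"
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "DRIFT $key configured=$want runtime=$have"
            rc=1
        fi
    done <<EOF
$(sed -e 's/[#;].*//' -e 's/[[:space:]]//g' -e 's/^-//' "$conf" |
    grep '^net\.bridge\.bridge-nf-call-')
EOF
    return $rc
}

# demo: constructed data reproducing the situation in the post
# (file says 0, runtime says 1). Runs entirely in a temp directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/proc/net/bridge"
    for k in iptables ip6tables; do
        echo "net.bridge.bridge-nf-call-$k = 0" >> "$tmp/pve.conf"
        echo 1 > "$tmp/proc/net/bridge/bridge-nf-call-$k"
    done
    check_drift "$tmp/pve.conf" "$tmp/proc"
    drc=$?
    rm -rf "$tmp"
    return $drc
}

# Real use on a host: sh check.sh /etc/sysctl.d/pve.conf
if [ "$#" -gt 0 ]; then check_drift "$@"; fi
```

Running it once before and once after a reboot with the host firewall enabled shows whether the runtime values were changed away from the file.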