Networking issue that maybe is caused by Proxmox VE firewall

Hanry

Nov 19, 2021
Hi, I've been dealing for too many days with an odd issue in my homelab Proxmox VE standalone node setup. I have a K3s Kubernetes cluster running in three VMs which runs fine but, for some reason, the Proxmox firewall drops the packets that go towards any of these nodes during undetermined periods of time. To illustrate this issue better, let me give you a couple of examples.

  • Let's say I have two apps running on my Kubernetes cluster, a Traefik Dashboard and a Nextcloud instance. Sometimes I'll be able to access the Traefik Dashboard but not Nextcloud, other times the opposite will happen, and at other times I won't be able to access any of them at all.
  • Usually I can open a shell through SSH to my VMs or even my Proxmox VE system, but it has also happened that I've been unable to connect to some of them.

What fails the most is the access to the services I expose on my Kubernetes cluster, maybe something to do with the virtual network interfaces (veth) that are recreated each time a pod is created in the cluster.

In all these cases I've seen reported DROP warnings in the Proxmox VE firewall logs like the following:

0 6 PVEFW-HOST-IN 01/Nov/2021:13:33:16 +0100 policy DROP: IN=pve_inband MAC=a3:0e:ec:6f:c8:23:64:5d:86:5a:1c:cf:08:00 SRC=192.168.0.2 DST=192.168.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=47464 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11

311 6 tap311i1-IN 01/Nov/2021:13:33:45 +0100 policy DROP: IN=fwbr311i1 OUT=fwbr311i1 PHYSIN=fwln311o1 PHYSOUT=tap311i1 MAC=82:fe:1e:cd:f0:86:64:5d:4b:1c:5a:cf:08:00 SRC=192.168.0.2 DST=192.168.0.41 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=51387 DF PROTO=TCP SPT=51468 DPT=443 SEQ=1651316079 ACK=0 WINDOW=64240 SYN

My Proxmox VE is on version 7.0-13 and I've used OpenVSwitch v2.15 to set up the internal networking with an ovs bridge, mainly following the indications. The current /etc/network/interfaces of my Proxmox node is the one below.

auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet manual
    ovs_type OVSPort
    ovs_bridge vmbr0

iface wlp3s0 inet manual

auto pve_inband
iface pve_inband inet static
    address 192.168.0.7/24
    gateway 192.168.0.1
    ovs_type OVSIntPort
    ovs_bridge vmbr0
#PVE's in-band management port

auto vlan1
iface vlan1 inet manual
    ovs_type OVSIntPort
    ovs_bridge vmbr0
    ovs_options tag=1
#First VLAN

auto vlan2
iface vlan2 inet manual
    ovs_type OVSIntPort
    ovs_bridge vmbr0
    ovs_options tag=2
#Second VLAN

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports enp2s0 pve_inband vlan1 vlan2

On the other hand, the rules my firewall has are the default ones set up by Proxmox VE itself, plus some I've added just to open the ports I needed for a number of services.

Also note that all my VMs have two network interfaces, one used for external communications and the other used exclusively for internal cluster communications. The internal ones are connected through VLAN 1, and this doesn't show any issues since the Kubernetes cluster itself works. The issue here is about reaching the external interfaces on the VMs and even the one of the Proxmox VE itself sometimes.

Furthermore, it seems I haven't been the only one with exactly the same issue. I've also read several other threads and other articles but I still don't know what to do to fix this problem. So I hope this forum can give me some hint to a solution for this problem.
Thanks
Hello :)

Can we check some points together?

- Did you have the firewall enabled on your network interface in the WebUI -> Materials?
- On your Proxmox, which firewall are you using? Datacenter fw? Node firewall? VM firewall?
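
The two DROP lines quoted in the first post already show which rule set acted: the leading number is the VM ID (0 is the host's own firewall) and the third field is the chain. The following is an added example, not code from either poster, that parses lines in that layout and counts drops per scope, chain, source, destination and service; the function names are illustrative and the sample is the two lines copied from the post.

```python
import re
from collections import Counter

# The two DROP lines quoted in the first post, copied verbatim.
SAMPLE_LOG = """\
0 6 PVEFW-HOST-IN 01/Nov/2021:13:33:16 +0100 policy DROP: IN=pve_inband MAC=a3:0e:ec:6f:c8:23:64:5d:86:5a:1c:cf:08:00 SRC=192.168.0.2 DST=192.168.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=47464 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=11
311 6 tap311i1-IN 01/Nov/2021:13:33:45 +0100 policy DROP: IN=fwbr311i1 OUT=fwbr311i1 PHYSIN=fwln311o1 PHYSOUT=tap311i1 MAC=82:fe:1e:cd:f0:86:64:5d:4b:1c:5a:cf:08:00 SRC=192.168.0.2 DST=192.168.0.41 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=51387 DF PROTO=TCP SPT=51468 DPT=443 SEQ=1651316079 ACK=0 WINDOW=64240 SYN
"""

# Layout as seen on the page: VMID LOGLEVEL CHAIN TIMESTAMP policy ACTION: packet details
LINE_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) "
    r"(?P<ts>\S+ [+-]\d{4}) policy (?P<action>\w+): (?P<packet>.*)$"
)

def parse_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    fields, flags = {}, []
    # Packet details are KEY=VALUE tokens plus bare flags such as DF or SYN.
    for tok in rec.pop("packet").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)  # keep the first ID= (IP ID); ICMP repeats the key
        else:
            flags.append(tok)
    rec["fields"], rec["flags"] = fields, flags
    # VMID 0 is the host rule set; any other value is that guest's firewall.
    rec["scope"] = "host" if rec["vmid"] == "0" else f"guest {rec['vmid']}"
    return rec

def summarize(log_text):
    """Count DROP entries per (scope, chain, source, destination, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        f = rec["fields"]
        service = f["PROTO"] + ("/" + f["DPT"] if "DPT" in f else "")
        counts[(rec["scope"], rec["chain"], f.get("SRC"), f.get("DST"), service)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Run over a longer capture of the firewall log, the per-scope totals show whether the drops come from the host rule set, a guest's rule set, or both.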