nftables does not work on virtual machines

gservers

New Member
Apr 15, 2026
Hello,

I'm trying to get my nftables working on my dedicated server with Proxmox v8.4.14, and the problem I'm having is that my rules applied to the "nft list ruleset" aren't being taken into account by the virtual machines hosted on my dedicated server. Only the Proxmox server itself (SSH, web UI) is taking them into account. For example, I've applied IP blocking rules within nftables, and it only blocks access to the Proxmox server, but when access is attempted to the virtual machines hosted on it, it allows traffic normally without applying the blocking rules set in nftables.

What could be causing this?

I've already enabled the "nftables (tech preview)" option in NODE -> FIREWALL -> OPTIONS.

I've also set Firewall to 1 in the virtual machine's network device settings within Proxmox -> Hardware.

I've also enabled Firewall on the virtual machine in Firewall -> Options -> Firewall and changed it to Yes.

I can't figure out how to get nftables working in the virtual machine so that it applies the rules set to nftables.

My dedicated server is running Linux -> Proxmox.

However, my virtual machines hosted on Proxmox are running Windows Server. Could this be the problem? Or should all my hosted virtual machines still apply the nftables rules?

By the way, I'm using vmbr0 on the virtual machine's bridge.

In summary: How do I make my virtual machines take into account the rules applied in nftables? Currently, they are only taken into account by the Proxmox server itself (SSH, web UI) and not by the virtual machines.
Did you define the rules on host layer only? Or on VM as well?
Can you post the output of the following commands?

Code:
nft list ruleset
systemctl status proxmox-firewall

cat /etc/pve/firewall/cluster.fw
cat /etc/pve/local/host.fw

and the firewall configuration for your VM (you'd need to replace the VMID in the command)

Code:
cat /etc/pve/firewall/<VMID>.fw
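The question above (rules on the host layer only, or on the VM as well?) comes down to which netfilter hook a rule sits on: a chain hooked at `input` only sees packets addressed to the host itself (SSH, web UI), while frames bridged to a guest on vmbr0/fwbr take the forward path and never pass that chain. As an added example that is not from this thread, from Proxmox or from the poster, the following Python script parses a constructed `nft list ruleset` excerpt (documentation-range addresses, not the poster's) and reports, for each drop rule on an address, whether it covers host traffic only or the bridge/forward path guest traffic takes.

```python
import re

# Constructed sample of `nft list ruleset` output (the poster's real ruleset
# was only shared as screenshots). It holds a host-only block in an `inet`
# input-hook chain and a guest-covering block in a `bridge` forward-hook chain.
SAMPLE_RULESET = """\
table inet host_filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ip saddr 203.0.113.10 drop
        tcp dport 22 accept
    }
}
table bridge guest_filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        ip saddr 198.51.100.7 drop
    }
}
"""

TABLE_RE = re.compile(r"table (\w+) (\S+) \{")
CHAIN_RE = re.compile(r"chain (\S+) \{")
HOOK_RE = re.compile(r"type \w+ hook (\w+) priority")


def parse_ruleset(text):
    """Return (family, table, chain, hook, rule) tuples for every rule line.

    Minimal parser for the textual ruleset format: it tracks the current
    table and chain by their opening/closing braces and records the hook
    from the chain's `type ... hook ...` line. Regular (non-base) chains
    that are only reached by jump/goto keep hook None.
    """
    rules = []
    family = table = chain = hook = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if chain is not None:
                chain = hook = None      # closing a chain
            else:
                family = table = None    # closing a table
            continue
        m = TABLE_RE.match(line)
        if m:
            family, table = m.group(1), m.group(2)
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain, hook = m.group(1), None
            continue
        m = HOOK_RE.match(line)
        if m:
            hook = m.group(1)
            continue
        if chain is not None:
            rules.append((family, table, chain, hook, line))
    return rules


def block_coverage(rules, addr):
    """For each drop/reject rule mentioning `addr`, say which traffic it covers.

    Returns (family, table, chain, hook, scope) tuples. An input-hook chain
    only sees packets addressed to the host, so it protects SSH and the web
    UI but never traffic bridged to a guest; a bridge-family forward chain
    sees frames switched through vmbr/fwbr; an inet forward chain sees routed
    packets (and bridged IPv4 only when br_netfilter is loaded).
    """
    findings = []
    for family, table, chain, hook, rule in rules:
        if addr not in rule.split():
            continue
        if not (rule.endswith(" drop") or " reject" in rule):
            continue
        if hook == "input":
            scope = "host services only (SSH, web UI); bridged guest traffic is not seen here"
        elif hook == "forward" and family == "bridge":
            scope = "frames bridged to/from guests on vmbr/fwbr"
        elif hook == "forward":
            scope = "routed packets forwarded by the host (bridged IPv4 only with br_netfilter)"
        else:
            scope = f"hook {hook}"
        findings.append((family, table, chain, hook, scope))
    return findings


def guests_are_covered(rules, addr):
    """True if at least one block on `addr` sits on a path guest traffic takes."""
    return any(hook == "forward" for _, _, _, hook, _ in block_coverage(rules, addr))


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    for addr in ("203.0.113.10", "198.51.100.7"):
        print(addr, "guests covered:", guests_are_covered(parsed, addr))
        for finding in block_coverage(parsed, addr):
            print("   ", finding)
```

Run it against the real output of `nft list ruleset` by feeding that text to `parse_ruleset` instead of the sample; an address that only shows up under an input-hook chain explains exactly the symptom in the first post, where the block works for SSH and the web UI but not for the VMs.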
nft list ruleset
1.jpg

systemctl status proxmox-firewall
2.jpg

cat /etc/pve/firewall/cluster.fw
3.jpg

cat /etc/pve/local/host.fw
5.jpg

On the virtual machine where I want to enable nftables, I only see iptables. How can I enable nftables on this machine?

cat /etc/pve/firewall/<VMID>.fw
6.jpg

I only see nftables and it only works on the host node; it doesn't work on my virtual machines. How can I make these virtual machines work with nftables?
From what I understand from the guides, what I want is for nftables to connect to vmbr0, which is the bridge and is where the connection to the Proxmox Server (SSH, web UI) passes through. Meanwhile, connections to the virtual machines don't go through vmbr0; they go from the physical network card to routers that each virtual machine has. That's how Proxmox works, as I understand it, right?
Can you post the VM configuration? It seems like there is an issue with parsing the network device property string and that leads to the firewall ruleset not being applied.
This happens when I activate nftables (tech preview) on the node while the firewall is already enabled on the machine, hence the message. I have to disable the firewall in the machine's network card settings and then re-enable it for the change to take effect. The reason is that it changes iptables to nftables when nftables is activated on the node, and since the firewall is already enabled, that causes this error. I realized this while making the changes.
The firewall checkbox on the NIC enables a fwbr bridge to get iptables working, but I think it doesn't do that with nftables (because it's not needed), and maybe it bypasses the nftables rules when present.

Maybe a note should be added to the docs that nftables activation needs a reboot of the node to be sure that no VM was running when the change was made.