Hi all,
I'm not able to get the firewall for single VMs working as desired. I would like to configure the firewalls for VMs to granularly restrict access to each VM. But as soon as I enable the firewall for VMs in the network device settings of the VM, I'm not able to connect to any services on the internet anymore from these VMs, even though the firewalls are configured to let the traffic out.
My Proxmox server has a single public IPv4. The server and all VMs and containers need to work with this single IP for accessing any public systems on the internet, e.g. repository servers. To allow this for the VMs, I have enabled masquerading (see iptables rules below).
Some of the systems are reachable via this IPv4 through port forwarding (see iptables rules below).
The public facing network device of the server is enp41s0.
There is one bridge configured, vmbr0. All VMs and the Proxmox host are connected to it. IP of Proxmox is 10.20.30.1.
The output of iptables -L -t nat:
Code:
Chain PREROUTING (policy ACCEPT)
target      prot opt source        destination
DNAT        6    --  0.0.0.0/0     50.60.70.80   tcp dpt:1234  to:10.20.30.53:1234
DNAT        6    --  0.0.0.0/0     50.60.70.80   tcp dpt:23456 to:10.20.30.53:80
DNAT        6    --  0.0.0.0/0     50.60.70.80   tcp dpt:5432  to:10.20.30.49:22
DNAT        17   --  0.0.0.0/0     50.60.70.80   udp dpt:12121 to:10.20.30.54:12121
DNAT        17   --  0.0.0.0/0     50.60.70.80   udp dpt:21212 to:10.20.30.56:21212

Chain INPUT (policy ACCEPT)
target      prot opt source        destination

Chain OUTPUT (policy ACCEPT)
target      prot opt source        destination

Chain POSTROUTING (policy ACCEPT)
target      prot opt source        destination
MASQUERADE  0    --  10.20.30.0/24 0.0.0.0/0
(I'm using the fake IP 50.60.70.80 as the server's public IP here so as not to expose the actual one.)
The output of sysctl net.ipv4.ip_forward:
Code:
net.ipv4.ip_forward = 1
On datacenter level, the firewall settings look like this:

On VM level, the firewall settings look like this:

I have created a rule in the firewall on datacenter level and on VM level to make sure that it's not due to a missing rule.
Datacenter:

VM:

Example: VM gui1 (10.20.30.50/24, Gateway 10.20.30.1)
If I disable the firewall in the network device settings of the VM, I'm able to connect to https://www.wikipedia.org (using Lubuntu with Firefox).
As soon as I enable the firewall in the network device settings, the connection times out. The entries I see in the firewall log of the client all look like this:
Code:
101 7 tap101i0-OUT 23/Nov/2025:15:45:37 +0100 ACCEPT: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=tap101i0 PHYSOUT=fwln101i0 MAC=ce:7c:f2:1e:36:8b:bc:24:11:d0:74:9f:08:00 SRC=10.20.30.50 DST=185.15.59.224 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52378 DF PROTO=TCP SPT=50104 DPT=443 SEQ=1709342584 ACK=0 WINDOW=64240 SYN
Similar to that, the firewall logs on the host look like this:
Code:
101 7 tap101i0-OUT 23/Nov/2025:15:49:55 +0100 ACCEPT: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=tap101i0 PHYSOUT=fwln101i0 MAC=ce:7c:f2:1e:36:8b:bc:24:11:d0:74:9f:08:00 SRC=10.20.30.50 DST=185.15.59.224 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=64707 DF PROTO=TCP SPT=37422 DPT=443 SEQ=752345675 ACK=0 WINDOW=64240 SYN
I also tried nmap instead of Firefox to port 443 of www.wikipedia.org. Same behaviour.
Rebooted Proxmox server, but same behaviour.
Sending pings to other systems on vmbr0 is working from that VM. Only the masqueraded traffic to "the outside world" is not actually going out.
Am I missing anything?
Many thanks in advance!
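Added audit helper, not part of the post: it parses the iptables -L -t nat output quoted above (with the poster's placeholder 50.60.70.80) into a per-VM table of which public ports are forwarded where, lists the forwards accepted from any source, and flags forwarded VMs that lie outside the MASQUERADE range. The regular expressions and function names are my own; only the NAT table is taken from the post.

```python
import ipaddress
import re

# Constructed sample: the `iptables -L -t nat` output quoted in the post
# (50.60.70.80 is the poster's placeholder for the real public IP).
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT 6 -- 0.0.0.0/0 50.60.70.80 tcp dpt:1234 to:10.20.30.53:1234
DNAT 6 -- 0.0.0.0/0 50.60.70.80 tcp dpt:23456 to:10.20.30.53:80
DNAT 6 -- 0.0.0.0/0 50.60.70.80 tcp dpt:5432 to:10.20.30.49:22
DNAT 17 -- 0.0.0.0/0 50.60.70.80 udp dpt:12121 to:10.20.30.54:12121
DNAT 17 -- 0.0.0.0/0 50.60.70.80 udp dpt:21212 to:10.20.30.56:21212
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- 10.20.30.0/24 0.0.0.0/0
"""

# One DNAT port-forward line: source match, public dst, proto, public port, target ip:port
DNAT_RE = re.compile(r"^DNAT\s+\S+\s+--\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+dpt:(\d+)\s+to:([\d.]+):(\d+)")
# One MASQUERADE line: the source range that gets the host's public address on the way out
MASQ_RE = re.compile(r"^MASQUERADE\s+\S+\s+--\s+(\S+)\s+(\S+)")

def parse_nat(text):
    """Return (forwards, masq_ranges) parsed from `iptables -L -t nat` output."""
    forwards, masq = [], []
    for line in text.splitlines():
        if m := DNAT_RE.match(line):
            src, dst, proto, dport, to_ip, to_port = m.groups()
            forwards.append({"from": src, "public": dst, "proto": proto,
                             "dport": int(dport), "to_ip": to_ip, "to_port": int(to_port)})
        elif m := MASQ_RE.match(line):
            masq.append(ipaddress.ip_network(m.group(1)))
    return forwards, masq

def exposure_by_vm(forwards):
    """Map each internal address to the (proto, public port, internal port) tuples it receives."""
    table = {}
    for f in forwards:
        table.setdefault(f["to_ip"], []).append((f["proto"], f["dport"], f["to_port"]))
    return table

def world_reachable(forwards):
    """Forwards whose source match is 0.0.0.0/0 (printed as 'anywhere' when -n is omitted)."""
    return [f for f in forwards if f["from"] in ("0.0.0.0/0", "anywhere")]

def unmasqueraded_targets(forwards, masq):
    """Forwarded VMs outside every MASQUERADE range: inbound is NATed, their outbound is not."""
    return sorted({f["to_ip"] for f in forwards
                   if not any(ipaddress.ip_address(f["to_ip"]) in n for n in masq)})
```

With the posted rules the masquerade check comes back empty, and all five forwards, including the one landing on 10.20.30.49:22, accept connections from any source.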