Pakets sometimes landing on wrong interface?

Z

zeropage

Member
Feb 6, 2022
20
0
21
35
In my Proxmox VE instance, IP packets are rejected by the firewall. According to the log, they are not assigned to the correct interface. This happens randomly. I would also like to mention that part of the connection runs through a WireGuard site-to-site tunnel and is then routed from an OPNsense to the PVE host.

remote_host (10.8.3.1) -> wireguard -> OPNSense (10.8.2.1) -> PVE (192.168.5.21, vmbr0) -> vm_202 (192.168.10.69, veth202i0)

Here is an excerpt from the log. The last of the 5 lines shows how it should be correct.

Code: 
104 6 tap104i0-IN 05/Mar/2026:16:00:02 +0100 policy REJECT: IN=fwbr104i0 OUT=fwbr104i0 PHYSIN=fwln104i0 PHYSOUT=tap104i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=10.8.3.1 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64972 DF PROTO=TCP SPT=39098 DPT=8300 SEQ=861552363 ACK=0 WINDOW=64860 SYN
252 6 veth252i0-IN 05/Mar/2026:16:00:02 +0100 policy REJECT: IN=fwbr252i0 OUT=fwbr252i0 PHYSIN=fwln252i0 PHYSOUT=veth252i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=10.8.3.1 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64972 DF PROTO=TCP SPT=39098 DPT=8300 SEQ=861552363 ACK=0 WINDOW=64860 SYN
255 6 veth255i0-IN 05/Mar/2026:16:00:02 +0100 policy REJECT: IN=fwbr255i0 OUT=fwbr255i0 PHYSIN=fwln255i0 PHYSOUT=veth255i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=10.8.3.1 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64972 DF PROTO=TCP SPT=39098 DPT=8300 SEQ=861552363 ACK=0 WINDOW=64860 SYN
201 5 veth201i0-IN 05/Mar/2026:16:00:02 +0100 policy DROP: IN=fwbr201i0 OUT=fwbr201i0 PHYSIN=fwln201i0 PHYSOUT=veth201i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=10.8.3.1 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64972 DF PROTO=TCP SPT=39098 DPT=8300 SEQ=861552363 ACK=0 WINDOW=64860 SYN
202 6 veth202i0-IN 05/Mar/2026:16:13:25 +0100 ACCEPT: IN=fwbr202i0 OUT=fwbr202i0 PHYSIN=fwln202i0 PHYSOUT=veth202i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=10.8.3.1 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=56394 DF PROTO=TCP SPT=49814 DPT=8300 SEQ=3254910460 ACK=0 WINDOW=64860 SYN

- Proxmox VE 8.4.16
- OPNsense 25.7.11

Any help is welcome.
 

Attachments

  • Screenshot 2026-03-05 165541.png
    Screenshot 2026-03-05 165541.png
    10.3 KB · Views: 4
Last edited:
Hello again,

I now see that it's not just IP packets routed through Wireguard that are affected. My reverse proxy is also affected. I run a reverse proxy on a Proxmox VM (ID=101) using Apache HTTPd. This can be accessed from the internet via OPNsense and NAT.
Even with this configuration, the PVE host log shows SYN that are not delivered to the correct VM (103). I may have an error in the VLAN configuration here. Strangely, the error seems to occur randomly. Most files are delivered correctly...

Code: 
103 6 tap103i0-IN 06/Mar/2026:07:03:07 +0100 policy REJECT: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=fa:01:18:cd:75:5a:00:0d:b9:4e:de:5c:08:00 SRC=44.220.185.64 DST=192.168.20.65 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=17754 DF PROTO=TCP SPT=45114 DPT=7001 SEQ=1173853270 ACK=0 WINDOW=64240 SYN
103 6 tap103i0-IN 06/Mar/2026:07:03:07 +0100 policy REJECT: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=fa:01:18:cd:75:5a:00:0d:b9:4e:de:5c:08:00 SRC=44.220.185.64 DST=192.168.20.65 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=58480 DF PROTO=TCP SPT=45126 DPT=7001 SEQ=3729049294 ACK=0 WINDOW=64240 SYN
103 6 tap103i0-IN 06/Mar/2026:07:03:08 +0100 policy REJECT: IN=fwbr103i0 OUT=fwbr103i0 PHYSIN=fwln103i0 PHYSOUT=tap103i0 MAC=fa:01:18:cd:75:5a:00:0d:b9:4e:de:5c:08:00 SRC=44.220.185.64 DST=192.168.20.65 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=30277 DF PROTO=TCP SPT=45132 DPT=7001 SEQ=1061668699 ACK=0 WINDOW=64240 SYN

Or did I misunderstood anything here...?
 
Last edited:
...and even from one VM to another:

Code: 
201 6 veth201i0-IN 07/Mar/2026:01:46:31 +0100 policy REJECT: IN=fwbr201i0 OUT=fwbr201i0 PHYSIN=fwln201i0 PHYSOUT=veth201i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=192.168.20.65 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44895 DF PROTO=TCP SPT=39840 DPT=8300 SEQ=2643749701 ACK=0 WINDOW=64240 SYN
201 6 veth201i0-IN 07/Mar/2026:01:46:32 +0100 policy REJECT: IN=fwbr201i0 OUT=fwbr201i0 PHYSIN=fwln201i0 PHYSOUT=veth201i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=192.168.20.65 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44896 DF PROTO=TCP SPT=39840 DPT=8300 SEQ=2643749701 ACK=0 WINDOW=64240 SYN
201 6 veth201i0-IN 07/Mar/2026:01:46:34 +0100 policy REJECT: IN=fwbr201i0 OUT=fwbr201i0 PHYSIN=fwln201i0 PHYSOUT=veth201i0 MAC=bc:24:11:ee:de:e3:00:0d:b9:4e:de:5c:08:00 SRC=192.168.20.65 DST=192.168.10.69 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=44897 DF PROTO=TCP SPT=39840 DPT=8300 SEQ=2643749701 ACK=0 WINDOW=64240 SYN

Destination VM should be 202, log messages starting with "201",
 
Last edited:
In the meantime, I have understood that these log messages are a consequence of the firewall policy REJECT and MAC learning. To better diagnose my failed connections, I set bridge-disable-mac-learning 1. I also looked at the contents of the bridge forwarding database. However, I cannot judge the accuracy of the extensive list.
 
I still have MAC learning enabled. Then I took the following steps:

- Completely restarted PVE
- Logged in to LXC 202 via SSH
- I find 3 entries for the MAC of LXC 202:

Code: 
$ bridge fdb show |grep -i BC:24:11:EE:DE:E3
bc:24:11:ee:de:e3 dev fwln104i0 master fwbr104i0
bc:24:11:ee:de:e3 dev veth202i0 master fwbr202i0
bc:24:11:ee:de:e3 dev fwpr202p0 vlan 10 master vmbr0

I'm not sure if the first of the 3 entries is correct. Unfortunately, I still haven't been able to solve my problem myself.
 
You must log in or register to reply here.
Top Bottom
Back