Hi community!
After much much pain (even after reading some of the posts on these forums) I have to finally give up on using pve-firewall to act as firewall for my virtual routers... :-( .... the problem (well, mine in reality) is that I love pve-firewall! it is an amazing feature that makes my life a lot easier... so easy to manage... it is bitter to have to give up on this.
Basically, as some have already experienced, the firewall simply (and silently) drops traffic in scenarios where asymmetric traffic happens...
It turns out that asymmetric routing occurs when using routing protocols and multiple paths actually exist for redundancy.
By using tcpdump (and having a 'just ACCEPT all' rule) I can state that traffic arriving at the fwbrxxx interface never reaches the tapxxxx interface... it is silently dropped (this only happens for asymmetric/returning traffic, the rest works normally)... disable the firewall and tada! it passes.
In my case, we use OVH, and their vRack feature allows for interconnecting our little cluster nodes at layer2 across separate geographical datacenters.... so by setting up redundant VPN links to different virtual routers at different cluster nodes, from a single location, we achieve a nice redundant / load-balanced connection, and it works nicely! ... as long as I completely disable pve-firewall for those VM/routers or, at least, on their interfaces (a mixed situation I don't like)
It would be great if, on the interfaces setup, at the GUI, we got two firewall checkboxes instead of one, one for layer2 and another for layer3 firewalling :-D
Best regards!
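A way to automate the fwbr-versus-tap comparison described in the post, as an added example that is not part of the original post or of Proxmox: it assumes tcpdump's default one-line text output for two captures taken at the same time on fwbrXXX and tapXXX, and all addresses and packets below are constructed.

```python
"""Diagnose packets that enter a VM's fwbr interface but never reach its tap.

Added example, not code from the original post or from Proxmox. It parses
tcpdump's default one-line text output for two captures taken at the same
time (on fwbrXXX and on tapXXX) and lists packets seen on the fwbr side only,
which is where the post's "silently dropped" asymmetric return traffic shows
up. All interface names, addresses and packets below are constructed.
"""
import re
from collections import Counter

# Matches "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], ..." for TCP
# and "... IP src.sport > dst.dport: UDP, length N" for UDP.
_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): "
    r"(Flags \[[^\]]*\]|\S+)"
)


def parse_packets(capture: str) -> Counter:
    """Count packets per (src, sport, dst, dport, proto-or-flags) key."""
    seen = Counter()
    for line in capture.splitlines():
        m = _LINE.match(line.strip())
        if m:
            src, sport, dst, dport, kind = m.groups()
            seen[(src, int(sport), dst, int(dport), kind.rstrip(","))] += 1
    return seen


def dropped_between(fwbr_capture: str, tap_capture: str) -> list:
    """Packets present on fwbr but absent on tap: dropped in between."""
    missing = parse_packets(fwbr_capture) - parse_packets(tap_capture)
    return sorted(missing.items())


# Constructed captures: the client's SYN is forwarded to the VM, but the
# SYN-ACK left via another node, so the client's ACK arrives on fwbr without
# a matching connection state and never appears on tap; same for the UDP reply.
FWBR_SAMPLE = """\
12:00:01.000100 IP 10.0.0.5.40000 > 10.0.0.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 10.0.0.5.40000 > 10.0.0.10.22: Flags [.], ack 1, win 502, length 0
12:00:02.000100 IP 10.0.0.7.53 > 10.0.0.10.50000: UDP, length 80
"""
TAP_SAMPLE = """\
12:00:01.000120 IP 10.0.0.5.40000 > 10.0.0.10.22: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for (src, sport, dst, dport, kind), n in dropped_between(FWBR_SAMPLE, TAP_SAMPLE):
        print(f"{n} x {src}:{sport} -> {dst}:{dport} {kind}: on fwbr, not on tap")
```

Feed it real captures from `tcpdump -nn -i fwbrXXX` and `tcpdump -nn -i tapXXX` taken over the same window; every flow it reports is one the firewall dropped rather than forwarded.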