Proxmox claiming MAC address

I did it earlier at the data center level. Now I did as you wrote and I will test. Thanks!
Datacenter level only applies to the hypervisor's management IPs, not VMs, so you really need to do it at the VM level.

And if I disable all firewalls does it help?
Yes, sure. (Disable the firewall option on the VM NIC; it'll remove the fwbrX interfaces. Disabling the VM firewall in the VM firewall options is not enough.)
 
Looking for others Companies guides about proxmox networking I see that ovh official guide use the IP routed setup mode instead of bridged.

https://docs.ovh.com/gb/en/dedicated/network-bridging/
OVH supports both routed && bridged mode,
but bridged mode is supported with their vRack, so you have a true VXLAN for you, without any bad flooding traffic from other customers.

https://docs.ovh.com/au/en/dedicated/proxmox-network-hg-scale/


(My personal opinion: Hetzner bridged mode just sucks, because they are not filtering their layer 2 correctly. Use routed setup with Hetzner.)
 
(My personal opinion: Hetzner bridged mode just sucks, because they are not filtering their layer 2 correctly. Use routed setup with Hetzner.)
That's what I've always thought about this Hetzner problem.

Officially, the Hetzner guide also lists bridged mode as allowed.
 
My last MAC spoofing complaint from Hetzner was closed on 13.11. But it may come up again, I don't know...
Maybe they changed their detection script a bit, but it's hard to tell without any written reply with technical details.
 
Hetzner support should have sent a PCAP file of the offending packets. It would go a lot quicker toward resolving this problem.

My advice would be to start a 'tcpdump -i enp5s0 -w /tmp/capture.pcap' and let it run until Hetzner support complains, then peruse the PCAP with Wireshark for outlier packets, starting with sorting by MAC, filtering out your KNOWN source MAC address, and repeating but with your known source IP address(es).

For my homelab (pve-no-subscription), I find myself having to split my four-port Ethernet NIC into a management IP, a bridge (vmbr0) without an IP, and MACVLAN, all connected to the switch.
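The Wireshark triage described in the post above (sort by source MAC, filter out the MACs you know are yours, look at what is left) can be scripted, so the capture can be checked before the provider's abuse desk does it. The following is an added example, not code from the thread, from Hetzner or from Proxmox: a minimal classic-pcap reader in plain Python (no scapy) that counts frames per Ethernet source MAC and reports every source MAC that is not in the set the provider has on record for the server. It assumes the classic pcap format (not pcapng) with Ethernet link type, which is what the tcpdump command in the post produces; the MAC addresses and the embedded sample capture are constructed for the stand-alone run.

```python
"""Report Ethernet source MACs in a pcap that are not among the host's known MACs.

Added example (not from the thread, Hetzner or Proxmox). Assumes classic pcap
(magic 0xa1b2c3d4 in either byte order) with LINKTYPE_ETHERNET; pcapng is rejected.
"""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1


def iter_frames(data: bytes):
    """Yield (timestamp, raw_ethernet_frame) for each record in a classic pcap blob."""
    if len(data) < 24:
        raise ValueError("pcap too short for a global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:          # written by a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:        # written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}, expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                    # truncated capture; stop rather than misparse
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def source_mac_counts(data: bytes) -> Counter:
    """Count frames per Ethernet source MAC (bytes 6..11 of the frame)."""
    counts = Counter()
    for _ts, frame in iter_frames(data):
        if len(frame) < 14:          # shorter than an Ethernet header
            continue
        counts[mac_str(frame[6:12])] += 1
    return counts


def unknown_sources(data: bytes, known_macs: set) -> dict:
    """Source MACs seen in the capture that are not in known_macs, with frame counts.

    known_macs should hold every MAC the provider has on record for this server:
    the physical NIC plus each virtual MAC ordered for a VM.
    """
    known = {m.lower() for m in known_macs}
    return {m: n for m, n in source_mac_counts(data).items() if m not in known}


# --- constructed sample capture for a stand-alone run (not real traffic) ---
def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def eth_frame(src: str, dst: str, ethertype: int = 0x0800) -> bytes:
    """Build a minimal 60-byte Ethernet frame with a zeroed payload."""
    return _mac_bytes(dst) + _mac_bytes(src) + struct.pack(">H", ethertype) + b"\x00" * 46


def build_pcap(frames) -> bytes:
    """Wrap raw frames in a little-endian classic pcap container."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


HOST_MAC = "a8:a1:59:00:00:01"    # constructed: the physical NIC's MAC
VM_MAC = "00:50:56:00:00:aa"      # constructed: a virtual MAC assigned by the provider
ROGUE_MAC = "02:00:00:de:ad:01"   # constructed: a VM NIC left with a random MAC

SAMPLE_PCAP = build_pcap([
    eth_frame(HOST_MAC, "ff:ff:ff:ff:ff:ff", 0x0806),   # ARP from the host itself
    eth_frame(VM_MAC, "d2:74:7f:6e:37:e3"),             # IPv4 from the registered VM MAC
    eth_frame(ROGUE_MAC, "d2:74:7f:6e:37:e3"),          # IPv4 from an unregistered MAC
    eth_frame(ROGUE_MAC, "ff:ff:ff:ff:ff:ff", 0x0806),  # ARP from the same unregistered MAC
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for mac, n in sorted(unknown_sources(data, {HOST_MAC, VM_MAC}).items(), key=lambda kv: -kv[1]):
        print(f"{mac}  {n} frames")
```

Run it as `python3 find_unknown_macs.py /tmp/capture.pcap` after editing the known-MAC set to match what the provider's robot has on record; anything it prints is a MAC that will trip a provider-side "unknown MAC on the uplink" check, so it is the list to compare against the VM NIC settings, not just the host's own interfaces.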
 
The only way I've managed to keep my server from being locked is to set it up routed: I put a pfSense VM as gateway and route all traffic to VMs inside the internal bridge through it. No more IP locking; the only real failsafe way I have found.
 
The only way I've managed to keep my server from being locked is to set it up routed: I put a pfSense VM as gateway and route all traffic to VMs inside the internal bridge through it. No more IP locking; the only real failsafe way I have found.
I'm pretty sure I have it set up like this and mine got locked again in August.
 
The patches I provided (disable bridge learning) are not yet released; they basically allow using REJECT rules in the firewall.
But it should work without them if you use DROP rules.

If you are on Proxmox 6, for the 2 bugs:

1) RST packet bug
- don't use REJECT as the default inbound rule, use DROP.
- there is a bug in the default DROP, where REJECT is used for port 43, so you can block it with a DROP rule at the end of your rules.
(This is fixed in Proxmox 7.)

2) Multicast IGMP report on local link plug

- echo 0 > /proc/sys/net/ipv4/igmp_link_local_mcast_reports (plus /etc/sysctl.d/pve.conf with net.ipv4.igmp_link_local_mcast_reports=0 for a persistent value across reboots)
Works fine for me on Proxmox 6.4xxx (will be upgraded soon) with 7 VMs/CTs.

After changing from routed to bridged mode I got the network-abuse message from Hetzner, made the changes above, additionally set up DROP rules for port 43 and contacted Hetzner to unlock my server -> done.

Thanks for being there, guys ;-)
 
Hi, Proxmox 7.3 finally also has a new vmbr option:

"bridge-disable-mac-learning"


Code:
auto vmbrx
iface vmbrx inet ...
     bridge-disable-mac-learning yes

This should stop wrong packets coming from the Hetzner network from entering your server and being forwarded to the VMs,
so with the firewall, REJECT rules should work without problem.
 