> 3) echo 0 >/proc/sys/net/ipv4/igmp_link_local_mcast_reports + add in /etc/sysctl.d/pve.conf
> "net.ipv4.igmp_link_local_mcast_reports = 0"

Can anyone confirm that this works, with manual verification from the datacenter support?

> Can anyone confirm that this works, with manual verification from the datacenter support?

It doesn't. Well, at least it never worked for me. I applied this and messaged DC support - they said it's fine and they don't see any wrong MAC traffic, but after a few days - same story. So the issue comes and goes.
Today they even locked my server (!!!). I applied a firewall rule as suggested here and it was unblocked. Again the traffic is said to be clean. We'll see how it goes now...

> It doesn't. Well, at least it never worked for me. I applied this and messaged DC support - they said it's fine and they don't see any wrong MAC traffic, but after a few days - same story. So the issue comes and goes.

So, just to be sure, do you apply all these fixes:
1) never use REJECT rules for inbound rules, and use DROP as default action.
2) if you are still on proxmox6, add an extra DROP for tcp/43 for inbound rule. (this is fixed in proxmox7 pve-firewall_4.2-3)
3) echo 0 >/proc/sys/net/ipv4/igmp_link_local_mcast_reports + add in /etc/sysctl.d/pve.conf
"net.ipv4.igmp_link_local_mcast_reports = 0"
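A small audit script for the three fixes above, added here as an example (it is not code from the thread or from pve-firewall). It parses a Proxmox firewall file in the syntax pve-firewall writes (`[OPTIONS]` with `policy_in:`, `[RULES]` with lines like `IN ACCEPT -p tcp -dport 22`, macro actions like `SSH(ACCEPT)`, disabled rules prefixed with `|`) plus a sysctl.d fragment, and reports which of the three points are not in place. Both sample files are constructed; the Proxmox major version is passed in because point 2 only applies to version 6.

```python
"""Audit a Proxmox VE firewall file (cluster.fw, host.fw or <vmid>.fw) and a
sysctl.d fragment against the three fixes from the thread. Added example;
sample inputs are constructed, not taken from a real host."""
import re

SAMPLE_FW_BAD = """\
[OPTIONS]
enable: 1
policy_in: ACCEPT
policy_out: ACCEPT

[RULES]
IN SSH(ACCEPT) -source 192.0.2.0/24 -log nolog
IN REJECT -p tcp -dport 25 -log nolog
|IN DROP -p tcp -dport 43
OUT ACCEPT -p udp -dport 53
"""

SAMPLE_FW_GOOD = """\
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN SSH(ACCEPT) -source 192.0.2.0/24 -log nolog
IN DROP -p tcp -dport 43
"""

SAMPLE_SYSCTL = """\
# constructed /etc/sysctl.d/pve.conf
net.ipv4.igmp_link_local_mcast_reports = 0
"""


def parse_fw(text):
    """Return (options, rules); a rule is (direction, action, proto, dport)."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "OPTIONS" and ":" in line:
            key, val = line.split(":", 1)
            options[key.strip()] = val.strip()
        elif section == "RULES":
            parts = line.split()
            if parts[0].startswith("|") or parts[0].upper() == "GROUP":
                continue  # disabled rule or security-group reference
            # the action may be a macro such as SSH(ACCEPT); keep the bracketed part
            action = re.sub(r".*\((\w+)\)$", r"\1", parts[1]).upper()
            proto = dport = None
            for i, tok in enumerate(parts[2:-1], start=2):  # each tok has a value after it
                if tok == "-p":
                    proto = parts[i + 1].lower()
                elif tok == "-dport":
                    dport = parts[i + 1]
            rules.append((parts[0].upper(), action, proto, dport))
    return options, rules


def parse_sysctl(text):
    """Return {key: value} from a sysctl.conf-style fragment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        settings[key.strip()] = val.strip()
    return settings


def audit(fw_text, sysctl_text, proxmox_major):
    """Return a list of findings; an empty list means all three fixes are present."""
    options, rules = parse_fw(fw_text)
    settings = parse_sysctl(sysctl_text)
    findings = []
    # 1) inbound default action must be DROP, and no inbound REJECT rules
    if options.get("policy_in", "DROP").upper() != "DROP":
        findings.append(f"policy_in is {options['policy_in']}, expected DROP")
    for direction, action, proto, dport in rules:
        if direction == "IN" and action == "REJECT":
            findings.append(f"inbound REJECT rule for {proto or 'any'}/{dport or 'any'}; use DROP")
    # 2) Proxmox 6 needs an explicit inbound DROP for tcp/43 (only exact "-dport 43" is matched)
    if proxmox_major < 7 and ("IN", "DROP", "tcp", "43") not in rules:
        findings.append("no inbound DROP for tcp/43 (required on Proxmox 6)")
    # 3) link-local IGMP membership reports must be switched off
    if settings.get("net.ipv4.igmp_link_local_mcast_reports") != "0":
        findings.append("net.ipv4.igmp_link_local_mcast_reports is not set to 0")
    return findings


if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_FW_BAD), ("good", SAMPLE_FW_GOOD)):
        print(name, audit(text, SAMPLE_SYSCTL, proxmox_major=6) or ["ok"])
```

On a real host you would feed it `/etc/pve/firewall/<vmid>.fw` for every VM that has the firewall enabled (the thread's point is that datacenter-level rules do not cover VM firewalls) together with `/etc/sysctl.d/pve.conf`; the running value should also be confirmed with `sysctl net.ipv4.igmp_link_local_mcast_reports`, since the file only takes effect after `sysctl --system` or a reboot.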
> do you have any logs from hetzner about the wrong mac or ip?
> (I would like to know if the mac is a mac of a specific device on proxmox (tap,fwbr,...), and if the ip is an ip from the proxmox host too)

It seems to be random different MACs all the time, here are examples of abuse messages:

#1011951 (138.201.52.41)
Allowed MACs:
00:50:56:15:24:cc
00:50:56:15:24:9b
90:1b:0e:91:c2:ba
00:50:56:00:4d:d0
00:50:56:00:3f:4e
00:50:56:00:2b:66
00:50:56:00:37:8a
Unallowed MACs:
46:0c:af:0e:36:55
c6:81:b4:a8:ad:21
> 2. I have this as the default rule on datacenter level:
> (attachment 30792)

datacenter rules only apply to host firewall, not vm firewall.
do you have drop input policy on every vm firewall option?
and if yes, do you use proxmox7 with the last pve-firewall updates? or if proxmox6, have you added a "drop port 43" for every vm?

> datacenter rules only apply to host firewall, not vm firewall.

I still run Proxmox 6. On the mentioned host it's only one VM running with the following configuration of the firewall:
(attachment 30802)
SMALL UPDATE: For the sake of completeness... The host has two VMs that have Firewall disabled, but those VMs are being used as a template for other hosts and were never up. I don't believe it can be an issue.

> I still run Proxmox 6. On the mentioned host it's only one VM running with the following configuration of the firewall:

if you are on proxmox6, you need to add a rule to drop port tcp 43 direction in, at the end of your vms rules (for each vm where the firewall is enabled).
> i have the same issue with hetzner, did the command above solve the issue for you?

none of the proposed solutions works for me. I have switched to AWS for a critical live streaming application, but it is too expensive.
I need to use a hardware server with a flat network.

> none of the proposed solutions works for me. I have switched to AWS for a critical live streaming application, but it is too expensive.

it's not a good choice to go aws/azure, they are very expensive

> none of the proposed solutions works for me. I have switched to AWS for a critical live streaming application, but it is too expensive.
> I need to use a hardware server with a flat network.

if both solutions (iptables drop port 43 + drop default action (and no reject rules) + sysctl to drop igmp local link) don't work, maybe it's another bug.
ebtables -I OUTPUT -o <physical interface> --among-src ! <mac1,mac2,mac3,...> --log-level info --log-prefix "MAC-FLOOD-O" --log-ip -j CONTINUE
ebtables -I FORWARD -o <physical interface> --among-src ! <mac1,mac2,mac3,...> --log-level info --log-prefix "MAC-FLOOD-F" --log-ip -j CONTINUE
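The two ebtables rules above only log (`-j CONTINUE`), so the useful part is reading the kernel log afterwards. The script below is an added example, not code from the thread: it parses lines in the layout the ebt_log kernel module writes (`PREFIX IN=<port> OUT=<iface> MAC source = <mac> MAC dest = <mac> proto = 0x<ethertype>`, followed by `IP SRC=<ip> IP DST=<ip>, IP tos=..., IP proto=...` when `--log-ip` is set), drops frames whose source MAC is on the allowed list from the abuse message earlier in the thread, and groups the rest by source MAC together with the bridge port they came in on and the IP they carried, which is what you need to tie a rogue MAC back to a VM or to the host. The log lines and interface names are constructed, not captured from a real system.

```python
"""Summarise ebtables MAC-FLOOD-O / MAC-FLOOD-F log lines by rogue source MAC.
Added example; SAMPLE_LOG is constructed to look like `journalctl -k` output."""
import re

# Allowed MACs as listed in the Hetzner abuse message quoted in the thread
ALLOWED_MACS = {
    "00:50:56:15:24:cc", "00:50:56:15:24:9b", "90:1b:0e:91:c2:ba",
    "00:50:56:00:4d:d0", "00:50:56:00:3f:4e", "00:50:56:00:2b:66",
    "00:50:56:00:37:8a",
}

# Constructed sample; interface names (enp0s31f6, fwpr100p0) are assumptions
SAMPLE_LOG = """\
[ 8123.101] MAC-FLOOD-O IN= OUT=enp0s31f6 MAC source = 46:0c:af:0e:36:55 MAC dest = 00:11:22:33:44:55 proto = 0x0800 IP SRC=10.10.0.7 IP DST=192.0.2.10, IP tos=0x00, IP proto=6 SPT=44120 DPT=443
[ 8123.104] MAC-FLOOD-F IN=fwpr100p0 OUT=enp0s31f6 MAC source = c6:81:b4:a8:ad:21 MAC dest = 00:11:22:33:44:55 proto = 0x0800 IP SRC=10.10.0.9 IP DST=224.0.0.251, IP tos=0x00, IP proto=17 SPT=5353 DPT=5353
[ 8123.110] MAC-FLOOD-F IN=fwpr100p0 OUT=enp0s31f6 MAC source = 46:0c:af:0e:36:55 MAC dest = 33:33:00:00:00:16 proto = 0x86dd
[ 8123.120] MAC-FLOOD-O IN= OUT=enp0s31f6 MAC source = 00:50:56:00:4d:d0 MAC dest = 00:11:22:33:44:55 proto = 0x0800 IP SRC=138.201.52.41 IP DST=192.0.2.10, IP tos=0x00, IP proto=6 SPT=40000 DPT=80
[ 8124.000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    r"(?P<prefix>MAC-FLOOD-[OF]) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    rf"MAC source = (?P<src>{MAC}) MAC dest = (?P<dst>{MAC}) "
    r"proto = 0x(?P<ethertype>[0-9a-f]{4})"
    r"(?: IP SRC=(?P<ip_src>[^\s,]+) IP DST=(?P<ip_dst>[^\s,]+),)?"
)


def parse_line(line):
    """Return the fields of one ebtables log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = rec["src"].lower()
    return rec


def summarize(log_text, allowed=ALLOWED_MACS):
    """Group frames whose source MAC is not allowed.

    Returns {mac: {"count": n, "out": [...], "in": [...], "ip_src": [...]}}.
    An empty IN= field (OUTPUT chain) means the frame was generated on the
    host itself; a bridge port in IN= (FORWARD chain) points at a VM's path.
    """
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in allowed:
            continue
        entry = seen.setdefault(
            rec["src"], {"count": 0, "out": set(), "in": set(), "ip_src": set()}
        )
        entry["count"] += 1
        entry["out"].add(rec["out"])
        if rec["in"]:
            entry["in"].add(rec["in"])
        if rec["ip_src"]:
            entry["ip_src"].add(rec["ip_src"])
    # sorted lists instead of sets, so output is stable
    return {
        mac: {k: (sorted(v) if isinstance(v, set) else v) for k, v in e.items()}
        for mac, e in seen.items()
    }


if __name__ == "__main__":
    for mac, info in sorted(summarize(SAMPLE_LOG).items()):
        origin = info["in"] or ["host (OUTPUT chain)"]
        print(f"{mac}: {info['count']} frame(s) via {origin} -> {info['out']}, IPs {info['ip_src']}")
```

Run it against `journalctl -k --no-pager` (or `dmesg`) output on the host; a MAC that shows up with an empty IN= field is one the host itself is emitting, which is where the IGMP sysctl and the tcp/43 rule come into play, while a MAC reaching the physical interface from a bridge port can be matched to a VM with `ip -br link` and `qm config <vmid>`.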
> I was helped by the solutions that Spirit provided. Messages from Hetzner have not been received again for three weeks. Thanks!

did you ask for manual MAC verification from network support? i also went weeks without warnings .. then asked for a manual scan .. the problem was always there ..