Proxmox claiming MAC address

Protei said:
I did it earlier at the data center level. Now I did as you wrote and I will test. Thanks!
Click to expand...
datacenter level only apply to hypervisors management ips, not vms, so you really need to do it at vm level.

Protei said:
And if I disable all firewalls does it help?
Click to expand...
yes, sure.. (disable firewall option on vm nic option, it'll remove the fwbrX interfaces. Disabling vm firewall in vm firewall option is not enough. )
 
  • Like
Reactions: Protei
openaspace said:
Looking for others Companies guides about proxmox networking I see that ovh official guide use the IP routed setup mode instead of bridged.

https://docs.ovh.com/gb/en/dedicated/network-bridging/
Click to expand...
ovh support both routed && bridged mode,
but bridged mode is supported with their vrack, so you have a true vxlan for you, without any bad flooding traffic from others customers.

https://docs.ovh.com/au/en/dedicated/proxmox-network-hg-scale/


(my personnal opinion: hetzner bridged mode just sucks, because they are not filtering correctly their layer2. Use routed setup with hetzner)
 
spirit said:
my personnal opinion: hetzner bridged mode just sucks, because they are not filtering correctly their layer2. Use routed setup with hetzner)
Click to expand...
that's what I've always thought about this etzner problem..

Officially also hetzner guide allow bridged mode as allowed..
 
My last mac spoofing complaint from hetzner was closed at 13.11. But it may come up again, I dont know ...
Maybe they changed their detection script a bit, but its hard to tell without any written reply with technical details.
 
Hetzner support should have sent a PCAP file of the offending packets. would go a lot quicker toward this problem resolution.

My advice would be to start a ‘tcpdump -i enp5s0 -w /tmp/capture.pcap‘ and let it run until the Hetzner support complains then peruse the PCAP with Wireshark for outlier packets, starting with sorting by MAC, filter out your KNOWN source MAC address, and repeat but with known source IP address(es).

For my homelab (pve-no-subscription), I find myself having to split my four Ethernet Port NIC into management IP, bridged (vmbr0) without an IP, and MACVLAN all connected to the switch.
 
The only way ive managed to keep my server from being locked, is to set it up routed, I put a pfsense VM as gateway in a vm, and route all traffic to vm's inside the internal bridge through it. No more IP locking, only real failsafe way i have found.
 
DragonL80 said:
The only way ive managed to keep my server from being locked, is to set it up routed, I put a pfsense VM as gateway in a vm, and route all traffic to vm's inside the internal bridge through it. No more IP locking, only real failsafe way i have found.
Click to expand...
Im pretty sure i have it setup like this and mine got locked again in august.
 
spirit said:
the my provided patches (disable bridge learning) are not yet released, they basically allowing to use REJECT rules in firewall.
but it should work without them if you use DROP rules.

if you are in proxmox6, for the 2 bugs:

1) rst packet bug
- don't use REJECT as default inbound rule, use DROP.
- they are a bug in default DROP, where REJECT is used for port 43, so you can block it with a DROP rule at the end of your rules.
(this is fixed in proxmox7).

2) multicast igmp report on local link plug

- echo 0 > /proc/sys/net/ipv4/igmp_link_local_mcast_reports (+ /etc/sysctl.d/pve.conf with et.ipv4.igmp_link_local_mcast_reports=0 for persistant value at reboot)
Click to expand...
works fine for me on prox 6.4xxx(will be upgraded soon) with 7 VM/CT.

after changing from routed to bridged mode i got the network-abuse message from hetzner, made the changes above, additionally set up DROP rules for port 43 and contacted hetzner for unlocking my server -> done.

thx for being there guys;-)
 
Hi, proxmox 7.3 finally have also a new option vmbr

"bridge-disable-mac-learning"


Code: 
auto vmbrx
iface vmbrx inet ...
     bridge-disable-mac-learning yes

This should avoid wrong packet coming from the hetzner network to enter to your server and forwarded to the vms,
so we firewal, REJECT rules should works without problem.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!
Community platform by XenForo® © 2010-2023 XenForo Ltd.
Top Bottom
Back