Proxmox cluster with SDN VLAN client isolation

Maurice Janssen

Jan 21, 2026
Hi,

For a POC we built a 3 node PVE cluster (Proxmox 9.1) and configured SDN. On the vnet we enabled client isolation; this works on the same host, but traffic from the other host is not isolated. So we configured the vnet firewall to block the traffic in the vnet, but this policy is not working. We have enabled nftables and rebooted all the VMs. I read a lot about this issue but did not find a solution to fix my issues. Has anybody an idea?

I don't like to use VM firewalls, because we already use physical edge firewalls, and otherwise I get 2 firewall configs to maintain.
 
How does your firewall status / configuration look exactly?

Code:
systemctl status proxmox-firewall
nft list ruleset
 
root@hm0-pve006:/# systemctl status proxmox-firewall
● proxmox-firewall.service - Proxmox nftables firewall
Loaded: loaded (/usr/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
Active: active (running) since Thu 2026-02-26 13:20:46 CET; 1 month 22 days ago
Invocation: 9fdbff0255f940b7aa0bed936fab33bf
Main PID: 1879 (proxmox-firewal)
Tasks: 1 (limit: 629145)
Memory: 5.5M (peak: 12.3M)
CPU: 1h 17min 16.424s
CGroup: /system.slice/proxmox-firewall.service
└─1879 /usr/libexec/proxmox/proxmox-firewall start

Notice: journal has been rotated since unit was started, output may be incomplete.
 
Can you save the following snippet as trace.nft:

Code:
#!/usr/sbin/nft -f
table bridge tracebridge
delete table bridge tracebridge

table bridge tracebridge {
    chain trace {
        meta l4proto icmp meta nftrace set 1
    }

    chain prerouting {
        type filter hook prerouting priority -350; policy accept;
        jump trace
    }

    chain postrouting {
        type filter hook postrouting priority -350; policy accept;
        jump trace
    }
}

Then make it executable via chmod +x trace.nft and run it once (./trace.nft).

You should then be able to trace pings via running
Code:
nft monitor trace

then ping from the VM once:

Code:
ping -c1 <IP OF ANOTHER VM>

And provide the output?

After everything is done, you can delete the trace chain via:
Code:
nft delete table bridge tracebridge


Can you also provide the VM configurations, as well as the SDN config?

Code:
cat /etc/pve/sdn/zones.cfg
cat /etc/pve/sdn/vnets.cfg
cat /etc/pve/sdn/subnets.cfg

qm config <VMID>
 
vlan: WPS
bridge vmbr1
ipam pve

vnet: WPSNL
zone WPS
isolate-ports 1
tag 1676

vnet: WPSBE
zone WPS
tag 3002

vnet: WPSUK
zone WPS
tag 3003

vnet: PUBLIC
zone WPS
alias WPS-Pulic-Subnet
tag 1813

subnet: WPS-192.168.233.0-24
vnet WPSNL
gateway 192.168.233.1


root@hm0-pve006:/# qm config 104
agent: 1
boot: order=scsi0;ide2;net0
cores: 1
cpu: x86-64-v2-AES
ide2: HM0_STCL02_N01_PER_PVEPOCVOL001:iso/debian-13.3.0-amd64-netinst__1_.iso,media=cdrom,size=754M
memory: 8192
meta: creation-qemu=10.1.2,ctime=1772142191
name: parkid-vandervalkvenlo
net0: virtio=BC:24:11:58:2F:12,bridge=WPSNL,firewall=1
numa: 0
ostype: l26
scsi0: HM0_STCL02_N01_PER_PVEPOCVOL001:104/vm-104-disk-0.qcow2,iothread=1,size=32G
scsihw: virtio-scsi-single
smbios1: uuid=1ce5dd86-6f6d-4dec-9e1b-21b2d2c7dc10
sockets: 2
vmgenid: 402885b6-2d4b-4686-83ae-e0260abaae8e
 
trace id 71b368df bridge proxmox-firewall-guests forward unknown rule handle 201205 (verdict jump bridge-WPSNL)
trace id 71b368df bridge proxmox-firewall-guests bridge-WPSNL unknown rule handle 201215 (verdict jump before-bridge)
trace id 71b368df bridge proxmox-firewall-guests before-bridge unknown rule handle 201204 (verdict accept)
trace id 71b368df inet proxmox-firewall forward packet: iif "WPSNL" oif "WPSNL" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id 71b368df inet proxmox-firewall forward unknown rule handle 276976 (verdict accept)
trace id 71b368df bridge tracebridge postrouting packet: oif "fwpr104p0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id 71b368df bridge tracebridge postrouting rule jump trace (verdict jump trace)
trace id 71b368df bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id 71b368df bridge tracebridge postrouting policy accept
trace id 71b368df bridge proxmox-firewall-guests vm-in packet: oif "fwpr104p0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id 71b368df bridge proxmox-firewall-guests vm-in unknown rule handle 201200 (verdict jump allow-icmp)
trace id 71b368df bridge proxmox-firewall-guests vm-in policy accept
trace id f5b3cfbc bridge tracebridge trace packet: iif "fwln104i0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id f5b3cfbc bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id f5b3cfbc bridge tracebridge prerouting policy accept
trace id f5b3cfbc bridge proxmox-firewall-guests vm-out packet: iif "fwln104i0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id f5b3cfbc bridge proxmox-firewall-guests vm-out unknown rule handle 201195 (verdict jump allow-icmp)
trace id f5b3cfbc bridge proxmox-firewall-guests vm-out policy accept
trace id f5b3cfbc bridge proxmox-firewall-guests forward packet: iif "fwln104i0" oif "tap104i0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id f5b3cfbc bridge proxmox-firewall-guests forward policy accept
trace id f5b3cfbc inet proxmox-firewall forward packet: iif "fwbr104i0" oif "fwbr104i0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id f5b3cfbc inet proxmox-firewall forward unknown rule handle 276976 (verdict accept)
trace id f5b3cfbc bridge tracebridge postrouting packet: oif "tap104i0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id f5b3cfbc bridge tracebridge postrouting rule jump trace (verdict jump trace)
trace id f5b3cfbc bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id f5b3cfbc bridge tracebridge postrouting policy accept
trace id f5b3cfbc bridge proxmox-firewall-guests vm-in packet: oif "tap104i0" ether saddr bc:24:11:72:6f:e3 ether daddr bc:24:11:58:2f:12 ip saddr 192.168.233.10 ip daddr 192.168.233.20 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 19094 ip protocol icmp ip length 60 icmp type echo-request icmp code 0 icmp id 1 icmp sequence 13432
trace id f5b3cfbc bridge proxmox-firewall-guests vm-in unknown rule handle 201200 (verdict jump allow-icmp)
trace id f5b3cfbc bridge proxmox-firewall-guests vm-in policy accept
trace id e3a73ddc bridge tracebridge trace packet: iif "tap104i0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id e3a73ddc bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id e3a73ddc bridge tracebridge prerouting policy accept
trace id e3a73ddc bridge proxmox-firewall-guests vm-out packet: iif "tap104i0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id e3a73ddc bridge proxmox-firewall-guests vm-out unknown rule handle 201195 (verdict jump allow-icmp)
trace id e3a73ddc bridge proxmox-firewall-guests vm-out policy accept
trace id e3a73ddc bridge proxmox-firewall-guests forward packet: iif "tap104i0" oif "fwln104i0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id e3a73ddc bridge proxmox-firewall-guests forward policy accept
trace id e3a73ddc inet proxmox-firewall forward packet: iif "fwbr104i0" oif "fwbr104i0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id e3a73ddc inet proxmox-firewall forward unknown rule handle 276976 (verdict accept)
trace id e3a73ddc bridge tracebridge postrouting packet: oif "fwln104i0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id e3a73ddc bridge tracebridge postrouting rule jump trace (verdict jump trace)
trace id e3a73ddc bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id e3a73ddc bridge tracebridge postrouting policy accept
trace id e3a73ddc bridge proxmox-firewall-guests vm-in packet: oif "fwln104i0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id e3a73ddc bridge proxmox-firewall-guests vm-in unknown rule handle 201200 (verdict jump allow-icmp)
trace id e3a73ddc bridge proxmox-firewall-guests vm-in policy accept
trace id 8a2a6309 bridge tracebridge trace packet: iif "fwpr104p0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id 8a2a6309 bridge tracebridge prerouting policy accept
trace id 8a2a6309 bridge proxmox-firewall-guests vm-out packet: iif "fwpr104p0" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 bridge proxmox-firewall-guests vm-out unknown rule handle 201195 (verdict jump allow-icmp)
trace id 8a2a6309 bridge proxmox-firewall-guests vm-out policy accept
trace id 8a2a6309 bridge proxmox-firewall-guests forward packet: iif "fwpr104p0" oif "vmbr1.1676" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 bridge proxmox-firewall-guests forward unknown rule handle 201205 (verdict jump bridge-WPSNL)
trace id 8a2a6309 bridge proxmox-firewall-guests bridge-WPSNL unknown rule handle 201215 (verdict jump before-bridge)
trace id 8a2a6309 bridge proxmox-firewall-guests before-bridge unknown rule handle 201204 (verdict accept)
trace id 8a2a6309 inet proxmox-firewall forward packet: iif "WPSNL" oif "WPSNL" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 inet proxmox-firewall forward unknown rule handle 276976 (verdict accept)
trace id 8a2a6309 bridge tracebridge postrouting packet: oif "vmbr1.1676" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 bridge tracebridge postrouting rule jump trace (verdict jump trace)
trace id 8a2a6309 bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id 8a2a6309 bridge tracebridge postrouting policy accept
trace id 8a2a6309 bridge proxmox-firewall-guests vm-in packet: oif "vmbr1.1676" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 bridge proxmox-firewall-guests vm-in unknown rule handle 201200 (verdict jump allow-icmp)
trace id 8a2a6309 bridge proxmox-firewall-guests vm-in policy accept
trace id 8a2a6309 bridge tracebridge postrouting packet: oif "bond3" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 vlan pcp 0 vlan dei 0 vlan id 1676 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 bridge tracebridge postrouting rule jump trace (verdict jump trace)
trace id 8a2a6309 bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id 8a2a6309 bridge tracebridge postrouting policy accept
trace id 8a2a6309 bridge proxmox-firewall-guests vm-in packet: oif "bond3" ether saddr bc:24:11:58:2f:12 ether daddr bc:24:11:72:6f:e3 vlan pcp 0 vlan dei 0 vlan id 1676 ip saddr 192.168.233.20 ip daddr 192.168.233.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 27099 ip protocol icmp ip length 60 icmp type echo-reply icmp code 0 icmp id 1 icmp sequence 13432
trace id 8a2a6309 bridge proxmox-firewall-guests vm-in unknown rule handle 201200 (verdict jump allow-icmp)
trace id 8a2a6309 bridge proxmox-firewall-guests vm-in policy accept
trace id 07581a6b bridge tracebridge trace packet: iif "bond0" ether saddr 0a:02:bb:99:14:92 ether daddr bc:24:11:ad:0c:a4 ip saddr 10.255.0.134 ip daddr 10.14.92.62 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 32477 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 20512 icmp sequence 2
trace id 07581a6b bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id 07581a6b bridge tracebridge prerouting policy accept
trace id 07581a6b bridge proxmox-firewall-guests vm-out packet: iif "bond0" ether saddr 0a:02:bb:99:14:92 ether daddr bc:24:11:ad:0c:a4 ip saddr 10.255.0.134 ip daddr 10.14.92.62 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 32477 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 20512 icmp sequence 2
trace id 07581a6b bridge proxmox-firewall-guests vm-out unknown rule handle 201195 (verdict jump allow-icmp)
trace id 07581a6b bridge proxmox-firewall-guests vm-out policy accept
trace id 07581a6b bridge proxmox-firewall-guests forward packet: iif "bond0" oif "tap100i0" ether saddr 0a:02:bb:99:14:92 ether daddr bc:24:11:ad:0c:a4 ip saddr 10.255.0.134 ip daddr 10.14.92.62 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 32477 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 20512 icmp sequence 2
trace id 07581a6b bridge proxmox-firewall-guests forward policy accept
trace id 07581a6b bridge tracebridge postrouting packet: oif "tap100i0" ether saddr 0a:02:bb:99:14:92 ether daddr bc:24:11:ad:0c:a4 ip saddr 10.255.0.134 ip daddr 10.14.92.62 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 32477 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 20512 icmp sequence 2
trace id 07581a6b bridge tracebridge postrouting rule jump trace (verdict jump trace)
trace id 07581a6b bridge tracebridge trace rule meta l4proto icmp meta nftrace set 1 (verdict continue)
trace id 07581a6b bridge tracebridge postrouting policy accept
trace id 07581a6b bridge proxmox-firewall-guests vm-in packet: oif "tap100i0" ether saddr 0a:02:bb:99:14:92 ether daddr bc:24:11:ad:0c:a4 ip saddr 10.255.0.134 ip daddr 10.14.92.62 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 32477 ip protocol icmp ip length 84 icmp type echo-request icmp code 0 icmp id 20512 icmp sequence 2
trace id 07581a6b bridge proxmox-firewall-guests vm-in unknown rule handle 201200 (verdict jump allow-icmp)
trace id 07581a6b bridge proxmox-firewall-guests vm-in policy accept
 
It seems like there are still firewall interfaces left over from the old firewall, which is most likely the culprit. Could you re-create the network interfaces by shutting the VMs down via the PVE Web UI and then starting them again? Alternatively you can migrate them away and then migrate them back. A reboot from inside the VM is not sufficient.
 
I rebooted everything; sometimes the block is working, and sometimes it does not work. I see on one host this firewall log:
0 7 bridge-WPSNL 20/Apr/2026:18:23:30 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19116 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13454
0 7 bridge-WPSNL 20/Apr/2026:18:23:35 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19117 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13455
0 7 bridge-WPSNL 20/Apr/2026:18:23:40 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19118 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13456
0 7 bridge-WPSNL 20/Apr/2026:18:23:45 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19119 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13457
0 7 bridge-WPSNL 20/Apr/2026:18:23:50 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19120 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13458
0 7 bridge-WPSNL 20/Apr/2026:18:23:58 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:e8:16:24:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=52240 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13459
0 7 bridge-WPSNL 20/Apr/2026:18:24:03 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:e8:16:24:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=52241 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13460
0 7 bridge-WPSNL 20/Apr/2026:18:24:30 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:e8:16:24:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=52242 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13463
0 7 bridge-WPSNL 20/Apr/2026:18:24:35 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:e8:16:24:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=52243 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13464
0 7 bridge-WPSNL 20/Apr/2026:18:24:40 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:e8:16:24:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=52244 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13465
0 7 bridge-WPSNL 20/Apr/2026:18:24:45 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:e8:16:24:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=52245 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13466
0 7 bridge-WPSNL 20/Apr/2026:18:24:50 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:e8:16:24:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=52246 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13467
0 7 bridge-WPSNL 20/Apr/2026:18:26:10 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19121 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13539
0 7 bridge-WPSNL 20/Apr/2026:18:26:15 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19122 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13540
0 7 bridge-WPSNL 20/Apr/2026:18:26:20 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19123 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13541
0 7 bridge-WPSNL 20/Apr/2026:18:26:25 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19124 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13542
0 7 bridge-WPSNL 20/Apr/2026:18:26:30 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19125 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13543
0 7 bridge-WPSNL 20/Apr/2026:18:26:35 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19126 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13544
0 7 bridge-WPSNL 20/Apr/2026:18:26:40 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19127 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13545
0 7 bridge-WPSNL 20/Apr/2026:18:26:45 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19128 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13546
0 7 bridge-WPSNL 20/Apr/2026:18:26:50 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19129 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13547
0 7 bridge-WPSNL 20/Apr/2026:18:26:55 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19130 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13548
0 7 bridge-WPSNL 20/Apr/2026:18:27:00 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19131 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13549
0 7 bridge-WPSNL 20/Apr/2026:18:27:05 +0200 DROP: IN=WPSNL OUT=WPSNL PHYSIN=tap101i0 PHYSOUT=vmbr1.1676 MAC=bc:24:11:58:2f:12:bc:24:11:72:6f:e3:08:00 SRC=192.168.233.10 DST=192.168.233.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19132 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=13550
 
I wrote a blog article covering this a while ago, maybe it helps: https://www.croit.io/blog/microsegmentation-with-proxmox-ve
 
Thanks for this link. When I changed the policy of the vnet firewall to drop, it seems to start working. I created the vnet firewall rules as in your document. I can ping the gateway, but all the outgoing internet traffic is blocked. The gateway is a virtual Palo Alto firewall, and in the traffic log I don't see the traffic, so the vnet firewall is blocking this traffic. When I create a firewall rule to allow outgoing traffic, then I also enable layer 3 traffic between the VMs in the same subnet.
 
Which rules did you add? The two mandatory marked rules allow the connection to the gateway only, but nothing more. Additional rules, e.g. to your DNS, proxy and so on, are required to allow this type of traffic.

Would you like to share the content of the following files?
Code:
/etc/pve/sdn/firewall/vnet/WPSNL.fw
/etc/pve/firewall/cluster.fw
And putting the output in code tags maintains readability.
 
cat WPSNL.fw

[OPTIONS]

policy_forward: DROP
enable: 1

[RULES]

|FORWARD ACCEPT -source +sdn/WPSNL-all -dest 0.0.0.0/0 -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-gateway -dest +sdn/WPSNL-all -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-all -dest +sdn/WPSNL-gateway -log nolog


cat /etc/pve/firewall/cluster.fw
[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -p tcp -dport 8006 -log nolog
IN ACCEPT -p icmp -log nolog
IN SSH(ACCEPT) -log nolog

[group wpsparking]

IN SSH(ACCEPT) -dest +sdn/WPSNL-all -log emerg
 
Do you just want to block traffic within the vnet but nothing else? Seems a bit broad to me.
You will need a separate rule which drops intra-vnet traffic, and it must be sorted above the rules which allow all traffic (the one which is disabled atm).
Something like this:
Code:
FORWARD DROP   -source +sdn/WPSNL-no-gateway -dest +sdn/WPSNL-no-gateway -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-all -dest 0.0.0.0/0      -log nolog


Code:
[group wpsparking]

IN SSH(ACCEPT) -dest +sdn/WPSNL-all -log emerg
Assuming you want to allow access via SSH to VMs in vnet WPSNL, this rule won't have the desired effect, as IN is for the PVE host, not the VM. Put this rule into the vnet firewall instead (with FWD).
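The ordering point made in this reply, as an added example that is not code from the thread or from Proxmox itself: a small Python lint that parses the [OPTIONS]/[RULES] layout of the vnet .fw file posted above and reports when the intra-vnet DROP rule is missing, disabled, or sorted below the broad ACCEPT. The ipset names +sdn/WPSNL-all and +sdn/WPSNL-no-gateway come from the thread; the two sample file bodies are constructed.

```python
"""Lint the rule order of a Proxmox VE vnet firewall file (/etc/pve/sdn/firewall/vnet/<vnet>.fw).

Added example, not Proxmox code. A leading '|' marks a disabled rule, as in the posted file.
The check: an enabled intra-vnet DROP must sit above any ACCEPT from <vnet>-all to 0.0.0.0/0,
because the first matching rule wins.
"""

# Constructed sample: the file as posted in the thread (broad ACCEPT disabled, no DROP rule).
FW_POSTED = """[OPTIONS]
policy_forward: DROP
enable: 1

[RULES]
|FORWARD ACCEPT -source +sdn/WPSNL-all -dest 0.0.0.0/0 -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-gateway -dest +sdn/WPSNL-all -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-all -dest +sdn/WPSNL-gateway -log nolog
"""

# Constructed sample: the same file with the DROP rule from the reply sorted first.
FW_FIXED = """[OPTIONS]
policy_forward: DROP
enable: 1

[RULES]
FORWARD DROP   -source +sdn/WPSNL-no-gateway -dest +sdn/WPSNL-no-gateway -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-all -dest 0.0.0.0/0      -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-gateway -dest +sdn/WPSNL-all -log nolog
FORWARD ACCEPT -source +sdn/WPSNL-all -dest +sdn/WPSNL-gateway -log nolog
"""


def parse_rule(line):
    """Turn one [RULES] line into a dict; '-key value' pairs become dict entries."""
    enabled = not line.startswith("|")
    tokens = line.lstrip("|").split()
    rule = {"enabled": enabled, "direction": tokens[0], "action": tokens[1]}
    for key, val in zip(tokens[2::2], tokens[3::2]):
        rule[key.lstrip("-")] = val
    return rule


def parse_fw(text):
    """Return (options dict, rules list in file order) from a .fw file body."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "options":
            key, _, val = line.partition(":")
            options[key.strip()] = val.strip()
        elif section == "rules":
            rules.append(parse_rule(line))
    return options, rules


def _matches(rule, action, source, dest):
    """True for an enabled FORWARD rule with exactly this action, source and dest."""
    return (rule["enabled"] and rule["direction"] == "FORWARD"
            and rule["action"] == action
            and rule.get("source") == source and rule.get("dest") == dest)


def check_isolation(text, vnet):
    """Return findings for a vnet .fw file; an empty list means the isolation rules are in order."""
    options, rules = parse_fw(text)
    no_gw, everyone = f"+sdn/{vnet}-no-gateway", f"+sdn/{vnet}-all"
    findings = []
    if options.get("enable") != "1":
        findings.append("vnet firewall is not enabled")
    if options.get("policy_forward", "ACCEPT").upper() != "DROP":
        findings.append("policy_forward is not DROP; unmatched forwarded traffic is allowed")
    drop_at = next((i for i, r in enumerate(rules)
                    if _matches(r, "DROP", no_gw, no_gw)), None)
    accept_at = next((i for i, r in enumerate(rules)
                      if _matches(r, "ACCEPT", everyone, "0.0.0.0/0")), None)
    if drop_at is None:
        findings.append(f"no enabled FORWARD DROP from {no_gw} to {no_gw}")
    elif accept_at is not None and accept_at < drop_at:
        findings.append("broad ACCEPT is sorted above the intra-vnet DROP; first match wins")
    return findings
```

Running check_isolation(FW_POSTED, "WPSNL") reports the missing DROP rule, while the fixed body returns no findings.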