[SOLVED] Proxmox Firewall and Hetzner vSwitch - VLAN

mnws · Oct 23, 2019

Hi,

We have a cluster with two servers @ hetzner. Each one with it's uplink for WAN, let's say eno3 on each one.
We also have another two interfaces connected to a switch, so each server will communicate to each other over the LAN.

eno3 --- bridge --> vmbr0 (WAN Internet access)
eno 1 & eno2 -- connected to switch ---> bond0 on proxmox server (active-backup)
vmbr1 --> bridge for bond0 -- access to LAN

We also have a vSwitch from Hetzner with a /29 subnet IPs associated over a VLAN (first ip from /29 is the gateway from Hetzner -- different from the main IP which is on eno3 interface).

We configured eno3.VLANID interface with no IP address on it and then created vmbr2 (no ip address assigned) bridge for eno3.VLAN

On one of our VM created on the Host, we added an interface eno1 -- from vmbr2 and assigned a public IP address from that /29 subnet.
Everything is working well, we are able to access the internet from the VM with that IP, and we can be reached from the internet using that IP.

The problem is when we try to enable the Firewall from Proxmox interface, we can be accesed from outside, but we're not able to access anything outside from that VM.

We tried the following:
1.1. Enable Firewall on Data center:
Input Policy: DROP
Output Policy: ACCEPT
1.2. Enable Firewall on host level:
1.3. Enable Firewall on VM interface:
Input Policy: DROP
Output Policy: ACCEPT
Using this config we're unable to access the VM from outside (which should be ok), but we are also not able to access the internet from the VM.

The second test we made was:
Input Policy: ACCEPT on all levels (datacenter, VM)
Output Policy: ACCEPT on all levels.

We can be accessed from the internet, but we are still unable to access the internet from VM.

After reading some other posts on this forum, I tried to disable ebtables and reboot the host..but the results are still the same.

We installed proxmox using the Proxmox VE 6.0 ISO Installer.

/etc/network/interfaces

Code:

auto lo
iface lo inet loopback

auto eno3
iface eno3 inet manual

iface eno4 inet manual

iface eno1 inet manual

iface eno2 inet manual

auto eno3.4010
iface eno3.4010 inet manual

auto bond0
iface bond0 inet manual
    bond-slaves eno1 eno2
    bond-miimon 100
    bond-mode active-backup
#active-backup 10G

auto vmbr0
iface vmbr0 inet static
    address  XX.XX.XX.170
    netmask  25
    gateway  XX.XX.XX.129
    bridge-ports eno3
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
#WAN Interface

auto vmbr1
iface vmbr1 inet static
    address  YY.YY.YY.10
    netmask  24
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
#LAN Interface

auto vmbr2
iface vmbr2 inet manual
    bridge-ports eno3.4010
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
#VLAN Interface for vSwitch

Anyone any ideea ?
Thanks in advance!

mnws · Oct 23, 2019

This is the output of pve-firewall compile
first part:

Code:

ipset cmdlist:

exists PVEFW-0-management-v4 (x6Efc3RddK7x3fujaWNAqO/HTL8)

    create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64

    add PVEFW-0-management-v4 YY.YY.YY.0/24

exists PVEFW-0-management-v6 (H5WO/Pkuyz4e7OLB2uiMpG0Bsn0)

    create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64

exists PVEFW-100-ipfilter-net0-v4 (dUO9lc2tLZZK5TxfoPrblDRgzwU)

    create PVEFW-100-ipfilter-net0-v4 hash:net family inet hashsize 64 maxelem 64

exists PVEFW-100-ipfilter-net0-v6 (Roikozp8HoOmPXXrSUa45k/m28A)

    create PVEFW-100-ipfilter-net0-v6 hash:net family inet6 hashsize 64 maxelem 64

    add PVEFW-100-ipfilter-net0-v6 fe80::/10 nomatch

    add PVEFW-100-ipfilter-net0-v6 fe80::65:d2ff:fe1c:ba1



pve-firewall compile

iptables cmdlist:

exists PVEFW-Drop (WDy2wbFe7jNYEyoO3QhUELZ4mIQ)

    -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject

    -A PVEFW-Drop  -j PVEFW-DropBroadcast

    -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT

    -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT

    -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP

    -A PVEFW-Drop -p udp --dport 137:139 -j DROP

    -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP

    -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP

    -A PVEFW-Drop -p udp --dport 1900 -j DROP

    -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

    -A PVEFW-Drop -p udp --sport 53 -j DROP

exists PVEFW-DropBroadcast (NyjHNAtFbkH7WGLamPpdVnxHy4w)

    -A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP

    -A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP

    -A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP

    -A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP

exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)

    -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN

    -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT

exists PVEFW-FWBR-IN (/naDZxJ06t8Dx9DQtmus9NvdHEA)

    -A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs

    -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN

exists PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)

    -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT

exists PVEFW-HOST-IN (QFCdciKfOtGrRfMSaYm0RffXq3w)

    -A PVEFW-HOST-IN -i lo -j ACCEPT

    -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    -A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs

    -A PVEFW-HOST-IN -p igmp -j RETURN

    -A PVEFW-HOST-IN -s 0.0.0.0/0 -d 0.0.0.0/0 -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN

    -A PVEFW-HOST-IN -d YY.YY.YY.10 -s YY.YY.YY.20 -p udp --dport 5404:5405 -j RETURN

    -A PVEFW-HOST-IN -d YY.YY.YY.10 -s YY.YY.YY.30 -p udp --dport 5404:5405 -j RETURN

    -A PVEFW-HOST-IN  -j RETURN

exists PVEFW-HOST-OUT (LdKqjeOI5BQ6+vWyM2XLKMFqbJY)

    -A PVEFW-HOST-OUT -o lo -j ACCEPT

    -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    -A PVEFW-HOST-OUT -p igmp -j RETURN

    -A PVEFW-HOST-OUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j RETURN

    -A PVEFW-HOST-OUT -d YY.YY.YY.0/24 -p tcp --dport 8006 -j RETURN

    -A PVEFW-HOST-OUT -d YY.YY.YY.0/24 -p tcp --dport 22 -j RETURN

    -A PVEFW-HOST-OUT -d YY.YY.YY.0/24 -p tcp --dport 5900:5999 -j RETURN

    -A PVEFW-HOST-OUT -d YY.YY.YY.0/24 -p tcp --dport 3128 -j RETURN

    -A PVEFW-HOST-OUT -s YY.YY.YY.10 -d YY.YY.YY.20 -p udp --dport 5404:5405 -j RETURN

    -A PVEFW-HOST-OUT -s YY.YY.YY.10 -d YY.YY.YY.30 -p udp --dport 5404:5405 -j RETURN

    -A PVEFW-HOST-OUT  -j RETURN

exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)

    -A PVEFW-INPUT -j PVEFW-HOST-IN

exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)

    -A PVEFW-OUTPUT -j PVEFW-HOST-OUT

exists PVEFW-Reject (CZJnIN6rAdpu+ej59QPr9+laMUo)

    -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject

    -A PVEFW-Reject  -j PVEFW-DropBroadcast

    -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT

    -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT

    -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject

    -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject

    -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject

    -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject

    -A PVEFW-Reject -p udp --dport 1900 -j DROP

    -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

    -A PVEFW-Reject -p udp --sport 53 -j DROP

exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)

    -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000

exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)

    -A PVEFW-logflags  -j DROP

exists PVEFW-reject (Jlkrtle1mDdtxDeI9QaDSL++Npc)

    -A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP

    -A PVEFW-reject -s 224.0.0.0/4 -j DROP

    -A PVEFW-reject -p icmp -j DROP

    -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset

    -A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable

    -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable

    -A PVEFW-reject  -j REJECT --reject-with icmp-host-prohibited

exists PVEFW-smurflog (2gfT1VMkfr0JL6OccRXTGXo+1qk)

    -A PVEFW-smurflog  -j DROP

exists PVEFW-smurfs (HssVe5QCBXd5mc9kC88749+7fag)

    -A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN

    -A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog

    -A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog

exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags

exists tap100i0-IN (otk+O7vzcmn0T7Fm0FaEkkYwq5k)

    -A tap100i0-IN -p udp --sport 67 --dport 68 -j ACCEPT

    -A tap100i0-IN -s 0.0.0.0/0 -j ACCEPT

    -A tap100i0-IN -s YY.YY.YY.0/24 -j ACCEPT

    -A tap100i0-IN  -j ACCEPT

exists tap100i0-OUT (i+IbZThxlIWiOeazuAEfjS3nrn4)

    -A tap100i0-OUT -p udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK

    -A tap100i0-OUT -m mac ! --mac-source 02:65:ZZ:ZZ:ZZ:ZZ -j DROP

    -A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP

    -A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000

    -A tap100i0-OUT  -g PVEFW-SET-ACCEPT-MARK

mnws · Oct 23, 2019

and the second part

Code:

ip6tables cmdlist:

exists PVEFW-Drop (Jb79Uw7z1vZglIcV7QXA5uY/nbk)

    -A PVEFW-Drop -p tcp --dport 43 -j PVEFW-reject

    -A PVEFW-Drop  -j PVEFW-DropBroadcast

    -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT

    -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT

    -A PVEFW-Drop -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT

    -A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-Drop -p udp --match multiport --dports 135,445 -j DROP

    -A PVEFW-Drop -p udp --dport 137:139 -j DROP

    -A PVEFW-Drop -p udp --sport 137 --dport 1024:65535 -j DROP

    -A PVEFW-Drop -p tcp --match multiport --dports 135,139,445 -j DROP

    -A PVEFW-Drop -p udp --dport 1900 -j DROP

    -A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

    -A PVEFW-Drop -p udp --sport 53 -j DROP

exists PVEFW-DropBroadcast (8Krk5Nh8pDZOOc7BQAbM6PlyFSU)

    -A PVEFW-DropBroadcast -d ff00::/8 -j DROP

exists PVEFW-FORWARD (qnNexOcGa+y+jebd4dAUqFSp5nw)

    -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-in fwln+ -j PVEFW-FWBR-IN

    -A PVEFW-FORWARD -m physdev --physdev-is-bridged --physdev-out fwln+ -j PVEFW-FWBR-OUT

exists PVEFW-FWBR-IN (wjGAwD1weFxDIbPrFybsxrVCysU)

    -A PVEFW-FWBR-IN -m physdev --physdev-is-bridged --physdev-out tap100i0 -j tap100i0-IN

exists PVEFW-FWBR-OUT (wA3mj3VIKyC/rlY95PCFN7paR5s)

    -A PVEFW-FWBR-OUT -m physdev --physdev-is-bridged --physdev-in tap100i0 -j tap100i0-OUT

exists PVEFW-HOST-IN (UhuVO/gntMD/m956wVkmfSZOK28)

    -A PVEFW-HOST-IN -i lo -j ACCEPT

    -A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-solicitation -j RETURN

    -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type router-advertisement -j RETURN

    -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN

    -A PVEFW-HOST-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN

    -A PVEFW-HOST-IN -p igmp -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN

    -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN

    -A PVEFW-HOST-IN  -j RETURN

exists PVEFW-HOST-OUT (br2bPbA9ZjuHOMNhV8tfLRw1mAs)

    -A PVEFW-HOST-OUT -o lo -j ACCEPT

    -A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type router-solicitation -j RETURN

    -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -j RETURN

    -A PVEFW-HOST-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -j RETURN

    -A PVEFW-HOST-OUT -p igmp -j RETURN

    -A PVEFW-HOST-OUT  -j RETURN

exists PVEFW-INPUT (+5iMmLaxKXynOB/+5xibfx7WhFk)

    -A PVEFW-INPUT -j PVEFW-HOST-IN

exists PVEFW-OUTPUT (LjHoZeSSiWAG3+2ZAyL/xuEehd0)

    -A PVEFW-OUTPUT -j PVEFW-HOST-OUT

exists PVEFW-Reject (aL1nrxJk/u3XmTb3Am2eaM/3yCM)

    -A PVEFW-Reject -p tcp --dport 43 -j PVEFW-reject

    -A PVEFW-Reject  -j PVEFW-DropBroadcast

    -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -j ACCEPT

    -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type time-exceeded -j ACCEPT

    -A PVEFW-Reject -p icmpv6 -m icmpv6 --icmpv6-type packet-too-big -j ACCEPT

    -A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP

    -A PVEFW-Reject -p udp --match multiport --dports 135,445 -j PVEFW-reject

    -A PVEFW-Reject -p udp --dport 137:139 -j PVEFW-reject

    -A PVEFW-Reject -p udp --sport 137 --dport 1024:65535 -j PVEFW-reject

    -A PVEFW-Reject -p tcp --match multiport --dports 135,139,445 -j PVEFW-reject

    -A PVEFW-Reject -p udp --dport 1900 -j DROP

    -A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP

    -A PVEFW-Reject -p udp --sport 53 -j DROP

exists PVEFW-SET-ACCEPT-MARK (Hg/OIgIwJChBUcWU8Xnjhdd2jUY)

    -A PVEFW-SET-ACCEPT-MARK  -j MARK --set-mark 0x80000000/0x80000000

exists PVEFW-logflags (MN4PH1oPZeABMuWr64RrygPfW7A)

    -A PVEFW-logflags  -j DROP

exists PVEFW-reject (etEECUYcgUdzuuO+LDP83pu0S8Y)

    -A PVEFW-reject -p icmpv6 -j DROP

    -A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset

    -A PVEFW-reject -p udp -j REJECT --reject-with icmp6-port-unreachable

    -A PVEFW-reject  -j REJECT --reject-with icmp6-adm-prohibited

exists PVEFW-tcpflags (CMFojwNPqllyqD67NeI5m+bP5mo)

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags

    -A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags

exists tap100i0-IN (LARAytZtaYqk01PSUfaYSZ4rtJk)

    -A tap100i0-IN -p udp --sport 547 --dport 546 -j ACCEPT

    -A tap100i0-IN -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT

    -A tap100i0-IN -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT

    -A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT

    -A tap100i0-IN -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT

    -A tap100i0-IN  -j ACCEPT

exists tap100i0-OUT (tckraBUar8UnM6Lm0A4jrw+3AwI)

    -A tap100i0-OUT -p udp --sport 546 --dport 547 -g PVEFW-SET-ACCEPT-MARK

    -A tap100i0-OUT -m mac ! --mac-source 02:65:RR:RR:RR:RR -j DROP

    -A tap100i0-OUT -p icmpv6 --icmpv6-type router-advertisement -j DROP

    -A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v6 src -j DROP

    -A tap100i0-OUT -j MARK --set-mark 0x00000000/0x80000000

    -A tap100i0-OUT -p icmpv6 --icmpv6-type router-solicitation -g PVEFW-SET-ACCEPT-MARK

    -A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-solicitation -g PVEFW-SET-ACCEPT-MARK

    -A tap100i0-OUT -p icmpv6 --icmpv6-type neighbor-advertisement -g PVEFW-SET-ACCEPT-MARK

    -A tap100i0-OUT  -g PVEFW-SET-ACCEPT-MARK



ebtables cmdlist:

ignore FORWARD (2jmj7l5rSw0yVb/vlWAYkK/YBwk)

ignore INPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)

ignore OUTPUT (2jmj7l5rSw0yVb/vlWAYkK/YBwk)

no changes

mnws · Oct 24, 2019

Moderator can close this thread. There was a misconfiguration on the testing vm.
No Proxmox issue.

Thanks.

Stoiko Ivanov · Oct 24, 2019

You can mark the thread as 'SOLVED' yourself (klick on edit thread above the first post and select the 'SOLVED' prefix.

Just for next time - I'll gladly mark this one as solved

Search

Search

[SOLVED] Proxmox Firewall and Hetzner vSwitch - VLAN

mnws

New Member

mnws

New Member

mnws

New Member

mnws

New Member

Stoiko Ivanov

Proxmox Staff Member

We value your privacy