Proxmox firewall does not show the source ip

soldin

Can someone tell me why the Proxmox firewall does not show the source IP? It only shows the IP of the node.
So I cannot create rules for a specific host. :(
 

It should... can you show us your network and firewall settings? (Especially custom iptables rules like masquerading)
 
Thanks for answering. :) The information follows.
My network has all public IPs, so I do not need NAT.

proxmoxnetwork.png

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
 

Could it be something related to this error?

# pve-firewall status

Use of uninitialized value in pattern match (m //) at /usr/share/perl5/PVE/Firewall.pm line 3385.
Status: enabled/running
 
Code:
MASQUERADE all -- anywhere anywhere
Is your VM 100 on vmbr1, and does it use routing? Because that iptables output shows you're masquerading all traffic, both ways... which is probably not what you want. You should at least include a source address: -s 192.168.15.0/23. (Also, does that subnet of 255.255.254.0 happen to be a typo? If so, /24 instead of /23.)
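
Added example, not part of the original posts: a small audit that lists POSTROUTING MASQUERADE rules with no source match, the condition pointed out in the reply above. The function name, the sample rule set and the 192.168.15.0/24 subnet are constructed for illustration; only the `-o vmbr0 -j MASQUERADE` rule comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list POSTROUTING MASQUERADE rules that
# have no source match. Such a rule rewrites the source of every packet leaving
# the interface, so the guest firewall logs only the node's IP.
# Real use: iptables -t nat -S POSTROUTING | find_unscoped_masquerade

# Reads `iptables -S` rule specs on stdin, prints each unscoped MASQUERADE
# rule, and returns 0 if at least one was found, 1 otherwise.
# A negated match (! -s ...) is treated as scoped; review those by hand.
find_unscoped_masquerade() {
    awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            masq = 0; scoped = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "MASQUERADE") masq = 1
                if ($i == "-s" || $i == "--source" || $i == "--src-range") scoped = 1
            }
            if (masq && !scoped) { print; found = 1 }
        }
        END { exit !found }
    '
}

# Constructed sample in `iptables -t nat -S` format. Rule 1 is the line from
# the tinc script in the thread; the others are made up for the demonstration.
sample_rules() {
    cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -o vmbr0 -j MASQUERADE
-A POSTROUTING -s 192.168.15.0/24 -o vmbr0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.15.10:80
EOF
}

# Demo run on the constructed sample: prints the two unscoped rules.
if sample_rules | find_unscoped_masquerade; then
    echo "WARNING: unscoped MASQUERADE rule(s) listed above" >&2
fi
```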
 
Thank you!! :D
I had not seen the line in the script for the tinc VPN cluster.

Code:
/sbin/iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE

The servers are not on the same network. I removed the rule, rebooted, and everything worked perfectly!

So one more thing: do you know how to remove this warning/error? o_O It appears on only one node.

# pve-firewall status

Use of uninitialized value in pattern match (m //) at /usr/share/perl5/PVE/Firewall.pm line 3385.
Status: enabled/running
 
Are your packages up to date? What's the output of
Code:
# pveversion -v