Hello all,
we operate a proxmox cluster with 3 nodes. The network settings look like this on all 3 nodes:
As you see, the bridge is VLAN aware. We need this because some of our machines need access to more than 32 VLANs, but we cannot add more than 32 NICs.
So the VMs then have 1 interface without a VLAN tag on vmbr0 in Proxmox and further VLAN interfaces are then created within the VM.
Until now we did not touch any MTU settings. So VM adapters, Bridges etc. are all on default values.
With pve-firewall disabled, sending big packets works without any issues.
Code:
ping -s 1600 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 1600 data bytes
1608 bytes from 192.168.0.1: icmp_seq=0 ttl=63 time=30.469 ms
1608 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=37.518 ms
1608 bytes from 192.168.0.1: icmp_seq=2 ttl=63 time=29.932 ms
Now the problem. When we enable pve-firewall, this ping is not working. The ping is done from a physical pfSense that is connected via WireGuard to a virtual pfSense inside of Proxmox.
The maximum working ping size is now 1412 bytes (+ 8 bytes overhead).
This means that the pve-firewall immediately stops all network traffic that is fragmented. However, we need the pve-firewall for microsegmentation of the servers.
Does anyone have a suggestion on how we can get the pve firewall to work and not have problems with fragmented packets?
There is no hint on the manpage (https://pve.proxmox.com/wiki/Firewall) that this breaks fragmented packets.
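A constructed model of the overhead arithmetic behind the 1412-byte figure above (added here as an illustration; not code from the original post, from Proxmox or from pfSense). It assumes WireGuard over IPv4/UDP, a 1500-byte MTU on the physical link, minimal IP headers and that the tunnel MTU itself is not the limiting factor; under those assumptions 1412 is exactly the largest echo payload whose encapsulated packet still fits one frame, and anything larger leaves the NIC as IPv4 fragments whose non-first pieces carry no UDP header for a filter to match on.

```python
# Constants from the IPv4/UDP/ICMP headers and the WireGuard data-message format.
# The link MTU and outer address family are assumptions, not stated in the post.
IPV4_HDR = 20          # minimal IPv4 header, no options
IPV6_HDR = 40
UDP_HDR = 8
ICMP_HDR = 8           # echo request/reply header; ping -s counts bytes after it
WG_DATA_HDR = 16       # type(4) + receiver index(4) + nonce counter(8)
WG_AUTH_TAG = 16       # Poly1305 tag on the ChaCha20-Poly1305 payload


def wg_overhead(outer_ip="ipv4"):
    """Bytes WireGuard wraps around an inner packet: outer IP + UDP + WG header + tag."""
    outer = IPV4_HDR if outer_ip == "ipv4" else IPV6_HDR
    return outer + UDP_HDR + WG_DATA_HDR + WG_AUTH_TAG


def max_icmp_payload(link_mtu=1500, outer_ip="ipv4"):
    """Largest `ping -s` value whose encapsulated packet still fits in one link frame."""
    inner_mtu = link_mtu - wg_overhead(outer_ip)
    return inner_mtu - IPV4_HDR - ICMP_HDR


def ipv4_fragments(total_len, link_mtu=1500):
    """Split an IPv4 packet of total_len bytes into (offset, length, more_fragments)
    tuples as a sender or router would; offsets are in 8-byte units as on the wire."""
    payload = total_len - IPV4_HDR
    if payload <= link_mtu - IPV4_HDR:
        return [(0, total_len, False)]
    per_frag = (link_mtu - IPV4_HDR) // 8 * 8   # fragment data must be a multiple of 8
    frags, off = [], 0
    while off < payload:
        chunk = min(per_frag, payload - off)
        frags.append((off // 8, IPV4_HDR + chunk, off + chunk < payload))
        off += chunk
    return frags


def encapsulated_fragments(icmp_payload, link_mtu=1500):
    """Outer WireGuard-over-IPv4 packet(s) for one echo of icmp_payload bytes as they
    leave the physical NIC. Only the first fragment contains the UDP header."""
    inner = IPV4_HDR + ICMP_HDR + icmp_payload
    outer = inner + wg_overhead("ipv4")
    return ipv4_fragments(outer, link_mtu)


if __name__ == "__main__":
    print("max unfragmented ping -s:", max_icmp_payload())            # 1412
    for size in (1412, 1413, 1600):                                    # the post's sizes
        print(size, encapsulated_fragments(size))
```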