PVE firewall on cluster level blocks incoming traffic from VPSes on the same hypervisor

pschonmann

Member
Sep 9, 2021
Hi, I have a strange problem.
On hypervisor 1 I have this config in /etc/pve/firewall/cluster.fw:

Code:
[OPTIONS]
enable: 1
ebtables: 1

[IPSET custom_ips_allow]
5.182.XXX.0/24 # NETWORK-infrastructure
5.182.YYY.0/24 # NETWORK-smtp1


[RULES]
IN ACCEPT -source +custom_ips_allow -log debug

There are some VPSes on this hypervisor.
VPS1 has one iface:
virtio1 (public IP)
virtio1 has an IP from range 5.182.XXX.0

VPS2 has two ifaces:
virtio1 + virtio2 (both have a public IP)
virtio1 has an IP from range 5.182.XXX.0
virtio2 has an IP from range 5.182.YYY.0

When the firewall is turned off on cluster level (we have no cluster, only one node), everything works fine.
But when the FW is on, I'm not able to ping from VPS1 to the VPS2 virtio2 iface (virtio1 is fine).
Other IPs from a remote site can ping and connect to VPS2 virtio2 fine in both cases.

Here are the PVE versions:
Code:
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-4 (running version: 7.2-4/ca9d43cc)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.11: 7.0-10
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: residual config
ifupdown2: 3.1.0-1+pmx3
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.1-8
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-1
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-2
libpve-storage-perl: 7.2-4
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.1-1
proxmox-backup-file-restore: 2.2.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-2
pve-qemu-kvm: 6.2.0-7
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1