Hi,
on a PVE 7.4 cluster, with vmbr0 (vlan aware, stp off), connected to bond0 (2 physical interfaces), with firewall enabled at the cluster level, I have an issue when first opening connections.
a VM protected (100) has a firewall policy in REJECT (so that connection errors are explicit)
a VM client (159) on the same host has no firewall enabled and tries to reach server (a service outside the cluster)
Here is what happens:
on a PVE 7.4 cluster, with vmbr0 (vlan aware, stp off), connected to bond0 (2 physical interfaces), with firewall enabled at the cluster level, I have an issue when first opening connections.
a VM protected (100) has a firewall policy in REJECT (so that connection errors are explicit)
a VM client (159) on the same host has no firewall enabled and tries to reach server (a service outside the cluster)
Here is what happens:
- after some inactivity, when the connection from client to server is attempted the client gets connection refused.
Observing with tcpdump -a any, I see the SYN packet to open the connection on client's tap159i0, then on bond0, then on physical interface enp25s0f1np1.
This is all well and good. - But I also see the SYN packet duplicated on all other interfaces connected to the bridge.
In particular it is sent to the protected interface fwpr100p0 then fwln100i0.
The REJECT rule creates a TCP RST packet by the firewall on the protected interface. - The REJECT packet arrives to the client and it severs the connection.
- Then the SYN,ACK from the actual server arrives, but it's too late, the connection is closed, so the client emits a RST.
- should I never use input policy REJECT on VMs and always specify the destination address if I want a REJECT rule?
- should I disable MAC learning on bridge vmbr0?
- is it some bug in a (combination of) version(s) and upgrading will solve it?
