PVE Firewalls and SIP

[arubenstein]

I am having a very strange problem with firewalling a VM, which is a virtual PBX. I've spent a bit of time troubleshooting this and I simply cannot figure out what is happening. I consider myself pretty well-versed in PVE and FW, literally hundreds of VMs across a few clusters, many with complex firewall setups that work just fine. I've made this issue as basic as I can. This is a Linux VM with a VirtIO network card.

If the "Firewall" checkbox is NOT ticked on the network card, everything works fine. Calls in and out all day, no problems. Everything just works. When I tick that box, I immediately have issues sending SIP calls out from the VM to our provider. I've tried:

- Under Options, setting "Firewall" to "NO"
- Under Options, setting "Input Policy" and "Output Policy" to ACCEPT
- Adding rules with "out" and "in" set to "ACCEPT" (all IP)
- Adding rules with "out" and "in" and "Protocol UDP" to ACCEPT (all UDP)

Inbound calls from the SIP provider to the VM work fine, two-way audio is fine as well. It's just outbound calls that are of issue.

I am at a loss. any thoughts?

:tap150i0-IN - [0:0]
:tap150i0-OUT - [0:0]
-A PVEFW-FWBR-IN -m physdev --physdev-out tap150i0 --physdev-is-bridged -j tap150i0-IN
-A PVEFW-FWBR-OUT -m physdev --physdev-in tap150i0 --physdev-is-bridged -j tap150i0-OUT
-A tap150i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap150i0-IN -j ACCEPT
-A tap150i0-IN -m comment --comment "PVESIG:OFdXzqXcwmyj0szvDL/e5fRT+nI"
-A tap150i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap150i0-OUT -m mac ! --mac-source 4e:62:60:5f:93:de -j DROP
-A tap150i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A tap150i0-OUT -m limit --limit 1/sec -j NFLOG --nflog-prefix ":150:1:tap150i0-OUT: ACCEPT: "
-A tap150i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap150i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A tap150i0-OUT -m comment --comment "PVESIG:DIY5MgeZA0+FJEjKMorU7Qunr1Q"