Received packet on fwln interface with own address as source address

kristian.kirilov

Hello,
I know this topic has already been discussed thousands of times here in the forum, but it seems that my issue is somehow different..
The moment I activate a firewall interface for any of my guests I start receiving so called "alarms" like this one:

Bash:
Oct 01 10:19:26 proxmox-node-1.home.lan kernel: fwbr121i0: received packet on fwln121o0 with own address as source address (addr:0e:ae:47:f8:df:6e, vlan:0)
Oct 01 10:19:26 proxmox-node-1.home.lan kernel: fwbr114i0: received packet on fwln114o0 with own address as source address (addr:06:a4:b4:da:0b:6c, vlan:0)
Oct 01 10:19:26 proxmox-node-1.home.lan kernel: fwbr111i0: received packet on fwln111o0 with own address as source address (addr:1e:ab:e1:b7:f7:a3, vlan:0)
Oct 01 10:19:26 proxmox-node-1.home.lan kernel: fwbr112i0: received packet on fwln112o0 with own address as source address (addr:5e:0e:9e:25:64:4d, vlan:0)
Oct 01 10:19:31 proxmox-node-1.home.lan kernel: fwbr121i0: received packet on fwln121o0 with own address as source address (addr:0e:ae:47:f8:df:6e, vlan:0)
Oct 01 10:19:31 proxmox-node-1.home.lan kernel: fwbr114i0: received packet on fwln114o0 with own address as source address (addr:06:a4:b4:da:0b:6c, vlan:0)
Oct 01 10:19:31 proxmox-node-1.home.lan kernel: fwbr111i0: received packet on fwln111o0 with own address as source address (addr:1e:ab:e1:b7:f7:a3, vlan:0)
Oct 01 10:19:31 proxmox-node-1.home.lan kernel: fwbr112i0: received packet on fwln112o0 with own address as source address (addr:5e:0e:9e:25:64:4d, vlan:0)
Oct 01 10:19:36 proxmox-node-1.home.lan kernel: fwbr121i0: received packet on fwln121o0 with own address as source address (addr:0e:ae:47:f8:df:6e, vlan:0)
Oct 01 10:19:36 proxmox-node-1.home.lan kernel: fwbr114i0: received packet on fwln114o0 with own address as source address (addr:06:a4:b4:da:0b:6c, vlan:0)
Oct 01 10:19:36 proxmox-node-1.home.lan kernel: fwbr111i0: received packet on fwln111o0 with own address as source address (addr:1e:ab:e1:b7:f7:a3, vlan:0)
Oct 01 10:19:36 proxmox-node-1.home.lan kernel: fwbr112i0: received packet on fwln112o0 with own address as source address (addr:5e:0e:9e:25:64:4d, vlan:0)

What I'm trying to say is that it is not related to the physical interfaces but to the virtual ones - fwln(VMID)i/o - which means the in and out interface for that particular VM/CT.
So I don't suppose network misconfiguration or something like that.. but maybe I'm wrong.
Any help is appreciated.
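
Added example (not part of the original post and not Proxmox code): a small triage script for the kernel messages quoted above, grouping them by firewall bridge, guest ID and MAC and reporting how often each one repeats. It assumes the `fwbr<VMID>i<N>` / `fwln<VMID>o<N>` device naming visible in those log lines and prepends a fixed year because the syslog timestamps carry none; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: five lines copied from the post plus one constructed unrelated line.
SAMPLE_LOG = """\
Oct 01 10:19:26 proxmox-node-1.home.lan kernel: fwbr121i0: received packet on fwln121o0 with own address as source address (addr:0e:ae:47:f8:df:6e, vlan:0)
Oct 01 10:19:26 proxmox-node-1.home.lan kernel: fwbr114i0: received packet on fwln114o0 with own address as source address (addr:06:a4:b4:da:0b:6c, vlan:0)
Oct 01 10:19:31 proxmox-node-1.home.lan kernel: fwbr121i0: received packet on fwln121o0 with own address as source address (addr:0e:ae:47:f8:df:6e, vlan:0)
Oct 01 10:19:31 proxmox-node-1.home.lan kernel: fwbr114i0: received packet on fwln114o0 with own address as source address (addr:06:a4:b4:da:0b:6c, vlan:0)
Oct 01 10:19:36 proxmox-node-1.home.lan kernel: fwbr121i0: received packet on fwln121o0 with own address as source address (addr:0e:ae:47:f8:df:6e, vlan:0)
Oct 01 10:19:37 proxmox-node-1.home.lan kernel: constructed unrelated message
"""

# Matches the bridge warning; tolerates an optional "[uptime]" prefix after "kernel:".
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+(?:\[[^\]]*\]\s*)?"
    r"(?P<bridge>\S+): received packet on (?P<port>\S+) with own address as "
    r"source address \(addr:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), vlan:(?P<vlan>\d+)\)"
)
# Assumed naming, taken from the log lines: fwbr<VMID>i<N> and fwln<VMID>o<N>.
FWDEV_RE = re.compile(r"^fw(?:br|ln)(\d+)[io]\d+$")

def vmid_of(dev):
    """Return the guest ID embedded in a firewall device name, or None."""
    m = FWDEV_RE.match(dev)
    return int(m.group(1)) if m else None

def summarize(text):
    """Group warnings by (bridge, port, MAC, VLAN); report count and repeat gaps."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a "own address as source address" warning
        # Fixed year is an assumption; it is only used to compute time deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        groups[(m["bridge"], m["port"], m["mac"], int(m["vlan"]))].append(ts)
    report = []
    for (bridge, port, mac, vlan), stamps in sorted(groups.items()):
        stamps.sort()
        gaps = sorted({int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])})
        vmid = vmid_of(bridge)
        report.append({"vmid": vmid, "same_guest": vmid is not None and vmid == vmid_of(port),
                       "bridge": bridge, "port": port, "mac": mac, "vlan": vlan,
                       "count": len(stamps), "gaps_s": gaps})
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A single, constant value in `gaps_s` indicates a periodic sender rather than sporadic traffic, and `same_guest` confirms that the bridge and the port it complains about belong to the same guest's firewall devices.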
 

dcsapak

Proxmox Staff Member
can you post your network config?
 

kristian.kirilov

Sure, nothing special from my point of view.
Here it is:

netconf_node_1.JPG

A brief explanation: I have 3 physical interfaces. eth0 is set as a trunk port which allows all VLANs except VLAN 35, which is set as native (because I have shared this between the OS and management); eth1 and eth0 allow all VLANs and are part of a LAGG, which is configured to talk over LACP.

Here is the configuration from switch perspective:

netconf_switch_eth0.JPG

netconf_switch_eth1_and_eth2.JPG
netconf_unifi_port_profiles.JPG

If additional information is needed, just ping me back.
Thanks in advance.
 

dcsapak

Proxmox Staff Member
sorry, it seems i missed your answer...

what does the network config look like inside the VMs (the ones popping up in the log)?
do the VMs have multiple network interfaces?
 

kristian.kirilov

No, only 1 interface in place.

Code:
root@proxmox-node-1.home.lan:~# cat /etc/pve/lxc/121.conf
#SERV%3A DNS, PIHOLE, LLDP, SNMP, LIGHTHTTP, POSTFIX, NRPE, PUPPET
#IP%3A 192.168.10.5
#VLAN%3A 310
#PAT%3A NONE
arch: amd64
cores: 2
hostname: pihole.home.lan
memory: 768
nameserver: 192.168.0.7 192.168.0.17
net0: name=eth0,bridge=vmbr1,gw=192.168.10.254,hwaddr=12:34:56:F6:B2:72,ip=192.168.10.5/24,tag=310,type=veth
ostype: debian
protection: 1
rootfs: zpool-ssd-02:subvol-121-disk-0,size=8G
searchdomain: home.lan
swap: 512
unprivileged: 1
root@proxmox-node-1.home.lan:~# cat /etc/pve/lxc/114.conf
#SERV%3A OCS INVENTORY, LLDP, NRPE, SNMP, PUPPET, MUNIN
#IP%3A 192.168.0.19
#VLAN%3A 30
#PAT%3A NONE
arch: amd64
cores: 1
hostname: inventory.home.lan
memory: 512
nameserver: 192.168.0.17 192.168.0.7
net0: name=eth0,bridge=vmbr1,gw=192.168.0.1,hwaddr=12:34:56:B0:22:32,ip=192.168.0.19/24,tag=30,type=veth
ostype: debian
rootfs: zpool-ssd-02:subvol-114-disk-0,size=8G
searchdomain: home.lan
swap: 512
unprivileged: 1
root@proxmox-node-1.home.lan:~# cat /etc/pve/qemu-server/111.conf
#SERV%3A GITLAB, POSTGRESQL, LLDP, NRPE, SNMP, PUPPET, POSTFIX
#IP%3A 192.168.0.21
#VLAN%3A 30
#PAT%3A NONE
agent: 1
boot: order=virtio0;ide2;net0
cores: 2
cpu: host
ide2: none,media=cdrom
memory: 3072
name: behemoth.home.lan
net0: virtio=12:34:56:69:ED:70,bridge=vmbr1,tag=30
numa: 0
ostype: l26
scsihw: virtio-scsi-pci
serial0: socket
smbios1: uuid=21bcc491-27a8-4195-8772-1373b7db83e3
sockets: 1
virtio0: zpool-ssd-02:vm-111-disk-0,cache=writeback,size=24G
vmgenid: 7d086a51-865b-4bf9-891c-f444a0d17fc1
root@proxmox-node-1.home.lan:~#

In my humble opinion, the issue is somewhere in these special devices which the firewall creates, "i" as input interface and "o" as output.
If I disable the firewall for a particular VM, no errors in the log.

Also, these errors are shown in the host OS, not inside the VMs or containers.

As mentioned above I use OpenVSwitch, here you could see some additional info:

Code:
root@proxmox-node-1.home.lan:~# ovs-vsctl show
40d1f46b-8e4a-4d85-b9b4-45a95aa5040b
    Bridge vmbr0
        Port vlan30
            tag: 330
            Interface vlan30
                type: internal
        Port veth1012i0
            tag: 30
            Interface veth1012i0
        Port eth0
            Interface eth0
        Port vmbr0
            Interface vmbr0
                type: internal
    Bridge vmbr1
        Port tap111i0
            tag: 30
            Interface tap111i0
        Port veth112i0
            tag: 30
            Interface veth112i0
        Port veth114i0
            tag: 30
            Interface veth114i0
        Port veth123i0
            tag: 30
            Interface veth123i0
        Port veth121i0
            tag: 310
            Interface veth121i0
        Port bond0
            Interface eth1
            Interface eth2
        Port tap102i0
            tag: 30
            Interface tap102i0
        Port veth108i0
            tag: 310
            Interface veth108i0
        Port vmbr1
            Interface vmbr1
                type: internal
    ovs_version: "2.15.0"
root@proxmox-node-1.home.lan:~#

Code:
root@proxmox-node-1.home.lan:~# ovs-vsctl list port bond0
_uuid               : 785cb447-d4ce-4f0b-8b8e-afd0e7fdc12c
bond_active_slave   : "00:10:18:77:3b:40"
bond_downdelay      : 400
bond_fake_iface     : true
bond_mode           : balance-slb
bond_updelay        : 2000
cvlans              : []
external_ids        : {}
fake_bridge         : false
interfaces          : [04c1081a-ddb1-488f-8a0d-3330f58e4de6, bc62e25e-dcfd-451c-ab6f-50149f2c1d66]
lacp                : active
mac                 : []
name                : bond0
other_config        : {lacp-time=fast}
protected           : false
qos                 : []
rstp_statistics     : {}
rstp_status         : {}
statistics          : {}
status              : {}
tag                 : []
trunks              : []
vlan_mode           : []
root@proxmox-node-1.home.lan:~#

Code:
root@proxmox-node-1.home.lan:~# !5298
ovs-appctl lacp/show bond0
---- bond0 ----
  status: active negotiated
  sys_id: 00:10:18:8a:77:ee
  sys_priority: 65534
  aggregation key: 1
  lacp_time: fast

member: eth1: current attached
  port_id: 1
  port_priority: 65535
  may_enable: true

  actor sys_id: 00:10:18:8a:77:ee
  actor sys_priority: 65534
  actor port_id: 1
  actor port_priority: 65535
  actor key: 1
  actor state: activity timeout aggregation synchronized collecting distributing

  partner sys_id: 18:e8:29:06:c3:52
  partner sys_priority: 32768
  partner port_id: 5
  partner port_priority: 32768
  partner key: 1
  partner state: activity timeout aggregation synchronized collecting distributing

member: eth2: current attached
  port_id: 2
  port_priority: 65535
  may_enable: true

  actor sys_id: 00:10:18:8a:77:ee
  actor sys_priority: 65534
  actor port_id: 2
  actor port_priority: 65535
  actor key: 1
  actor state: activity timeout aggregation synchronized collecting distributing

  partner sys_id: 18:e8:29:06:c3:52
  partner sys_priority: 32768
  partner port_id: 6
  partner port_priority: 32768
  partner key: 1
  partner state: activity timeout aggregation synchronized collecting distributing
root@proxmox-node-1.home.lan:~#

I have 3 network cards, and they are all set as trunk. I use eth0 for management purposes, and eth1 and eth2 to do an LACP link with another bridge and assign this to the VMs.
 