SDN aliases not found by firewall

beastyAlk

Feb 11, 2026
Hello

I'm having problems creating firewall rules using aliases created dynamically.

I started by creating a simple zone and a vnet on top of that. The zone is using integrated IPAM and PowerDNS for name registration and resolution.
The vnet has one subnet declared with gateway, snat and dhcp range.

I set the firewall at DC level to default drop IN and FORWARD and to default DROP at vnet level (firewall is on at DC, host and vnet level while off on vm/lxc and network interface).

I want to allow traffic inside the vnet from one specific container to another using the aliases, but the firewall seems unable to find the value of any "+sdn/guest-ipam-###", as it shows in the logs:
pve proxmox-firewall [11671]: error updating firewall rules: could not find ipset sdn/guest-ipam-105


The containers are in a vnet created in a simple zone, the simple zone is using integrated IPAM and PowerDNS.
 
The name seems to include a q instead of a g (sdn/quest-ipam-105)? Did you create the rule entry manually or via the API?
 
The name seems to include a q instead of a g (sdn/quest-ipam-105)? Did you create the rule entry manually or via the API?
Sorry, it was a typo. Now it's correct.

I didn't create them manually, they were created automatically after I moved the containers from the host linux bridge to the vnet interface.

I want to specify that the IPSets related to the vnet (in my case +sdn/vlabnet-*) are correctly evaluated by the firewall.
 
Can you post the output of the following files (from the host where the issue occurs).

Code:
cat /etc/pve/firewall/cluster.fw
cat /etc/pve/local/host.fw
cat /etc/pve/sdn/firewall/*

cat /etc/pve/sdn/zones.cfg
cat /etc/pve/sdn/vnets.cfg

cat /etc/pve/sdn/pve-ipam-state.json
 