SDN - Node Firewall stops DHCP even with rules in guide

SnappProx

Jan 14, 2026
Hello! As the title states, I'm using a Simple SDN zone with auto dhcp enabled, dnsmasq installed, basically everything working. HOWEVER, when I enable the node-level firewall, dhcp stops working entirely. Datacentre firewall doesn't affect dhcp.

I have the rules set up from the guide on both a datacentre and a node level (two screenshots attached).
(These are screenshots from the Datacentre firewall, and then the node firewall)

the VNet is called vmbr100, so the DNS rule is set to point to the SDN zones gateway.

What I'm trying to do is isolate the simple SDN zone so it doesn't have access to the LAN it's SNAT'd behind, if that makes sense.

Thanks :) If there's any questions I can answer to help myself out, please let me know.
 
This is a pretty common gotcha with Proxmox SDN + node firewall. When you enable the node‑level firewall, it starts filtering traffic before dnsmasq sees it, so DHCP (UDP 67/68) gets silently dropped unless it’s explicitly allowed on the bridge.

A couple of things to double‑check:

Make sure DHCP (UDP 67/68) is allowed on the node firewall, not just the datacenter level. Datacenter rules don’t always save you once the node firewall is active.

The rule needs to be applied to vmbr100 (the SDN bridge), and it should allow traffic to and from the SDN gateway IP.

If the node firewall default policy is DROP, dnsmasq will break immediately unless those rules are in place.

For isolating the SDN zone: you’re on the right track. The usual approach is to allow DHCP + DNS to the SDN gateway, allow outbound WAN if needed, and then explicitly block access to your LAN subnets on the node firewall. SNAT will still work, but east‑west access won’t.

TL;DR: DHCP breaking when node firewall is enabled almost always means missing UDP 67/68 rules on the bridge. Once those are allowed, everything else tends to fall back into place.
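To make the reply concrete, here is an added example (not from the thread, and not a Proxmox tool): a small checker that parses a node-level firewall file in the Proxmox `[OPTIONS]`/`[RULES]` format and reports whether inbound UDP 67/68 on the SDN bridge would reach dnsmasq under first-match evaluation. The two configs are constructed samples, one in the broken state the question describes (node firewall enabled, default input policy DROP, no DHCP rule on `vmbr100`) and one with the DHCP and DNS rules the reply recommends. Assumptions: the rule syntax (`IN ACCEPT -i vmbr100 -p udp -dport 67:68 -log nolog`), the file location `/etc/pve/nodes/<node>/host.fw`, and treating an unset `policy_in` as DROP are my understanding of Proxmox VE, not facts stated in the thread; verify them against your own node's file.

```python
"""Check whether a Proxmox-style host firewall rule set lets DHCP (UDP 67/68)
reach dnsmasq on an SDN bridge.

Assumptions (not from the thread): Proxmox VE rule syntax as I understand it,
a [RULES] section evaluated top-down with first match winning, an [OPTIONS]
section carrying policy_in, and files under /etc/pve/nodes/<node>/host.fw.
Both configs below are constructed samples, not the poster's files.
"""
import re

DHCP_PORTS = {67, 68}  # the UDP pair the reply says must be allowed

# Constructed: node-level host.fw as described in the question -- firewall on,
# input policy DROP, and no rule for DHCP on the SDN bridge.
HOST_FW_BROKEN = """
[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
IN ACCEPT -p tcp -dport 8006 -log nolog
IN ACCEPT -p tcp -dport 22 -log nolog
"""

# Constructed: same file with DHCP and DNS to the SDN gateway allowed on
# vmbr100 ahead of everything else. A leading '|' marks a disabled rule.
HOST_FW_FIXED = """
[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
IN ACCEPT -i vmbr100 -p udp -dport 67:68 -log nolog
IN ACCEPT -i vmbr100 -p udp -dport 53 -log nolog
IN ACCEPT -i vmbr100 -p tcp -dport 53 -log nolog
IN ACCEPT -p tcp -dport 8006 -log nolog
|IN ACCEPT -p tcp -dport 22 -log nolog
"""


def parse_fw(text):
    """Return (options, rules). Each rule is a dict holding direction, action,
    an optional macro name, and the '-x value' options; disabled rules skipped."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section == "OPTIONS":
            key, _, val = line.partition(":")
            options[key.strip()] = val.strip()
        elif section == "RULES":
            if line.startswith("|"):
                continue
            parts = line.split()
            rule = {"dir": parts[0].upper(), "action": parts[1].upper()}
            macro = re.fullmatch(r"(\w+)\((\w+)\)", parts[1])
            if macro:  # MACRO(ACTION) form; the macro body is not expanded here
                rule["macro"], rule["action"] = macro.group(1), macro.group(2).upper()
            for i in range(2, len(parts) - 1, 2):
                if parts[i].startswith("-"):
                    rule[parts[i][1:]] = parts[i + 1]
            rules.append(rule)
    return options, rules


def _ports(spec):
    """Expand a dport spec such as '67:68' or '53,67:68' into a set of ints."""
    out = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def dhcp_allowed(text, iface):
    """First-match check of inbound UDP 67/68 arriving on iface.
    Falls back to policy_in; an unset policy is treated as DROP (assumption)."""
    options, rules = parse_fw(text)
    for r in rules:
        if r["dir"] != "IN" or "macro" in r:
            continue  # only explicit -p udp rules are evaluated
        if r.get("p", "udp") != "udp":  # no -p means any protocol
            continue
        if r.get("i", iface) != iface:  # no -i means any interface
            continue
        if "dport" in r and not DHCP_PORTS <= _ports(r["dport"]):
            continue
        return r["action"] == "ACCEPT"
    return options.get("policy_in", "DROP").upper() == "ACCEPT"


if __name__ == "__main__":
    for name, cfg in (("broken", HOST_FW_BROKEN), ("fixed", HOST_FW_FIXED)):
        print(f"{name}: DHCP on vmbr100 allowed = {dhcp_allowed(cfg, 'vmbr100')}")
```

Run it as-is and it reports `False` for the broken sample and `True` for the fixed one; point `parse_fw` at the contents of your own node's `host.fw` to check the rule actually landed at node level rather than only in the datacentre file.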