Side-effects of datacenter firewall rules

duelle
Sep 25, 2016
Hello,

My current setup is the following. I have two public IP addresses. One is assigned to the physical host on which Proxmox VE is installed. The other one is assigned to a pfSense VM inside of Proxmox (connected to vmbr0). I can ping both public IPs from the outside.
Currently the Proxmox firewall is completely disabled (Enable Firewall: No on all levels [datacenter, node, VM]).
There are only manual iptables rules, which allow only ping and SSH (not limited to any device or address); everything else is dropped on the INPUT chain.
As I was not really sure how the firewall precedence works, I played around a bit and found a strange behavior:
  • When enabling the firewall for the pfSense VM with no specific rules and ACCEPT/ACCEPT policies (and restarting the pve-firewall service on the host), everything stays the same. Ping comes through to the host and to the pfSense VM.
  • When I set the Datacenter Firewall to ACCEPT/ACCEPT with no deny rules and enable the Node Firewall too (with no rules specified at all), the pfSense VM does not reply to pings anymore, even though I see no rules that would prevent this.
  • Furthermore, the VM cannot connect to the outside; it seems to be locked out of everything.
  • When disabling the firewall for the datacenter and the node again, the VM still does not reply to ping.

TL;DR:

initial state:

Proxmox independent iptables rules:
allow SSH and Ping
policy DROP/ACCEPT

VM FW (activated)
rules: none
policy: ACCEPT/ACCEPT
firewall=1 on the vmbr0 device

VM can be pinged from outside and can ping remote hosts.

Setting this:
Datacenter FW (activated)
rules: allow SSH and Ping
policy: ACCEPT/ACCEPT

Node FW (activated)
rules: none

Leads to:
VM is not reachable via ping, nor can it ping the outside.

Disabling the FW on Datacenter and Node again does not lead to working ping responses.
Datacenter rules apply only on hosts (INPUT|OUTPUT), not VMs (FORWARD).

At datacenter level, only enable/disable Firewall can impact the VM.

BTW, why have you enabled the Proxmox firewall on your pfSense VM? (As it's already a firewall.)
Check also your default policy in the VM firewall options (inbound deny by default).