Hi all,
Running PVE 7.4.16. Have (quite some) experience with Mikrotik ROS firewalls (which is much like iptables just with a nice GUI - only stating this to let you know I'm not a complete newbie).
With the PVE firewall, though, I have some things I can't wrap my head around.
I've turned on the firewall (on cluster level, then on the node itself, then on 2 CTs). The firewall is really a default setup, with policy DROP on input and ACCEPT on output.
I've turned on logging on input to see if anything else is trying to access something on those CTs that I haven't allowed.
So now I get things like this in the log:
Code:
100 6 veth100i0-IN 09/Sep/2023:20:00:27 +0200 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=veth100i0 MAC=72:64:58:8c:99:56:8e:84:98:00:9d:78:08:00 SRC=10.10.40.135 DST=10.10.40.145 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=39627 DF PROTO=TCP SPT=62978 DPT=6162 SEQ=3798276170 ACK=0 WINDOW=62720 SYN
114 6 veth114i0-IN 09/Sep/2023:20:00:27 +0200 policy DROP: IN=fwbr114i0 OUT=fwbr114i0 PHYSIN=fwln114i0 PHYSOUT=veth114i0 MAC=72:64:58:8c:99:56:8e:84:98:00:9d:78:08:00 SRC=10.10.40.135 DST=10.10.40.145 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=39627 DF PROTO=TCP SPT=62978 DPT=6162 SEQ=3798276170 ACK=0 WINDOW=62720 SYN
All fine, except these IP addresses have nothing to do with those CTs. I have a bunch of other examples in the logs. These other examples have addresses that have nothing to do with either these CTs or any other IP address on this PVE host. Which I find quite confusing.
So... what's going on here?
Why and how is the PVE firewall on my CTs even seeing traffic that has nothing to do with those CTs? Has anyone else seen things like this happening?
This is my network setup:
auto bond0
iface bond0 inet manual
bond-slaves eno12399np0 eno8303
bond-miimon 100
bond-mode active-backup
bond-primary eno12399np0
mtu 9000
auto vmbr0
iface vmbr0 inet static
address 10.10.40.41/23
bridge-ports bond0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
mtu 9000
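An added example (editor's code, not part of the post and not Proxmox's own tooling) that parses pve-firewall log lines of the form shown above and runs the two checks a practitioner would want here: whether the logged DST is one of the CT's own addresses, and whether the same packet (same IP ID, source port and TCP SEQ) was logged on more than one fwbrNNNi0 bridge. The two lines posted are identical apart from the CT, so they are one frame delivered to both CTs' firewall bridges, which is what a Linux bridge does with a unicast frame whose destination MAC it has not learned. The `CT_ADDRS` mapping and the third log line are constructed for the example; only the first two lines come from the post.

```python
import re
from collections import defaultdict

# First two lines are the ones from the post; the third is CONSTRUCTED for contrast:
# a SYN addressed to a hypothetical guest address of CT 100.
LOG_LINES = [
    "100 6 veth100i0-IN 09/Sep/2023:20:00:27 +0200 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=veth100i0 MAC=72:64:58:8c:99:56:8e:84:98:00:9d:78:08:00 SRC=10.10.40.135 DST=10.10.40.145 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=39627 DF PROTO=TCP SPT=62978 DPT=6162 SEQ=3798276170 ACK=0 WINDOW=62720 SYN",
    "114 6 veth114i0-IN 09/Sep/2023:20:00:27 +0200 policy DROP: IN=fwbr114i0 OUT=fwbr114i0 PHYSIN=fwln114i0 PHYSOUT=veth114i0 MAC=72:64:58:8c:99:56:8e:84:98:00:9d:78:08:00 SRC=10.10.40.135 DST=10.10.40.145 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=39627 DF PROTO=TCP SPT=62978 DPT=6162 SEQ=3798276170 ACK=0 WINDOW=62720 SYN",
    "100 6 veth100i0-IN 09/Sep/2023:20:00:31 +0200 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=veth100i0 MAC=aa:bb:cc:dd:ee:01:8e:84:98:00:9d:78:08:00 SRC=10.10.40.135 DST=10.10.40.50 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=39700 DF PROTO=TCP SPT=62990 DPT=22 SEQ=123456789 ACK=0 WINDOW=62720 SYN",
]

# HYPOTHETICAL: CT id -> the addresses that CT actually owns (not given in the post).
CT_ADDRS = {"100": {"10.10.40.50"}, "114": {"10.10.40.51"}}

# "<vmid> <loglevel> <chain> <timestamp> <verdict>: <netfilter key=value fields>"
HEADER_RE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<loglevel>\d+)\s+(?P<chain>\S+)\s+"
    r"(?P<ts>\S+ [+-]\d{4})\s+(?P<verdict>[^:]+):\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one pve-firewall log line into a dict of header and packet fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a pve-firewall log line: %r" % line)
    rec = {k: m.group(k) for k in ("vmid", "loglevel", "chain", "ts", "verdict")}
    rest = m.group("rest")
    rec.update(dict(KV_RE.findall(rest)))
    # Bare tokens such as DF and SYN carry no '=': keep them as flags.
    rec["flags"] = {tok for tok in rest.split() if "=" not in tok}
    # Netfilter's MAC field is dst MAC (6) : src MAC (6) : ethertype (2).
    mac = rec.get("MAC")
    if mac:
        octets = mac.split(":")
        rec["dst_mac"] = ":".join(octets[0:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "".join(octets[12:14])
    return rec


def foreign_destination(rec, ct_addrs=CT_ADDRS):
    """True when the packet's DST is not an address the logging CT owns (the symptom in the post)."""
    return rec.get("DST") not in ct_addrs.get(rec["vmid"], set())


def packet_key(rec):
    """Fields that identify one IP packet regardless of which bridge logged it."""
    return (rec.get("SRC"), rec.get("DST"), rec.get("PROTO"),
            rec.get("ID"), rec.get("SPT"), rec.get("SEQ"))


def duplicated_across_bridges(records):
    """Map each packet seen on more than one fwbr bridge to the sorted list of those bridges.

    One frame logged on several fwbrNNNi0 bridges means the upstream bridge (vmbr0 here)
    delivered a copy to every port: unknown-unicast flooding for a destination MAC that is
    not in its forwarding database, or a frame that the bridge otherwise floods.
    """
    seen = defaultdict(set)
    for r in records:
        seen[packet_key(r)].add(r["IN"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def analyze(lines=LOG_LINES, ct_addrs=CT_ADDRS):
    recs = [parse_line(line) for line in lines]
    return {
        "foreign": [(r["vmid"], r["DST"]) for r in recs if foreign_destination(r, ct_addrs)],
        "flooded": duplicated_across_bridges(recs),
    }


if __name__ == "__main__":
    result = analyze()
    for vmid, dst in result["foreign"]:
        print("CT %s logged a packet for %s, which it does not own" % (vmid, dst))
    for key, bridges in result["flooded"].items():
        print("packet %s seen on %s" % (key, ", ".join(bridges)))
```

The check to pair with this on the host is `bridge fdb show br vmbr0`: if the destination MAC the parser extracts (72:64:58:8c:99:56 for the two posted lines) is not in vmbr0's forwarding table, the bridge floods that frame to every port, including each CT's fwln/fwbr pair, and the per-CT input chain then drops and logs it. That makes the DROP entries correct behaviour rather than a sign of misrouted traffic, though a steady stream of such entries for addresses outside the CTs is worth confirming against the FDB before tuning log rate or rules.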