Hi,
I read over some other threads that this issue is known but the solution does not seem to be official. That's why I'm posting this one.
Example: VM1 on vlan30 and VM2 on vlan60
- VM1 can ping VM2 (and vice versa)
- VM2 cannot SSH to VM1... but VM1 can SSH to VM2
- PVE firewall is activated
When PVE Firewall is disabled, everything works.
---
I think this problem arises only when trying to communicate across different VMs using different VLANs on the same node.
If I migrate the VM to another node, SSH starts working again.
---
So far, I found out the problem is known and the suggested fix could be:
in host.fw:
[OPTIONS]
nf_conntrack_allow_invalid: 1
enable: 1
I didn't test it yet but I really don't understand this parameter and what it can possibly compromise from a security standpoint.
Anyone?
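As an added illustration (not code from the post or from Proxmox), the snippet below parses the `[OPTIONS]` block of a host.fw file in the `key: value` form quoted above and reports what the suggested setting changes: with `nf_conntrack_allow_invalid: 1` the PVE firewall stops dropping packets that conntrack classifies as INVALID. The sample file content and the finding messages are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of /etc/pve/firewall/host.fw mirroring the [OPTIONS]
# block suggested in the thread; the [RULES] entry is illustrative only.
SAMPLE_HOST_FW = """\
[OPTIONS]
enable: 1
nf_conntrack_allow_invalid: 1

[RULES]
IN SSH(ACCEPT) -source 10.0.30.0/24 -log nolog
"""


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a PVE firewall file into [SECTION] -> list of non-comment lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1).upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_options(text: str) -> Dict[str, str]:
    """Read the [OPTIONS] block; each entry is 'key: value'."""
    opts: Dict[str, str] = {}
    for line in parse_sections(text).get("OPTIONS", []):
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def audit_options(opts: Dict[str, str]) -> List[str]:
    """Return findings for settings that weaken stateful filtering."""
    findings: List[str] = []
    if opts.get("enable", "0") != "1":
        findings.append("enable=0: host firewall is off, no stateful filtering")
    if opts.get("nf_conntrack_allow_invalid", "0") == "1":
        # INVALID covers e.g. TCP segments outside the tracked window and
        # replies for flows this node never saw (asymmetric paths).
        findings.append("nf_conntrack_allow_invalid=1: INVALID packets are no longer dropped")
    return findings
```

Running `audit_options(parse_options(SAMPLE_HOST_FW))` on the sample returns the single finding about `nf_conntrack_allow_invalid`.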