Transfer network between two virtual firewalls is being blocked

clerin

New Member
Oct 16, 2025
Hello everyone,

I’m new here and currently working with a Proxmox environment running on UCS.
I have two virtual firewalls, one external and one internal, each running on a different Proxmox host. Both firewalls are connected to different VLANs, and between them there is a transfer network (VLAN 99) using a /30 subnet.


On the internal firewall, I have configured “allow any” rules from the internal zone to the DMZ, but not the other way around.
However, communication over the transfer network still doesn’t work; it seems to be blocked somewhere between the two firewalls.


My goal is simply to allow traffic from the internal network to reach the external one, but not from external to internal.


If anyone has an idea how to properly connect two virtual firewalls on different VLANs via a transfer network between separate Proxmox hosts, I’d really appreciate your help.
If needed, I can also share screenshots of my current configuration.


Thanks in advance!


Attachment: 1760613394274.png
First, verify the transfer network is properly configured on both sides:
  • ITLAB-FW02 (External): Should have 192.168.99.254/30
  • ITLAB-FW01 (Internal): Should have 192.168.99.253/30
  • Both should be able to ping each other on these IPs

Firewall Rules on the Transfer Network


Even though you configured "allow any" from internal to DMZ, you likely need specific rules for the transfer network interface itself:
On ITLAB-FW01 (Internal):
  • Allow traffic from the transfer network interface (VLAN 99) → External zones
  • Allow established/related traffic back from the transfer network
On ITLAB-FW02 (External):
  • Allow traffic from transfer network (192.168.99.253) → wherever it needs to go
  • This is crucial - the external firewall needs to accept traffic coming FROM the internal firewall
Try this and share the result. Thanks.
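As an added example (not from the thread and not from any firewall or Proxmox project), the first part of this reply written as a Python script: it checks that the two transfer addresses form a usable /30 pair (neither side on the network or broadcast address, both in the same subnet) and that, on each Proxmox host, the firewall VM's transfer NIC is tagged 99 on a bridge whose `bridge-vids` actually carries that VLAN. The host names, MAC addresses, bridge names and the sample `/etc/network/interfaces` and `/etc/pve/qemu-server/<vmid>.conf` excerpts are constructed; only the file formats are Proxmox's own. It does not replace the ping test, and it cannot see whether the physical uplinks between the two hosts trunk VLAN 99.

```python
"""Sanity checks for a /30 transfer VLAN between two firewall VMs on Proxmox.
Constructed example: host names, MACs and config excerpts are invented."""
import ipaddress
import re

# --- Constructed sample inputs (not from the thread) -----------------------
# /etc/network/interfaces on the host running the internal firewall.
HOST_A_INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
        address 10.10.0.11/24
        bridge-ports eno1
        bridge-vlan-aware yes
        bridge-vids 2-4094
"""
# Same file on the host running the external firewall; its bridge-vids list
# was restricted and does not include the transfer VLAN.
HOST_B_INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
        address 10.10.0.12/24
        bridge-ports eno1
        bridge-vlan-aware yes
        bridge-vids 10,20,30
"""
# VM config excerpts; net1 is the transfer-network interface on both VMs.
FW01_CONF = """\
name: ITLAB-FW01
net0: virtio=BC:24:11:AA:00:01,bridge=vmbr0,tag=10
net1: virtio=BC:24:11:AA:00:02,bridge=vmbr0,tag=99
"""
FW02_CONF = """\
name: ITLAB-FW02
net0: virtio=BC:24:11:BB:00:01,bridge=vmbr0,tag=20
net1: virtio=BC:24:11:BB:00:02,bridge=vmbr0,tag=99
"""
TRANSFER_VLAN = 99


def parse_interfaces(text):
    """Return {iface_name: {option: value}} from an ifupdown-style file."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "iface":
            current = ifaces.setdefault(rest.split()[0], {})
        elif key in ("auto", "source") or key.startswith("allow-"):
            continue
        elif current is not None and rest:
            current[key] = rest.strip()
    return ifaces


def parse_vids(spec):
    """Expand a bridge-vids spec such as '2-4094' or '10,20,30' to a set."""
    vids = set()
    for item in spec.replace(",", " ").split():
        lo, _, hi = item.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


NET_RE = re.compile(r"^(net\d+):\s*(.+)$")


def parse_vm_nics(conf):
    """Return {netN: {option: value}} from a Proxmox VM config."""
    nics = {}
    for line in conf.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            opts = dict(f.partition("=")[::2] for f in m.group(2).split(","))
            nics[m.group(1)] = {k.strip(): v.strip() for k, v in opts.items()}
    return nics


def check_transfer_vlan(host_interfaces, vm_conf, nic, vlan=TRANSFER_VLAN):
    """Check that VM NIC `nic` is tagged `vlan` on a host bridge carrying it."""
    nics = parse_vm_nics(vm_conf)
    if nic not in nics:
        return [f"{nic} is not defined in the VM config"]
    problems = []
    tag, bridge = nics[nic].get("tag"), nics[nic].get("bridge")
    if tag != str(vlan):
        problems.append(f"{nic} is tagged {tag or 'untagged'}, expected {vlan}")
    br = parse_interfaces(host_interfaces).get(bridge)
    if br is None:
        problems.append(f"bridge {bridge} does not exist on the host")
    elif br.get("bridge-vlan-aware", "no") == "yes":
        # On a VLAN-aware bridge the VM tag only passes if it is in bridge-vids.
        vids = br.get("bridge-vids")
        if vids is None:
            problems.append(f"{bridge}: bridge-vids not set, confirm VLAN {vlan} is allowed")
        elif vlan not in parse_vids(vids):
            problems.append(f"VLAN {vlan} is not in {bridge} bridge-vids ({vids})")
    # A non-VLAN-aware bridge is handled by Proxmox with a per-VLAN helper bridge;
    # nothing to check in this file, but the uplink must still trunk the VLAN.
    return problems


def check_p2p_addresses(side_a, side_b):
    """Check that two interface addresses form a usable /30 point-to-point pair."""
    problems = []
    a, b = ipaddress.ip_interface(side_a), ipaddress.ip_interface(side_b)
    for label, i in (("A", a), ("B", b)):
        if i.network.prefixlen != 30:
            problems.append(f"{label}: /{i.network.prefixlen} given, expected /30")
        if i.ip in (i.network.network_address, i.network.broadcast_address):
            problems.append(f"{label}: {i.ip} is the network/broadcast address of {i.network}")
    if a.network != b.network:
        problems.append(f"sides are in different subnets: {a.network} vs {b.network}")
    elif a.ip == b.ip:
        problems.append(f"both sides use {a.ip}")
    return problems


if __name__ == "__main__":
    print("addresses:", check_p2p_addresses("192.168.99.253/30", "192.168.99.254/30") or "ok")
    print("FW01 host:", check_transfer_vlan(HOST_A_INTERFACES, FW01_CONF, "net1") or "ok")
    print("FW02 host:", check_transfer_vlan(HOST_B_INTERFACES, FW02_CONF, "net1") or "ok")
```

Run it on each host with the real files (`/etc/network/interfaces` and the firewall VM's `.conf`) substituted for the constructed strings; an empty list means that host's side of the VLAN plumbing is consistent, and only then is the "can they ping each other" test meaningful. A /30 has exactly two usable addresses, so .252 or .255 on either side is a configuration error the script reports.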