Unrecognized traffic 169.254.169.254:80 TCP:S

Model_SM9208

Jul 5, 2024
Hello, been using proxmox for about a year now and I am trying to improve the security of my cluster. Treating all traffic as a problem until proven otherwise. The Block IPv4 link-local (1000000102) rule on my PFsense firewall keeps blocking traffic from my proxmox VMs coming out of the cluster to 169.254.169.254:80 TCP:S (TCP Sync request). All my VMs regardless of what they are running try to reach out here. I am wondering if it is the qemu-guest-agent as that is a common thread across the servers making this traffic.
 
That's an automatically configured IP address (https://en.wikipedia.org/wiki/Apipa) of one of your devices.

And no, it has nothing to do with that Qemu agent.

(( I for myself prefer to configure all my devices semi-statically (MAC-specific, manually crafted lease in the DHCP-Server), including an entry in a Nameserver - this way I always know which device is which... ))

Best regards
 
Thanks, any advice for tracking down which device is getting that automatically configured IP? I set up every host (Proxmox 8.1) and VM (Ubuntu 22.04 LTS) with a static IP. The PFsense arp table doesn't have anything with that IP. Traceroute doesn't find it. DHCP is disabled.

EDIT: I've continued to investigate and every time my puppet agent checks in is when the traffic shows up.
 
Brute force / low level method:
  • take one of the linux boxes in that network and be "root"
  • get yourself a random IP address in 169.254.0.0/16 via "ip address add ... ..."
  • verify that this step has been done correctly by just running "ping 169.254.169.254" in a terminal with endless output each second
  • turn off one device after another (or remove connectivity aka "the network cable" for a few seconds) until that "ping" stops
When that "ping" does not work any more you've located the guilty device... ;-)

----
Are you "in the cloud"? Actually that address seems to have an established meaning - ask a random search machine and you'll find (for example) https://serverfault.com/questions/427018/what-is-this-ip-address-169-254-169-254
Maybe PFsense tries to be clever and imitates some mechanism? Disclaimer: I have NO idea...
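
To see which process on a VM is opening these connections (for example, to check the Puppet agent correlation noted in the thread), this added example, which is not part of the original posts, tallies sockets waiting in SYN-SENT toward 169.254.169.254:80 by owning process. The function names and the sample lines are constructed, and the column layout assumed is that of `ss -H -tnp state syn-sent`.

```shell
#!/bin/sh
# Added example: attribute outbound SYNs to 169.254.169.254:80 to a local process.
TARGET="169.254.169.254:80"

# Constructed sample of `ss -H -tnp state syn-sent` output (not from a real host).
# Assumed columns: Recv-Q Send-Q Local:Port Peer:Port [Process]
sample_ss_output() {
cat <<'EOF'
0      1      10.0.20.15:48212   169.254.169.254:80   users:(("ruby",pid=2211,fd=9))
0      1      10.0.20.15:48214   169.254.169.254:80   users:(("ruby",pid=2211,fd=10))
0      1      10.0.20.15:51990   10.0.20.1:443        users:(("curl",pid=3120,fd=5))
0      1      10.0.20.15:40022   169.254.169.254:80
EOF
}

# Read ss lines on stdin; print "count process pid" for every process whose
# peer is TARGET, busiest first. Sockets with no users:(...) column (ss run
# without root) are counted under "unknown -".
metadata_syn_sources() {
    awk -v target="$TARGET" '
        $4 == target {
            name = "unknown"; pid = "-"
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", s)        # leaves: name",pid=N
                i = index(s, "\",pid=")
                name = substr(s, 1, i - 1)
                pid = substr(s, i + 6)
            }
            hits[name " " pid]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# Live use on a guest: sh thisfile.sh --live   (root needed to see other users' PIDs)
if [ "${1:-}" = "--live" ]; then
    ss -H -tnp state syn-sent dst "$TARGET" | metadata_syn_sources
fi
```

Because the firewall rule drops the SYN, the socket stays in SYN-SENT while the kernel retries, so running the live mode in a loop around the time of an agent check-in is usually enough to catch it.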
 