Hi there, hope you are all doing well! I'm having a bit of an issue with getting Proxmox's firewall to play nicely with a VM I have. My use case at this very minute is quite simple: I just want to host a single Arch VM while I learn more about the OS as I switch from VMware. This VM has a TeamSpeak VoIP service running that uses ports 9987/udp and 30033/tcp to communicate with clients, pretty bog standard, but we all have to start somewhere.
I think I have my head wrapped around how Proxmox's firewalling operates, but just to lay it in the open, my current understanding is that DC firewall rules apply to all hosts in a cluster, but hosts can also have individual firewall settings for case-by-case control. Individual VM firewalls are separate from both the DC and node firewalls, given you are using a bridging interface and not NAT or masquerading (I am using a bridging interface to connect VMs to my private network).
The current problem I am encountering is that only some of the firewall rules I have applied to my VM instance seem to actually take effect: both the ICMP and SSH rules I have below work fine; however, the other three do not seem to function. I have pinned this down specifically to the VM firewall rules with my current understanding.
This can be seen when I turn the firewall on and off, as shown below:
[Screenshot: Working but firewall disabled]
[Screenshot: Not working but firewall enabled with valid rules]
Pinging and SSH, however, both work as expected on my local network.
I feel it's worth mentioning alongside this that my troubleshooting thus far has led me to poke around a bit at the common problems people face, and that all of the following are currently true:
- I have the VM's MAC tied to a static address on my local network via DHCP so it doesn't hop around with reboots
- Rebooting the host / reloading the firewall doesn't affect the current result
- Data center firewall is enabled (has local-network-limited macros to provide ICMP and SSH)
- Node firewall is enabled (no rules)
- Guest VM firewall is enabled (service becomes accessible when it's disabled)
- Guest VM interface (net0) has the "affected by firewall" checkbox enabled
- Guest VM netfilter rules are completely flushed, so Proxmox should be the point of arbitration for firewall rules and there are no leftover rules causing this behaviour
- Firewall service is running on the host; host is also up to date package-wise
- Likewise, firewall config entries for both the host and VM (VM ID being 100) are present and validate what the GUI is showing
Apologies in advance for this, as I'm sure I'm missing something small; however, I just can't seem to find anything obvious in regards to what it might be. Perhaps I am missing some syntax in the rule declaration that the SSH macro / ICMP one handle? Or maybe my understanding of how the firewall layers are logically segregated isn't up to snuff; I'm not quite sure.
Thanks for all your help and advice in advance,
Bibostin.
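One way to check the VM-level rules outside the GUI is to read the guest's rule file directly, since Proxmox stores them as plain text in /etc/pve/firewall/<vmid>.fw. The checker below is an added example, not the poster's file or Proxmox's own code: it parses a constructed 100.fw in the documented `DIRECTION ACTION [options]` format (a leading `|` marks a disabled rule) and flags the two things that most often make a rule silently do nothing, a port option without `-p tcp|udp` and a rule that is switched off. The ports are the TeamSpeak ones from the post; the broken third rule is deliberate.

```python
import re
import shlex

# Constructed sample of /etc/pve/firewall/100.fw (assumption: not the poster's
# real file). Rule 3 deliberately omits -p to show what the linter reports.
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[RULES]
IN SSH(ACCEPT) -source 192.168.1.0/24 -log nolog
IN ACCEPT -p udp -dport 9987 -log nolog
IN ACCEPT -dport 30033 -log nolog
|IN ACCEPT -p tcp -dport 30033
"""

RULE_RE = re.compile(r"^(IN|OUT|GROUP)\s+(\S+)(?:\s+(.*))?$")

def parse_rules(text):
    """Return the [RULES] entries as dicts: direction, action/macro, options, enabled."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):           # section header such as [OPTIONS] / [RULES]
            section = line.strip("[]").upper()
            continue
        if section != "RULES":
            continue
        enabled = not line.startswith("|")  # pve-firewall treats '|' as "rule disabled"
        m = RULE_RE.match(line.lstrip("|").strip())
        if not m:
            rules.append({"raw": line, "error": "unparseable rule line"})
            continue
        direction, action, rest = m.groups()
        toks = shlex.split(rest or "")      # "-p udp -dport 9987" -> {"p": "udp", ...}
        opts = {toks[i].lstrip("-"): toks[i + 1] for i in range(0, len(toks) - 1, 2)}
        rules.append({"dir": direction, "action": action, "opts": opts, "enabled": enabled})
    return rules

def lint_rules(rules):
    """Flag rules that the rule parser rejects or that are switched off; returns (index, reason)."""
    issues = []
    for n, r in enumerate(rules, 1):
        if "error" in r:
            issues.append((n, r["error"]))
            continue
        if not r["enabled"]:
            issues.append((n, "rule is disabled (leading '|')"))
        proto = r["opts"].get("p")
        if ("dport" in r["opts"] or "sport" in r["opts"]) and proto not in ("tcp", "udp"):
            issues.append((n, "port given without -p tcp|udp; the rule parser rejects this"))
    return issues
```

On the host itself, `pve-firewall compile` prints the generated rule set together with any rule the parser refused, and `pve-firewall simulate --from outside --to vm100 --protocol udp --dport 9987` walks the chains for one packet so you can see which rule a TeamSpeak connection actually hits.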