VM or CT: no internet if firewall is on in network device

HenrySJ

New Member
Oct 19, 2022
I have a proxmox server (soyoustart) with 2 bridges, one with public IPs (vmbr0) and another with a private network (vmbr1).

vmbr0 VMs work fine with public IPs, firewall on or firewall off

vmbr1 VMs or CTs only have internet if I disable the firewall check in the VM network device.

Has anyone had this problem? I need the VM or CT firewall working even if they are in an internal network.


Host interfaces file:

auto lo
iface lo inet loopback

auto eno3
iface eno3 inet static
    address xxx.xx.18.14
    netmask 255.255.255.255
    pointopoint xxx.xx.18.254
    gateway xxx.xx.18.254
    hwaddress 0C:C4:7A:C3:52:A6
    post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
    address xxx.xx.18.14
    netmask 255.255.255.255
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    up ip route add xxx.xxx.169.32/32 dev vmbr0
    up ip route add xxx.xxx.169.33/32 dev vmbr0
    up ip route add xxx.xxx.169.34/32 dev vmbr0
    up ip route add xxx.xxx.169.35/32 dev vmbr0
    up ip route add xxx.xxx.169.36/32 dev vmbr0
    up ip route add xxx.xxx.169.37/32 dev vmbr0
    up ip route add xxx.xxx.169.38/32 dev vmbr0
    up ip route add xxx.xxx.169.39/32 dev vmbr0
    up ip route add xxx.xxx.169.40/32 dev vmbr0
    up ip route add xxx.xxx.169.41/32 dev vmbr0
    up ip route add xxx.xxx.169.42/32 dev vmbr0
    up ip route add xxx.xxx.169.43/32 dev vmbr0
    up ip route add xxx.xxx.169.44/32 dev vmbr0
    up ip route add xxx.xxx.169.45/32 dev vmbr0
    up ip route add xxx.xxx.169.46/32 dev vmbr0
    up ip route add xxx.xxx.169.47/32 dev vmbr0

auto vmbr1
# Second Bridge, internal network
iface vmbr1 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno3 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno3 -j MASQUERADE
 
Hi

Can you post the rules (iptables-save)? Can you post pveversion -v?

Regards

I couldn't find an iptables-save file, and I cannot post the iptables -L output (20k chars, max 16k). I just activated the datacenter firewall and the node firewall and added rules to allow ICMP and full access from my office IP.

VMs in vmbr0 have firewall active with the ports needed working fine.

VMs in vmbr1 have no rules in the firewall; in firewall options, the firewall is off, and I also tested with it on.

In the network device, if the option in the picture below is checked, I lose internet connectivity; if I uncheck it, internet connectivity comes back immediately, no need to reboot. Same behavior whether it is a VM or a CT.

[attached screenshot 1666196040989.png: the network device's Firewall checkbox]



pveversion:

root@prox01:/etc# pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.53-1-pve)
pve-manager: 7.2-11 (running version: 7.2-11/b76d3178)
pve-kernel-helper: 7.2-12
pve-kernel-5.15: 7.2-10
pve-kernel-5.15.53-1-pve: 5.15.53-1
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-8
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.6-1
proxmox-backup-file-restore: 2.2.6-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-6
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-3
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1
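The reply above asks for the iptables-save output because that is where the answer usually is: the vmbr1 guests only reach the internet through the MASQUERADE rule from the post-up hook, and once the firewall is enabled pve-firewall hooks the FORWARD chain (PVEFW-FORWARD) so bridged guest traffic is filtered there. This added check script is not from the thread or from Proxmox; it reads an iptables-save dump on stdin and reports whether those two pieces are present, so the dump can be compared with the vNIC firewall checkbox on and off. The sample dump is constructed here, not captured from the poster's host.

```shell
#!/bin/sh
# check_nat_path NET WAN_IF  (iptables-save dump on stdin)
# Returns 0 only when the MASQUERADE rule for NET via WAN_IF is present.
check_nat_path() {
    net="$1"
    wan="$2"
    dump=$(cat)
    rc=0

    # 1. The NAT rule installed by the vmbr1 post-up hook (fixed-string match).
    if printf '%s\n' "$dump" | grep -qF -- "-A POSTROUTING -s $net -o $wan -j MASQUERADE"; then
        echo "ok: nat POSTROUTING masquerade for $net via $wan is present"
    else
        echo "MISSING: nat POSTROUTING masquerade for $net via $wan (post-up hook not applied?)"
        rc=1
    fi

    # 2. Has pve-firewall hooked the filter FORWARD chain? If so, guest traffic
    #    crossing the bridge is subject to the PVEFW-FORWARD rules.
    if printf '%s\n' "$dump" | grep -qF -- "-A FORWARD -j PVEFW-FORWARD"; then
        echo "note: pve-firewall has hooked FORWARD (PVEFW-FORWARD); bridged guest traffic is filtered"
    else
        echo "note: no PVEFW-FORWARD hook; pve-firewall is not filtering forwarded traffic"
    fi

    # 3. Default policy of the filter FORWARD chain, for completeness.
    policy=$(printf '%s\n' "$dump" | awk '/^\*filter/{f=1} f && /^:FORWARD /{print $2; exit}')
    echo "filter FORWARD policy: ${policy:-unknown}"
    return "$rc"
}

# Constructed sample in the shape of iptables-save output for this host's setup.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eno3 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j PVEFW-FORWARD
COMMIT'

# Demo run; on the real host use: iptables-save | check_nat_path 10.10.10.0/24 eno3
printf '%s\n' "$SAMPLE_DUMP" | check_nat_path 10.10.10.0/24 eno3
```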
 
I see you are using security groups in the rules; I'm not that worried about that, but have you tried disabling them (just uncheck the "enabled" column) and then enabling the firewall again?


btw. with iptables-save I meant the command that prints all the rules :).
 
I completely disabled the Datacenter and Node firewalls to test. Same behavior. :(
 
