VM or CT: no internet if firewall is on in network device

HenrySJ · Oct 19, 2022

I have a proxmox server (soyoustart) with 2 bridges, one with public IPs (vmbr0) and another with a private network (vmbr1).

vmbr0 VMs work fine with public IPs, firewall on or firewall off

vmbr1 VMs or CTs only have internet if I disable the firewall check in the VM network device.

Anyone has had this problem? I need the VM or CT Firewall working even if they are in an internal network.

Host interfaces file:


auto lo
iface lo inet loopback

auto eno3
iface eno3 inet static
        address xxx.xx.18.14
        netmask 255.255.255.255
        pointopoint xxx.xx.18.254
        gateway xxx.xx.18.254
        hwaddress 0C:C4:7A:C3:52:A6
        post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
        address xxx.xx.18.14
        netmask 255.255.255.255
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        up ip route add xxx.xxx.169.32/32 dev vmbr0
        up ip route add xxx.xxx.169.33/32 dev vmbr0
        up ip route add xxx.xxx.169.34/32 dev vmbr0
        up ip route add xxx.xxx.169.35/32 dev vmbr0
        up ip route add xxx.xxx.169.36/32 dev vmbr0
        up ip route add xxx.xxx.169.37/32 dev vmbr0
        up ip route add xxx.xxx.169.38/32 dev vmbr0
        up ip route add xxx.xxx.169.39/32 dev vmbr0
        up ip route add xxx.xxx.169.40/32 dev vmbr0
        up ip route add xxx.xxx.169.41/32 dev vmbr0
        up ip route add xxx.xxx.169.42/32 dev vmbr0
        up ip route add xxx.xxx.169.43/32 dev vmbr0
        up ip route add xxx.xxx.169.44/32 dev vmbr0
        up ip route add xxx.xxx.169.45/32 dev vmbr0
        up ip route add xxx.xxx.169.46/32 dev vmbr0
        up ip route add xxx.xxx.169.47/32 dev vmbr0

auto vmbr1   # Second Bridge, internal network
iface vmbr1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno3 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno3 -j MASQUERADE

shrdlicka · Oct 19, 2022

Hi

can you post the rules iptables-save? Can you post pveversion -v?

Regards

HenrySJ · Oct 19, 2022

shrdlicka said:
Hi

can you post the rules iptables-save? Can you post pveversion -v?

Regards

I coudn't find iptables-save file, cannot post iptables -L (20k chars, max 16k). I just activated the datacenter firewall and the node firewall and added rules to allow icmp and full Access from my Office IP.

VMs in vmbr0 have firewall active with the ports needed working fine.

VMs in vmbr1 have no rules in the firewall, in firewall options, firewall is off and also tested with on.

In network device if the option in the picture below is checked, i loose internet conectivity, if I uncheckit internet conectivity comes back inmediatly, no need to reboot. Same behavior if it is a VM or a CT.

pveversion:


root@prox01:/etc# pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.53-1-pve)
pve-manager: 7.2-11 (running version: 7.2-11/b76d3178)
pve-kernel-helper: 7.2-12
pve-kernel-5.15: 7.2-10
pve-kernel-5.15.53-1-pve: 5.15.53-1
ceph-fuse: 14.2.21-1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve1
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.2-4
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.2-2
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-3
libpve-storage-perl: 7.2-8
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.0-3
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.2.6-1
proxmox-backup-file-restore: 2.2.6-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.1
pve-cluster: 7.2-2
pve-container: 4.2-2
pve-docs: 7.2-2
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-6
pve-firmware: 3.5-1
pve-ha-manager: 3.4.0
pve-i18n: 2.7-2
pve-qemu-kvm: 7.0.0-3
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-4
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.5-pve1

HenrySJ · Oct 19, 2022

Saved iptables rules and attached them here.

Any help would be apreciated.

Thank you.

Henry

shrdlicka · Oct 20, 2022

I see you are using security groups from the rules I see in them, I'm not that worried, but have you tried disabling them (just uncheck the "enabled" column) and then enabling the firewall again?

btw. with iptables-save I meant the command that prints all the rules

.

HenrySJ · Oct 20, 2022

shrdlicka said:
I see you are using security groups from the rules I see in them, I'm not that worried, but have you tried disabling them (just uncheck the "enabled" column) and then enabling the firewall again?

btw. with iptables-save I meant the command that prints all the rules .

I completly disabled the Datacenter and Node firewalls to test. Same behavior.

Search

Search

VM or CT: no internet if firewall is on in network device

HenrySJ

Member

shrdlicka

Proxmox Retired Staff

HenrySJ

Member

HenrySJ

Member

Attachments

shrdlicka

Proxmox Retired Staff

HenrySJ

Member

We value your privacy