Given a Proxmox host with 1 real NIC and 2 Linux bridges (vmbr0 + vmbr1). vmbr0 is supposed to be used from host and VMs for communication to the internet. vmbr1 is supposed to be used by VMs to communicate between each other only.
Proxmox Host > /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

iface enp34s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.178.80/24
    gateway 192.168.178.1
    bridge-ports enp34s0
    bridge-stp off
    bridge-fd 0

iface wlp36s0 inet manual

auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
#k8s internal comms

source /etc/network/interfaces.d/*
VM > /etc/network/interfaces
Code:
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens18
iface ens18 inet dhcp
# This is an autoconfigured IPv6 interface
iface ens18 inet6 auto

# The secondary network interface
allow-hotplug ens19
iface ens19 inet static
    address 10.0.0.61
    netmask 255.255.255.0
This so far works.
Now I'm adding IP filtering to prevent IP spoofing. However, when I enable the IP filtering, suddenly my VM cannot access the internet anymore.
Proxmox Host > /etc/pve/firewall/cluster.fw
Code:
[OPTIONS]
enable: 1

[ALIASES]
k3sagent01_net0 192.168.178.61
local_network 192.168.178.0/24
k3sagent02_net0 192.168.178.62
k3sserver00_net0 192.168.178.60

[IPSET k3snodes_net0_ips]
dc/k3sagent01_net0
dc/k3sagent02_net0
dc/k3sserver00_net0

[IPSET local_network_ips]
dc/local_network

[group k3sagent_net0_in]
IN ACCEPT -source +dc/local_network_ips -p tcp -dport 443 -log nolog # Default HTTPS port
IN ACCEPT -source +dc/local_network_ips -p tcp -dport 80 -log nolog # Default HTTP port
IN ACCEPT -source +dc/local_network_ips -p tcp -dport 22 -log info # Default SSH port

[group k3sserver_net0_in]
IN ACCEPT -source +dc/local_network_ips -p tcp -dport 22 -log info # Default SSH port
Proxmox Host > /etc/pve/firewall/vm.fw
Code:
[OPTIONS]
ipfilter: 1
policy_in: DROP
enable: 1
log_level_out: info
log_level_in: info

[IPSET ipfilter_net0]
dc/k3sagent01_net0

[RULES]
GROUP k3sagent_net0_in -i net0
If I add 10.0.0.61 to the VM's IP Set, it can connect to the outside internet without issue. This to me indicates it always wants to use the ens19 interface (which is connected to vmbr1) instead of using ens18 connected to vmbr0.
I can of course disable IP filtering completely, but would rather fix the issue...
Thanks in advance for your input!
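
An added example, not part of the original post: a small Python check that resolves the VM's IP set against the cluster aliases and reports which of the VM's two addresses the set contains. The config text is copied from the excerpts above; the helper names are hypothetical, and it assumes the IP filter only admits source addresses listed in the set.

```python
import ipaddress

# Constructed from the cluster.fw and vm.fw excerpts in the post above.
CLUSTER_FW = """\
[ALIASES]
k3sagent01_net0 192.168.178.61
local_network 192.168.178.0/24
k3sagent02_net0 192.168.178.62
k3sserver00_net0 192.168.178.60
"""
VM_FW = """\
[OPTIONS]
ipfilter: 1
[IPSET ipfilter_net0]
dc/k3sagent01_net0
[RULES]
GROUP k3sagent_net0_in -i net0
"""

def sections(text):
    """Split a .fw file into {section header: [non-empty lines]}."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            out[current] = []
        elif current is not None:
            out[current].append(line)
    return out

def resolve_ipset(vm_fw, cluster_fw, set_name):
    """Return the networks in a VM-level IPSET, expanding dc/<alias> entries."""
    aliases = dict(l.split(None, 1) for l in sections(cluster_fw).get("ALIASES", []))
    nets = []
    for entry in sections(vm_fw).get(f"IPSET {set_name}", []):
        value = aliases[entry[3:]] if entry.startswith("dc/") else entry
        nets.append(ipaddress.ip_network(value.strip(), strict=False))
    return nets

def audit(addresses, set_name="ipfilter_net0"):
    """Map each source address to True if the set contains it (assumed filter semantics)."""
    nets = resolve_ipset(VM_FW, CLUSTER_FW, set_name)
    return {a: any(ipaddress.ip_address(a) in n for n in nets) for a in addresses}

if __name__ == "__main__":
    print(audit(["192.168.178.61", "10.0.0.61"]))
```

Inside the VM, `ip route get <destination>` shows which interface and source address the kernel actually picks for outbound traffic, which can be compared against this result.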