I've run into this multicast issue. Even with the interface as unfirewalled, proxmox is blocking multicast/invalid traffic at the server and datacenter level.

I have the following VMs and LXCs all attached to an interface vmbr46.

100.120.255.128/28
100.120.255.129 - vrrp gateway
100.120.255.130 - Core 1 (router VM)
100.120.255.131 - Core 2 (router VM)
100.120.255.132 - NMS LXC
100.120.255.133 - vm0 - debian testing VM
100.120.255.134 - vm1 - debian testing VM
100.120.255.135 - Hypervisor vmbr46

This is an isolated bridge on linux, and is only used for testing of these servers/multicast network. None of the ports have the firewall enabled.

During testing, I've had PIM between the routers come up and several weird groups back and forth. I first assumed it was the fact I was testing from an LXC, and made the VMs. This was not the case, as the VMs would have the same issues of only some ICMP pings to the multicast addresses working, and testing with socat showed one-way multicast between the Hypervisor and one VM.

After much mocking this up on another host and locally with real servers, I was able to isolate it to the bridge device. There were no firewall logs for any of this, and pings to 224.0.0.1 wouldn't even work. This is the all-hosts multicast address; everything that is participating in multicast should reply.

I configured the vmbr46 as 100.120.255.135/28 on the hypervisor to test this. I had the management firewall on the hypervisor disabled and confirmed I wasn't seeing any drops in the logs. Eventually, after troubleshooting this, I discovered there is a built-in rule that blocks BROADCAST, MULTICAST, and ANYCAST across all interfaces, even though it's not on the forward chain. Owing to how multicast is handled on the bridge, it appears the INPUT chain is filtering this.

This is in the rules, and appears to be hardcoded in
/usr/share/perl5/PVE/Firewall.pm
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP

I'd be ok with the hypervisor not being able to talk directly to the VMs on the vmbr46 interface, but I need the VMs and CTs to pass multicast with each other. Is there some way to exempt an interface totally from filtering?

--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
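
As an added example (not from the post above or from Proxmox itself), a small Python audit that parses an iptables-save dump, lists every rule that drops multicast, and works out which built-in chains can reach PVEFW-DropBroadcast through -j jumps. The sample dump is constructed: the four PVEFW-DropBroadcast rules are the ones quoted in the post, while the INPUT -> PVEFW-INPUT -> PVEFW-HOST-IN wiring is illustrative and may differ from a real host.

```python
import re
from collections import defaultdict

# Constructed sample in iptables-save format. The PVEFW-DropBroadcast rules
# match the post; the chain wiring above them is illustrative only.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -j PVEFW-INPUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -j PVEFW-DropBroadcast
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")

def parse_rules(dump):
    """Return (chain, match_args, target) for every -A line in the dump."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # skip *table, :chain and COMMIT lines
        chain, tokens = m.group(1), m.group(2).split()
        target = None
        if "-j" in tokens:
            j = tokens.index("-j")
            target = tokens[j + 1]
            tokens = tokens[:j] + tokens[j + 2:]
        rules.append((chain, tokens, target))
    return rules

def multicast_drop_rules(rules):
    """Rules that DROP multicast by addrtype or by the 224.0.0.0/4 destination."""
    hits = []
    for chain, args, target in rules:
        text = " ".join(args)
        if target == "DROP" and ("--dst-type MULTICAST" in text or "-d 224.0.0.0/4" in text):
            hits.append((chain, text))
    return hits

def chains_reaching(rules, target):
    """All chains from which `target` is reachable via -j jumps, transitively."""
    jumps = defaultdict(set)
    for chain, _, tgt in rules:
        if tgt:
            jumps[chain].add(tgt)
    reach, frontier = set(), [target]
    while frontier:
        t = frontier.pop()
        for chain, targets in jumps.items():
            if t in targets and chain not in reach:
                reach.add(chain)
                frontier.append(chain)
    return reach

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_DUMP)
    for chain, text in multicast_drop_rules(rules):
        print(f"{chain}: {text}")
    print("reaches PVEFW-DropBroadcast:", sorted(chains_reaching(rules, "PVEFW-DropBroadcast")))
```

On a live host, feed it the output of `iptables-save` instead of the constructed dump to see which built-in chains route traffic into the drop chain.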


_______________________________________________
pve-user mailing list
pve-user@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-user
