Hi,

We stumbled upon an issue with IPv6, subnet router anycast addresses, and the Proxmox firewall. We fought to get to the bottom of it.

Situation: we have a router, configured with a subnet router anycast address; let's say the router is A::1/64 and the anycast address is A::/64. We have a VM in a bridge, connected to that router, with address A::2. We want A::2 to ping A::, and in return, A::1 will reply, with that source address. We get:

    A::2 echo request to A::
    A::1 echo reply to A::2

If we enable the Datacenter firewall, this rule:

    -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP

will kill that packet, as the source address does not match the original destination, and that's to be expected.

We can ask the router to reply using the anycast address, but if we do that, we lose the information we'd like to keep: the source IP on the router's side.

The VM or CT itself has the firewall disabled, and so has the host hosting them.

So, questions!

A) Is it expected that such a rule be enabled for VM bridges, when the firewall is disabled for the VM? It is so now, and it's not exactly a happy situation: enabling the firewall on the datacenter/hosts is not exactly supposed to have an impact on the VMs, is it? My guess is it's not easy to distinguish that path from any other, but that's not clear in the doc.

B) Can we plug ourselves in somewhere to have a rule like:

    -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

included BEFORE the --ctstate INVALID one? I don't see any way to do that in the chain, but I may be missing something.

C) Or can we have a specific option for IPv6 ICMP echo reply? But that seems a bit specific.

Cheers,
Gilou

_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
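The conntrack behaviour described in the message above, modelled in a small Python script. This is an added illustration, not code from the post, from Proxmox or from the Linux conntrack subsystem: it keeps a toy flow table keyed on (source, destination, ICMPv6 identifier) and walks an ordered rule list the way a netfilter chain does, first match wins. The addresses A::, A::1 and A::2, the identifier 0x1234, and the assumption that nothing else in the chain drops the packet are all taken from or added to the scenario for the sake of the example.

```python
"""Toy model of conntrack state for ICMPv6 echo plus an ordered filter chain.
Added illustration only; it is NOT the Linux conntrack code or the Proxmox
firewall, just enough of their logic to show why the reply is INVALID."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Icmp6:
    src: str
    dst: str
    kind: str   # "echo-request" or "echo-reply"
    ident: int  # ICMPv6 identifier; conntrack pairs request and reply on it


def _norm(addr: str) -> str:
    # Canonical form so "A::" and "a::" compare equal
    return str(ipaddress.IPv6Address(addr))


class ConntrackModel:
    """Tracks echo requests and classifies later packets roughly the way the
    --ctstate NEW/ESTABLISHED/INVALID match would."""

    def __init__(self) -> None:
        self._flows = set()  # (request src, request dst, ident)

    def ctstate(self, pkt: Icmp6) -> str:
        src, dst = _norm(pkt.src), _norm(pkt.dst)
        if pkt.kind == "echo-request":
            self._flows.add((src, dst, pkt.ident))
            return "NEW"
        if pkt.kind == "echo-reply":
            # A reply belongs to a flow only if its (src, dst) is the exact
            # mirror of the request's (dst, src). A reply sent from the
            # router's unicast address A::1 to a request aimed at the anycast
            # address A:: mirrors nothing in the table, hence INVALID.
            if (dst, src, pkt.ident) in self._flows:
                return "ESTABLISHED"
        return "INVALID"


# A rule is (match predicate over packet and ctstate, verdict)
Rule = Tuple[Callable[[Icmp6, str], bool], str]

# Order matters: the chain is walked top to bottom, first match wins.
DEFAULT_FORWARD: List[Rule] = [
    # -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
    (lambda p, st: st == "INVALID", "DROP"),
]
WITH_REPLY_ACCEPT: List[Rule] = [
    # -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
    (lambda p, st: p.kind == "echo-reply", "ACCEPT"),
] + DEFAULT_FORWARD


def walk_chain(pkt: Icmp6, state: str, chain: List[Rule]) -> str:
    for match, verdict in chain:
        if match(pkt, state):
            return verdict
    return "ACCEPT"  # assumption: nothing later in the chain drops it


def reply_verdict(reply_src: str, chain: List[Rule]) -> str:
    """VM A::2 pings the anycast address A::; the router replies from reply_src.
    Returns the chain's verdict on the echo reply."""
    ct = ConntrackModel()
    request = Icmp6("A::2", "A::", "echo-request", ident=0x1234)
    walk_chain(request, ct.ctstate(request), chain)  # NEW, passes through
    reply = Icmp6(reply_src, "A::2", "echo-reply", ident=0x1234)
    return walk_chain(reply, ct.ctstate(reply), chain)


if __name__ == "__main__":
    for src in ("A::1", "A::"):
        for name, chain in (("default", DEFAULT_FORWARD),
                            ("reply-accept-first", WITH_REPLY_ACCEPT)):
            print(f"reply from {src:5} chain={name:18} -> {reply_verdict(src, chain)}")
```

Running it shows the three cases from the message: a reply from A::1 is INVALID and dropped by the default chain, a reply from the anycast address A:: matches the tracked flow and passes, and inserting the echo-reply ACCEPT ahead of the INVALID drop lets the A::1 reply through. One caveat for anyone who does add such a rule: it accepts every forwarded ICMPv6 echo reply regardless of conntrack state, not just those answering this router, so scoping it with a source match on the router's own addresses keeps the INVALID drop effective for unsolicited replies from anywhere else.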
We stumbled upon an issue with IPv6, Subnet router anycast addresses, and Proxmox firewall. We fought to get to the bottom of it. Situation: we have a router, configured with a subnet router anycast address, let's say the router is A::1/64 and the anycast address is A::/64 We have a VM in a bridge, connected to that router, address A::2. We want A::2 to ping A::, and in return, A::1 will reply, with that source address. We get: A::2 echo request to A:: A::1 echo reply to A::2 If we enable the Datacenter firewall, this rule: -A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP will kill that packet, as the source address does not match the original destination, and that's to be expected. We can ask the router to reply using the anycast address, but if we do that, we loose the information we'd like to keep: the source IP on the router's side. The VM or CT itself has the firewall disabled, and so has the host hosting them. So questions! A) Is it expected that such a rule be enabled for VM bridges, when firewall is disabled for the VM? It is so now, and it's not exactly a happy situation: enabling the firewall on the datacenter/hosts is not exactly supposed to have an impact on the VMs, is it? My guess is it's not easy to distinguish that path from any other, but that's not clear in the doc. B) Can we plug ourself in somewhere to have a rule like: -I PVEFW-FORWARD -p icmpv6 --icmpv6-type echo-reply -j ACCEPT included BEFORE the --ctstate INVALID one? I don't see any way to do that in the chain, but I may be missing something. C) Or can we have a specific option for IPv6 ICMP echo reply, but that seems a bit specific. Cheers, Gilou _______________________________________________ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user