It is workaround-able by adding the 9999 rule. I just wrote the rule wrong :(

However, no rule should be required, according to the documentation... which is dangerous.

I have created the issue here: https://github.com/apache/cloudstack/issues/4402

I did look at the iptables of the VR, but I don't fully understand it. The 3rd forward rule seems to allow everything out, and there are no egress rules before that one; the other two are "STATS" chains, which I suspect stands for statistics. I found outbound rules in the mangle table, which I have never used before... I need to get familiar with it. But even so, I don't fully identify my ACLs in here; I think iptables is not showing it all.

Do you know where I can find information about how this VR is implemented?

Regards,
Rafael

On Tue, 2020-10-13 11:59 AM, Thomas Joseph <thomas.jo...@gmail.com> wrote:
> Have you logged on to the related virtual router and checked if the
> declared firewall rules are visible?
>
> With regards
> Thomas Joseph
>
> On Tue, 13 Oct 2020, 10:53 am Rafael del Valle, <rva...@livelens.net.invalid> wrote:
> >
> > arrrgh...
> >
> > Not even the 9999 rule helps once I deploy all my tiers and rules.
> >
> > Egress just seems broken on VPC in 4.14.
> >
> > Anybody successfully using Egress/VPC in 4.14?
> >
> >
> > On Tue, 2020-10-13 09:37 AM, rva...@privaz.io.INVALID wrote:
> > > Hi Rene,
> > >
> > > I know what you mean now: the "By default, all incoming traffic to
> > > the guest networks is blocked and all outgoing traffic from guest
> > > networks is allowed, once you add an ACL rule for outgoing traffic, then
> > > only outgoing traffic specified in this ACL rule is allowed, the rest is
> > > blocked."
> > >
> > > This is how I remembered it.
> > >
> > > However, it looks like the last bit (once you add an ACL rule for
> > > outgoing traffic...) seems to be implemented in isolated networks but not
> > > in VPC tiers.
> > >
> > > I managed to achieve the desired behaviour by adding a:
> > >
> > > 9999 0.0.0.0/0 Egress Deny ALL ALL
> > >
> > > rule to my ACLs in VPC tiers, even though there is already another Egress
> > > rule present.
> > >
> > > However the isolated networks that I have do not need it, as they do
> > > honour the previous specification.
> > >
> > > I am going to create an issue and see if the team can reproduce this
> > > behaviour.
> > >
> > > Regards,
> > > Rafael
> > >
> > > On Mon, 2020-10-12 05:53 PM, Rene Moser <m...@renemoser.net> wrote:
> > > >
> > > > On 12.10.20 17:30, rva...@privaz.io.INVALID wrote:
> > > > > Am I missing something?
> > > >
> > > > It's been a while but I remember the default egress rule is "allow from
> > > > all".
> > > >
> > > > https://docs.cloudstack.apache.org/en/4.14.0.0/adminguide/networking/virtual_private_cloud_config.html?#about-network-acl-lists
> > > >
> > > > The doc however seems to be inconsistent, the table says "Deny all" for
> > > > outgoing. I guess this is a typo in the table there.
> > > >
> > > > Regards
> > > > René
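An added check for the workaround discussed in this thread (example code written for this page, not from the post or from the CloudStack project). Given the ACL items of a VPC tier, it reports whether egress is closed by a trailing catch-all deny of the "9999 0.0.0.0/0 Egress Deny ALL ALL" shape, still open because no such rule exists (or the deny was written too narrowly to be a catch-all), or shadowing any allow rules numbered after the deny. The field names `number`, `cidrlist`, `action`, `traffictype` and `protocol` are assumed to match the `listNetworkACLs` API response, and evaluation in ascending rule-number order (lowest number first) is also an assumption; the sample ACL lists are constructed, not captured from a deployment. It audits the declared ACL only: whether the VR actually programs those rules, which is what the thread is really about, still has to be checked on the router itself.

```python
"""Audit CloudStack VPC network ACL lists for how their egress is closed.

Added example for this thread, not CloudStack project code. Field names follow
what the listNetworkACLs response is assumed to return per ACL item, and items
are assumed to be evaluated in ascending 'number' order (lowest number first).
All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class AclItem:
    number: int
    cidrlist: str
    action: str        # "Allow" or "Deny"
    traffictype: str   # "Ingress" or "Egress"
    protocol: str      # "tcp", "udp", "icmp", "all", ...


def from_api(items: Iterable[Dict]) -> List[AclItem]:
    """Build AclItems from dicts shaped like listNetworkACLs entries
    (field names assumed; 'number' may arrive as a string)."""
    return [
        AclItem(
            number=int(i["number"]),
            cidrlist=str(i.get("cidrlist", "")).strip(),
            action=str(i["action"]),
            traffictype=str(i["traffictype"]),
            protocol=str(i.get("protocol", "all")),
        )
        for i in items
    ]


def is_catch_all_egress_deny(item: AclItem) -> bool:
    """True only for the '0.0.0.0/0 Egress Deny ALL' shape; a deny limited to
    one protocol or one CIDR does not close the list and is deliberately
    not accepted here."""
    return (
        item.traffictype.lower() == "egress"
        and item.action.lower() == "deny"
        and item.cidrlist == "0.0.0.0/0"
        and item.protocol.lower() == "all"
    )


def audit_egress(items: List[AclItem]) -> Dict:
    """Classify the egress posture of one ACL list.

    status:
      "default"  - no egress items; the documented default (all outgoing allowed) applies
      "open"     - egress items exist but no catch-all Deny closes the list
      "shadowed" - a catch-all Deny exists but some Allow is numbered after it,
                   so the Deny matches first and that Allow can never apply
      "closed"   - every egress Allow is numbered before a catch-all Deny
    """
    egress = sorted((i for i in items if i.traffictype.lower() == "egress"),
                    key=lambda i: i.number)
    if not egress:
        return {"status": "default", "shadowed": []}
    allows = [i for i in egress if i.action.lower() == "allow"]
    denies = [i for i in egress if is_catch_all_egress_deny(i)]
    if not denies:
        return {"status": "open", "shadowed": []}
    first_deny = denies[0].number
    shadowed = [i.number for i in allows if i.number > first_deny]
    if shadowed:
        return {"status": "shadowed", "shadowed": shadowed}
    return {"status": "closed", "shadowed": []}


# Constructed sample lists mirroring the thread (not real deployment data).
ACL_ALLOW_ONLY = from_api([
    {"number": "1", "cidrlist": "0.0.0.0/0", "action": "Allow", "traffictype": "Ingress", "protocol": "tcp"},
    {"number": "10", "cidrlist": "0.0.0.0/0", "action": "Allow", "traffictype": "Egress", "protocol": "tcp"},
])
# The workaround from the thread appended as the last-evaluated rule.
ACL_WITH_9999 = ACL_ALLOW_ONLY + from_api([
    {"number": "9999", "cidrlist": "0.0.0.0/0", "action": "Deny", "traffictype": "Egress", "protocol": "all"},
])
# A deny written too narrowly (tcp only) is not a catch-all and leaves the list open.
ACL_NARROW_DENY = ACL_ALLOW_ONLY + from_api([
    {"number": "9999", "cidrlist": "0.0.0.0/0", "action": "Deny", "traffictype": "Egress", "protocol": "tcp"},
])

if __name__ == "__main__":
    for name, acl in (("allow only", ACL_ALLOW_ONLY), ("with 9999", ACL_WITH_9999),
                      ("narrow deny", ACL_NARROW_DENY)):
        print(f"{name:12s} -> {audit_egress(acl)}")
```

Run it against the output of `listNetworkACLs` for each tier's ACL list; any list reporting "open" is relying on the documented "once you add an egress rule, the rest is blocked" behaviour that this thread says a 4.14 VPC tier does not honour, and "shadowed" means the catch-all deny sits in front of an allow you probably meant to keep.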