[pve-devel] [PATCH pve-docs] sdn: evpn: add a note about nf_conntrack_allow_invalid with multiple exit-nodes

Alexandre Derumier via pve-devel Mon, 16 Dec 2024 02:53:07 -0800

--- Begin Message ---

reported on the forum:
https://forum.proxmox.com/threads/evpn-vpls-with-multi-exit-nodes-firewall-drop-packet-with-asymetric-routing.158225


With multiple exit-nodes, traffic can be asymetric, so we need to enable 
invalid conntrack

Signed-off-by: Alexandre Derumier <alexandre.derum...@groupe-cyllene.com>
---
 pvesdn.adoc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index 5d5d27b..2683dfc 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -1159,6 +1159,15 @@ net.ipv4.conf.default.rp_filter=0
 net.ipv4.conf.all.rp_filter=0
 -----
 
+If the PVE Firewall is enabled, you should allow invalid conntrack on the
+exit-nodes.
+
+add the following to `/etc/pve/nodes/<exitnode>/host.fw`:
+
+---
+nf_conntrack_allow_invalid: 1
+---
+
 VXLAN IPSEC Encryption
 ~~~~~~~~~~~~~~~~~~~~~~
 
-- 
2.39.5

--- End Message ---

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH pve-docs] sdn: evpn: add a note about nf_conntrack_allow_invalid with multiple exit-nodes

Reply via email to