[pve-devel] [PATCH pve-docs] sdn: evpn: add a note about nf_conntrack_allow_invalid with multiple exit-nodes

[pve-devel] [PATCH pve-docs] sdn: evpn: add a note about nf_conntrack_allow_invalid with multiple exit-nodes

[Alexandre Derumier via pve-devel]

[-- Attachment #1: Type: message/rfc822, Size: 3447 bytes --]

From: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-docs] sdn: evpn: add a note about nf_conntrack_allow_invalid with multiple exit-nodes
Date: Mon, 16 Dec 2024 11:52:31 +0100
Message-ID: <20241216105231.3188808-1-alexandre.derumier@groupe-cyllene.com>

reported on the forum:
https://forum.proxmox.com/threads/evpn-vpls-with-multi-exit-nodes-firewall-drop-packet-with-asymetric-routing.158225

With multiple exit-nodes, traffic can be asymetric, so we need to enable invalid conntrack

Signed-off-by: Alexandre Derumier <alexandre.derumier@groupe-cyllene.com>
---
 pvesdn.adoc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pvesdn.adoc b/pvesdn.adoc
index 5d5d27b..2683dfc 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -1159,6 +1159,15 @@ net.ipv4.conf.default.rp_filter=0
 net.ipv4.conf.all.rp_filter=0
 -----
 
+If the PVE Firewall is enabled, you should allow invalid conntrack on the
+exit-nodes.
+
+add the following to `/etc/pve/nodes/<exitnode>/host.fw`:
+
+---
+nf_conntrack_allow_invalid: 1
+---
+
 VXLAN IPSEC Encryption
 ~~~~~~~~~~~~~~~~~~~~~~
 
-- 
2.39.5



[-- Attachment #2: Type: text/plain, Size: 160 bytes --]

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel