[PATCH pve-docs] sdn: evpn: add a note about nf_conntrack_allow_invalid with multiple exit-nodes
Alexandre Derumier
alexandre.derumier at groupe-cyllene.com
Mon Dec 16 11:52:31 CET 2024
reported on the forum:
https://forum.proxmox.com/threads/evpn-vpls-with-multi-exit-nodes-firewall-drop-packet-with-asymetric-routing.158225
With multiple exit-nodes, traffic can be asymetric, so we need to enable invalid conntrack
Signed-off-by: Alexandre Derumier <alexandre.derumier at groupe-cyllene.com>
---
pvesdn.adoc | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/pvesdn.adoc b/pvesdn.adoc
index 5d5d27b..2683dfc 100644
--- a/pvesdn.adoc
+++ b/pvesdn.adoc
@@ -1159,6 +1159,15 @@ net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
-----
+If the PVE Firewall is enabled, you should allow invalid conntrack on the
+exit-nodes.
+
+add the following to `/etc/pve/nodes/<exitnode>/host.fw`:
+
+---
+nf_conntrack_allow_invalid: 1
+---
+
VXLAN IPSEC Encryption
~~~~~~~~~~~~~~~~~~~~~~
--
2.39.5
More information about the pve-devel
mailing list