[PVE-User] PVE-firewall and multicast with linux bridging

Bryan Fields Bryan at bryanfields.net
Sun Jun 22 08:22:02 CEST 2025


I've run into this multicast issue.  Even with the interface unfirewalled, 
proxmox is blocking multicast/invalid traffic at the server and datacenter level.

I have the following VMs and LXCs all attached to an interface vmbr46.

100.120.255.128/28
100.120.255.129 - vrrp gateway
100.120.255.130 - Core 1 (router VM)
100.120.255.131 - Core 2 (router VM)
100.120.255.132 - NMS LXC
100.120.255.133 - vm0 - debian testing VM
100.120.255.134 - vm1 - debian testing VM
100.120.255.135 - Hypervisor vmbr46

This is an isolated bridge on linux, and is only used for testing of these 
servers/multicast network.  None of the ports have the firewall enabled.

During testing, I've had PIM between the routers come up and several weird 
groups back and forth.  I first assumed it was the fact I was testing from an 
LXC, and made the VMs.  This was not the case, as the VMs would have the same 
issues of only some ICMP pings to the multicast addresses working, and testing 
with socat showed one-way multicast between the Hypervisor and one VM.

After much mocking this up on another host and locally with real servers, I 
was able to isolate it to the bridge device.  There were no firewall logs for 
any of this, and pings to 224.0.0.1 wouldn't even work.  This is the all-hosts 
multicast address; everything that is participating in multicast should reply.

I configured the vmbr46 as 100.120.255.135/28 on the hypervisor to test this. 
I had the management firewall on the hypervisor disabled and confirmed I 
wasn't seeing any drops in the logs.  Eventually, after troubleshooting this, I 
discovered there is a built-in rule that blocks BROADCAST, MULTICAST, and 
ANYCAST across all interfaces, even though it's not on the forward chain. 
Owing to how multicast is handled on the bridge, it appears the INPUT chain is 
filtering this.

This is in the rules, and appears to be hardcoded in
/usr/share/perl5/PVE/Firewall.pm:
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP

I'd be ok with the hypervisor not being able to talk directly to the VMs on 
the vmbr46 interface, but I need the VMs and CTs to pass multicast with each 
other.  Is there some way to exempt an interface totally from filtering?

-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net



