Proxmox with a guest firewall (ipfire)

FuriousRage

Hi, I wish to have this setup as in the attached image
howto_config.png

The red is supposed to be DHCP from my ISP.
The green is the LAN between other VMs and other clients like my workstation.
I also want to be able to access the Proxmox web GUI through the green parts.
Proxmox has a fixed IP atm on both ethX but should "only" work on x.x.x.99

What settings for eth0+1 and vmbr0+1 do I need to accomplish this so ipfire can't be the "router"? This information seems hard to find using Google.
 
Hello FuriousRage


If I understood correctly: You want to block access to 192.168.0.99 from VMs and other physical endpoints in subnet 192.168.0.0/24.

Simply not possible by the ipfire guest - it is not involved in that traffic. It must be done in the Proxmox server. And it is easy, just use its Firewall capability, which is available from Version 3.3 on (and ipfire is not necessary any more at all too).


Kind regards

Mr.Holmes
 
Hi, not quite.
I want to use IPFire as a firewall/router, where the red is internet and only accessible through ipfire and its rules.
The green is supposed to be LAN; all VMs and Proxmox should be accessible through the green LAN side if firewall rules allow it.
I just don't know how the basic setup for the ethernet ports should be set to make this happen.
 
Create a new bridge for eth1, then do not assign an IP to it. Attach the bridge only to your ipfire kvm.

auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0
 
OK, trying that.
And all other VMs and "real computer" should be assigned to vmbr0?
(Oh, and I can only access proxmox web internet using vmbr1 and 192.168.0.98)
Even if I change it "the other way around" and use eth0/vmbr0 (192.168.0.99), it won't connect unless it's vmbr1/eth1.
 
And all other VMs and "real computer" should be assigned to vmbr0? -> Yes.
Oh, and I can only access proxmox web internet using vmbr1 and 192.168.0.98 -> All internet traffic would be required to pass through your IPFire instance. How you want to set that part up and who gets access to the internet is all controlled from there.
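
Added example, not part of the thread: a Python check for the layout the replies arrive at, where the WAN-facing bridge (vmbr1 on eth1) carries no host IP and the management address stays on vmbr0. The sample configs are constructed, the /24 prefix on the host address is an assumption, and the function names are hypothetical.

```python
# Added example (not from the thread): flag host IP addresses on the WAN-facing bridge.
# GOOD mirrors the layout suggested above; the /24 prefix is an assumption.
GOOD = """\
auto vmbr0
iface vmbr0 inet static
    address 192.168.0.99/24
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0
"""
# Constructed misconfiguration: the host also holds an address on the WAN bridge.
BAD = GOOD.replace("iface vmbr1 inet manual",
                   "iface vmbr1 inet static\n    address 192.168.0.98/24")

def parse_stanzas(text):
    """Parse ifupdown 'iface' stanzas into dicts with name, method and options."""
    stanzas, current = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = {"name": words[1], "method": words[3], "options": {}}
            stanzas.append(current)
        elif words[0] in ("auto", "source", "mapping") or words[0].startswith("allow-"):
            current = None  # these keywords end the preceding iface stanza
        elif current is not None:
            # Accept both the bridge_ports and bridge-ports spellings.
            current["options"][words[0].replace("-", "_")] = words[1:]
    return stanzas

def audit_wan_isolation(text, wan_nic):
    """Return findings where the host itself would be reachable on the WAN NIC."""
    findings, wan_bridge_seen = [], False
    for s in parse_stanzas(text):
        bridged = wan_nic in s["options"].get("bridge_ports", [])
        wan_bridge_seen = wan_bridge_seen or bridged
        has_ip = s["method"] in ("static", "dhcp") or "address" in s["options"]
        if (bridged or s["name"] == wan_nic) and has_ip:
            findings.append(f"{s['name']}: host has an IP on the WAN side ({s['method']})")
    if not wan_bridge_seen:
        findings.append(f"{wan_nic}: not attached to any bridge, the firewall VM cannot use it")
    return findings
```

Calling audit_wan_isolation(open("/etc/network/interfaces").read(), "eth1") on the Proxmox host returns an empty list when only the firewall VM can see the WAN port.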


 
