I have already searched for similar questions but wasn't able to find a satisfying answer (or maybe I just overlooked it).
I have a VM with OPNsense that acts as a central firewall and router, which is connected to vmbr0 (WAN) and vmbr1 (LAN).
There are multiple other VMs connected to vmbr1.
I now want to be able to first isolate all the VMs inside vmbr1 from each other, and then selectively allow some specific connections via the OPNsense VM.
From what I'm seeing this doesn't seem to be possible, as the VMs can communicate with each other directly, skipping the router.
Furthermore, if I configured the Proxmox native firewall of the various VMs to only allow connections to the router, I wouldn't be able to make exceptions to that rule inside of OPNsense.
I would prefer to keep all my firewall settings centralized, i.e. not write those exceptions into the native firewall, and I also don't want to create a new bridge network for each VM.
Is there some better way to solve this?