Force all traffic in a bridge through router VM

nett_hier

New Member
Mar 27, 2023
I have already searched for similar questions but wasn't able to find a satisfying answer (or maybe I just overlooked it).
I have a VM with OPNsense that acts as a central firewall and router, which is connected to vmbr0 (WAN) and vmbr1 (LAN).
There are multiple other VMs connected to vmbr1.
I now want to be able to first isolate all the VMs inside vmbr1 from each other, and then selectively allow some specific connections via the OPNsense VM.
From what I'm seeing this doesn't seem to be possible, as the VMs can communicate with each other directly, skipping the router.
Furthermore, if I configured the proxmox native firewall of the various VMs to only allow connections to the router, I wouldn't be able to make exceptions to that rule inside of OPNsense.
I would prefer to keep all my firewall settings centralized, i.e. not write those exceptions into the native firewall, and I also don't want to create a new bridge network for each VM.
Is there some better way to solve this?
 
can't you use some kind of /32 for your vm ip? or even without /32, use a different subnet for your vms (using the same bridge)

if you want to manage filtering on opnsense and you don't want direct access between vms, you need to force traffic to opnsense (so not the same subnet, no arp)
 
If I understand the first part correctly it'd mean having to statically configure IPs inside of each VM, right? As opposed to being able to distribute them via DHCP (I have no clue how I'd configure a setup like that in OPNsense).
I guess it kind of makes sense, though it also seems like it'd be easier to mess up something (duplicate IPs, specify incorrect subnets, etc.) since the configuration would be decentralized. (As opposed to a list of static DHCP mappings in OPNsense).
I'll consider it though, makes sense.

Or maybe I'll just make separate bridges/VLANs/whatever for each VM/-group I need isolated from others, since that way I'll at least get some centralized config.

Update: Currently looking into SDN and IPAM support, maybe I can figure out something that way...
 
Hi, were you able to solve the problem? I'm having the exact same issue. I can't figure out how to force all LXC/VM traffic through my opnsense vm so that, e.g., containers can't communicate directly (skipping the opnsense router..)
 
Hello, you want to isolate your VMs on the same bridge and control their connections via OPNsense, right?
I did some research and I see that you can use a feature called private bridge in Proxmox, which prevents the VMs on the same bridge from communicating with each other directly. Instead, they have to go through the OPNsense router, which can apply the firewall rules you want.
To enable this feature, you have to edit the file /etc/network/interfaces on your Proxmox host and add this line to your vmbr1 configuration:
bridge-ports none
Then, you have to restart the network service or reboot the host.
 
Thanks for the update, could you maybe link some of the documentation you've seen?
For one, I cannot configure bridge-ports none since I'm using the bridge as the basis for an SDN. And I haven't seen a similar setting for such SDNs.
Also, even if I only had one node with a bridge to connect to VMs, how would the connections be able to reach OPNsense but not other nodes? I'm aware it would be possible to figure this out with the Proxmox firewall, but as stated in the original post I wanted to avoid that.
 
My current approach is to just create multiple networks where I can tolerate devices seeing each other, and connecting each to the OPNsense VM.
It does mean that it now has a ton of network adapters, but it's the easiest way of doing things.
I'm currently also planning to move a lot of firewalling into Tailscale and install that into every VM instead, but I haven't figured out yet how to set that up most efficiently, especially since I would want nodes to see each other on the underlying network in that case (but not allow any connections except via Tailscale).
 
I've managed to solve this issue (forcing all network traffic to the upstream firewall) by creating a new Linux Bridge without any bridge ports.

After that, I configured each LXC container with a static IPv4 address on a /32 subnet, and used the firewall's IPv4 address on that bridge/port as the gateway.

By doing this, all traffic is going through my firewall and the containers and VMs stopped connecting to each other directly.

It may be overkill, but now on my network all inter-LXC traffic has to first go through the firewall (which is virtualized), then also has to pass through the Proxmox VE firewall (interface-level), and then the host itself (UFW).
Since I only have 5 containers, managing them is kinda easy.
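The /32-plus-gateway scheme suggested earlier in the thread and described in the post above is easy to get wrong in exactly the ways the original poster worried about (a container left on a /24, a duplicated address, a gateway that is not the firewall). The script below is an added example, not code from any poster or from Proxmox: it parses the `netN:` lines as they appear in `/etc/pve/lxc/<vmid>.conf` and flags containers that would be able to bypass the router. The bridge name `vmbr1`, the firewall address `10.10.0.1` and all five sample config lines are constructed for the example.

```python
"""Audit Proxmox LXC network stanzas for the "/32 + firewall gateway" isolation scheme.

Added example. The sample config lines are constructed; the ``netN: k=v,k=v`` format is the
one Proxmox VE writes to /etc/pve/lxc/<vmid>.conf. Bridge name and gateway are assumptions.
"""
import ipaddress
import re

# Assumed deployment values (not from the thread): the isolated bridge and the
# OPNsense LAN address that every container must use as its default gateway.
ISOLATED_BRIDGE = "vmbr1"
FIREWALL_GW = ipaddress.ip_address("10.10.0.1")

# Constructed sample: one net0 line per container, keyed by VMID.
SAMPLE_CONFIGS = {
    101: "net0: name=eth0,bridge=vmbr1,hwaddr=BC:24:11:00:00:01,ip=10.10.0.11/32,gw=10.10.0.1,type=veth,firewall=1",
    102: "net0: name=eth0,bridge=vmbr1,hwaddr=BC:24:11:00:00:02,ip=10.10.0.12/24,gw=10.10.0.1,type=veth,firewall=1",
    103: "net0: name=eth0,bridge=vmbr1,hwaddr=BC:24:11:00:00:03,ip=10.10.0.11/32,gw=10.10.0.1,type=veth,firewall=1",
    104: "net0: name=eth0,bridge=vmbr1,hwaddr=BC:24:11:00:00:04,ip=10.10.0.14/32,gw=10.10.0.99,type=veth",
    105: "net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:00:05,ip=dhcp,type=veth,firewall=1",
}

NET_LINE = re.compile(r"^net(\d+):\s*(.*)$")


def parse_net_line(line):
    """Split 'net0: k=v,k=v,...' into (index, {k: v}); return None for any other config line."""
    m = NET_LINE.match(line.strip())
    if not m:
        return None
    opts = {}
    for kv in m.group(2).split(","):
        if "=" in kv:
            k, v = kv.split("=", 1)
            opts[k.strip()] = v.strip()
    return int(m.group(1)), opts


def audit(configs, bridge=ISOLATED_BRIDGE, gw=FIREWALL_GW):
    """Return {vmid: [finding, ...]} for containers that can sidestep the firewall."""
    findings = {}
    seen = {}  # address -> first VMID that claimed it, for duplicate detection
    for vmid, line in sorted(configs.items()):
        parsed = parse_net_line(line)
        if parsed is None:
            continue
        _, o = parsed
        issues = []
        if o.get("bridge") != bridge:
            issues.append(f"attached to {o.get('bridge')} instead of {bridge}")
        ip_opt = o.get("ip", "")
        if ip_opt in ("", "dhcp", "manual"):
            issues.append(f"ip={ip_opt or 'unset'}: not a static /32, so the mask comes from DHCP or the guest")
        else:
            iface = ipaddress.ip_interface(ip_opt)
            # Anything wider than a host route lets the guest ARP for bridge peers directly.
            if iface.network.prefixlen != iface.max_prefixlen:
                issues.append(f"prefix /{iface.network.prefixlen}: container can reach bridge peers without the router")
            if iface.ip in seen:
                issues.append(f"duplicate address {iface.ip} (also on CT {seen[iface.ip]})")
            else:
                seen[iface.ip] = vmid
        if o.get("gw") != str(gw):
            issues.append(f"gw={o.get('gw')}: default route does not point at the firewall {gw}")
        if o.get("firewall") != "1":
            issues.append("firewall not set to 1: PVE interface-level firewall is off for this veth")
        if issues:
            findings[vmid] = issues
    return findings


if __name__ == "__main__":
    for vmid, issues in audit(SAMPLE_CONFIGS).items():
        for issue in issues:
            print(f"CT {vmid}: {issue}")
```

On the constructed sample, CT 101 passes, 102 is flagged for its /24, 103 for reusing 101's address, 104 for the wrong gateway and missing `firewall=1`, and 105 for sitting on the WAN bridge with DHCP. The `firewall=1` check is deliberate: the /32 only stops a guest from resolving its peers by ARP, and anyone with root inside a guest can change its own mask, so the interface-level firewall that the last post keeps in front of the veth remains the enforcement point; the /32 is the convenience layer that keeps the rules centralized in OPNsense.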
 
