Accessing the web GUI only on the internal LAN

pr777 (New Member), Jan 5, 2025
Hi,
I have installed Proxmox 8.3.2.
I have set up the network interfaces with vmbr0 for the management interface and WAN, with 192.168.1.x and gateway 192.168.1.1,
and vmbr1 for the local LAN, 192.168.14.1/24.
I want to access the web GUI only from inside the local LAN and deny access to the GUI from any address within 192.168.1.x (WAN-side router) and from the outside world.
How is it possible to restrict that?
 
I've been struggling for weeks already to set up a 10GbE backbone for PBS (so only for the backups and restores).
I think I can conclude that Proxmox is unable to attach 2 networks to the same Proxmox server, even if that server also has two separate NICs. So you need a Proxmox server for each network (or VLAN) you use. And then somehow you need to configure your router to accept "some" (I'm still finding out what) traffic between those networks to work. Allowing all traffic between networks is the exact opposite of what you want to achieve with separating networks.
I documented my entire architecture before installing hardware and starting configuration, but couldn't see that one coming.
Somehow I can't believe it, because it's such a basic thing. I have a server with 4 NICs and 4 VMs, but I'm unable to create those networks, because I can add only one gateway. If I have to connect the server to the different networks, and all traffic is routed to the same network outside, I have actually built a router, not a hypervisor. Maybe you could install a router in another VM. But that sounds like really bad practice. It also means that if you have one beefy server (that's a lot of homelab cases), and you want to run Proxmox on it so you can virtualize the needed servers on one server, you should first install a couple of VMs with Proxmox Server to be able to attach them to different networks. That again sounds like really bad practice.

Can someone lead us in the right direction please? I've been blocked for weeks already because my separate Wi-Fi network with an ad blocker can't be attached to the ad blocker in Proxmox, because it is another network. Do I really need a separate device for an ad blocker? That again is the exact opposite of what you want to achieve with a hypervisor. I did all this with VMware Workstation Pro, but wanted to upgrade to Proxmox. Boy, did that escalate quickly..
But I must be doing something wrong, because I read that almost the entire world uses Proxmox to host a VM with Home Assistant. That would mean they couldn't use a separate network for the IoT devices, and I read that's also what they're doing. So why did I have to stop everything and go buy a separate NUC to install Home Assistant on to get the lights back on? And then came the biggest joke: Home Assistant OS is perfectly able to use different networks for different devices. So now I'm moving some urgent things to my new hypervisor: Home Assistant..

To be clear: I don't want to start freewheeling in config files in the CLI of the host OS. I want to know where I can find some basic functionality in Proxmox. If using different networks in Proxmox is impossible and confirmed, Proxmox isn't the right hypervisor for me.

Thanks in advance,
Thomas

(I created this account to be able to reply; excuse me for the frustration in my post, but you cannot believe how stressful and time-consuming the past weeks were. I think you can break marriages with things like this ;-) )
 
I have set up the network interfaces with vmbr0 for the management interface and WAN, with 192.168.1.x and gateway 192.168.1.1,
and vmbr1 for the local LAN, 192.168.14.1/24.
I want to access the web GUI only from inside the local LAN and deny access to the GUI from any address within 192.168.1.x (WAN-side router) and from the outside world.
Remove the Proxmox IP address and gateway from vmbr0 and add a new IP address and gateway for Proxmox on vmbr1. And also update /etc/hosts.
 
I have set up the network interfaces with vmbr0 for the management interface and WAN, with 192.168.1.x and gateway 192.168.1.1,
and vmbr1 for the local LAN, 192.168.14.1/24.
I want to access the web GUI only from inside the local LAN and deny access to the GUI from any address within 192.168.1.x (WAN-side router) and from the outside world.
How is it possible to restrict that?
Two more options, besides what @leesteken suggested:

First: enable the firewall at the datacenter or host level (the latter only applies to the individual host) and block all incoming traffic, except with 192.168.14.0/24 as the source (first the accept rule for that source, then the block/drop rule).

Second: configure pveproxy to listen only on a specific IP, see https://pve.proxmox.com/pve-docs/pveproxy.8.html#pveproxy_listening_address


because I can add only one gateway
I only skimmed this wall of text, but be aware that there can only be one default gateway. For more specific routes to other networks, you will need to configure them manually.

If you have trouble, please open a new thread and provide all the details concisely. The easier it is to understand what you have and where the problem is, the more likely people will answer.
As a quick hint, look into the `post-up` and `post-down` commands for the `interfaces` file, where you can use the `ip` tool to add/remove more specific routes.
 
Two more options, besides what @leesteken suggested:

First: enable the firewall at the datacenter or host level (the latter only applies to the individual host) and block all incoming traffic, except with 192.168.14.0/24 as the source (first the accept rule for that source, then the block/drop rule).

Second: configure pveproxy to listen only on a specific IP, see https://pve.proxmox.com/pve-docs/pveproxy.8.html#pveproxy_listening_address



I only skimmed this wall of text, but be aware that there can only be one default gateway. For more specific routes to other networks, you will need to configure them manually.

If you have trouble, please open a new thread and provide all the details concisely. The easier it is to understand what you have and where the problem is, the more likely people will answer.
As a quick hint, look into the `post-up` and `post-down` commands for the `interfaces` file, where you can use the `ip` tool to add/remove more specific routes.
Thanks for your quick reply Aaron. My issue is the exact same issue as the OP's: the limitation of using the same gateway for each network. I just wanted confirmation that Proxmox VE has this limitation, because then Proxmox is no fit for my current architecture. I'm moving from VMware Workstation Pro, but it will be easier and safer to migrate back to that solution than to use the proposed workarounds.
So I can move on, thanks!
Thomas
 
This is regular networking. There can only be one default gateway, to which the host (not the VMs; they have their own routing table) will send all packets for which it has no specific route.
If you have other networks, that need to be reached via a different gateway that is not the default gateway, you need to specify it in the routing table.
Again, this is nothing Proxmox VE specific, but just how networking works.

If you come from a desktop virtualization (VMware Workstation), that might have been handled more automatically by it.
 
Expanding on this:

If you want to route packets based on the destination address of the packet:

Code:
ip route add 192.0.2.0/24 via 198.51.100.0

This will send packets with destination address in the subnet 192.0.2.0/24 to 198.51.100.0


If you want to route based on the source address of the packet - then you need policy-based routing:

Code:
ip rule add from 192.0.2.0/24 table example
ip route add 192.0.2.0/24 dev <dev> table example
ip route add default via 192.0.2.1 table example

This adds a separate routing table for all packets with source address in 192.0.2.0/24. Then all packets with that source address will use that routing table instead of the default routing table.


You can also combine both, e.g. route a packet with a specific source address and a specific destination address:

Code:
ip rule add from 192.0.2.0/24 table example
ip route add 192.0.2.0/24 dev <dev> table example
ip route add 198.51.100.0/24 via 192.0.2.1 table example


You only need this if you want to go from one subnet to another. If you have a subnet 192.0.2.0/24 on a device, then all packets to that subnet will automatically leave the device that has this subnet configured - no need to do anything there.


There's also the possibility of using VRFs for that, see [1]
[1] https://docs.kernel.org/networking/vrf.html
 
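The `post-up`/`post-down` hint from aaron and the source-based routing shanreich describes, put together as one script for the case Thomas has (a second NIC on a network with its own router, so that replies from the host's address on that NIC must leave through that NIC rather than the default gateway). This is an added example, not code from the thread or from Proxmox. Everything specific in it is a hypothetical assumption: vmbr0 keeps 192.168.1.x and the default gateway 192.168.1.1 in the main table, vmbr1 carries 192.168.14.2/24 with a second router at 192.168.14.1, and table id 100, priority 100, the `DRY_RUN` variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): source-based routing for a
# second network with its own router, meant to be called from
# /etc/network/interfaces, e.g. (hypothetical stanza):
#
#   auto vmbr1
#   iface vmbr1 inet static
#       address 192.168.14.2/24
#       bridge-ports enp3s0
#       bridge-stp off
#       bridge-fd 0
#       post-up   /usr/local/sbin/pbr-vmbr1.sh up
#       post-down /usr/local/sbin/pbr-vmbr1.sh down
#
# The main table is left alone, so the single default gateway stays on vmbr0.
set -e

DEV="${DEV:-vmbr1}"              # assumed LAN-side bridge
ADDR="${ADDR:-192.168.14.2}"     # assumed host address on that bridge
NET="${NET:-192.168.14.0/24}"
GW="${GW:-192.168.14.1}"         # assumed router on that network
TABLE="${TABLE:-100}"            # numeric table id; no /etc/iproute2/rt_tables edit needed
PRIO="${PRIO:-100}"              # below 32766 (main), so this rule is consulted first

# Run the command, or only print it when DRY_RUN is set (to review what would change).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

pbr_up() {
    # Connected route inside the extra table, so lookups that land here still
    # reach on-link hosts directly instead of bouncing via the router.
    run ip route add "$NET" dev "$DEV" src "$ADDR" table "$TABLE"
    # Default route of the extra table: the LAN-side router, not 192.168.1.1.
    run ip route add default via "$GW" dev "$DEV" table "$TABLE"
    # Only packets sourced from the host's vmbr1 address use that table. VM
    # traffic bridged through vmbr1 has a different source and is unaffected,
    # as is everything the host sends from its vmbr0 address.
    run ip rule add from "$ADDR/32" table "$TABLE" priority "$PRIO"
}

pbr_down() {
    run ip rule del from "$ADDR/32" table "$TABLE" priority "$PRIO" || true
    run ip route flush table "$TABLE" || true
}

case "${1:-}" in
    up)   pbr_up ;;
    down) pbr_down ;;
    *)    : ;;   # no argument: only define the functions (dry-run / sourcing use)
esac
```

`DRY_RUN=1 sh pbr-vmbr1.sh up` prints the three `ip` commands without touching the host. After `ifreload -a`, `ip rule show` should list the priority-100 rule, `ip route show table 100` the two routes, and `ip route get 8.8.8.8 from 192.168.14.2` should report the path via 192.168.14.1, while `ip route get 8.8.8.8` (main table) still goes via the vmbr0 gateway.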
Remove the Proxmox IP address and gateway from vmbr0 and add a new IP address and gateway for Proxmox on vmbr1. And also update /etc/hosts.

Hi, thanks for the reply.

My router gateway is 192.168.1.1.
If I delete the IP address and gateway from vmbr0 and add a new IP address and gateway on vmbr1, let's say 192.168.14.2 and gateway 192.168.14.1,
I don't have any internet connection on the Proxmox host or in OPNsense running in a VM.
I have connected my mini PC running PVE in this scenario:
from a LAN port of my router (gateway 192.168.1.1) a cable goes into my enp2s0, which is vmbr0,
and a cable from enp3s0 = vmbr1 (LAN) goes into the switch.

On either vmbr0 or vmbr1 I need to set an IP 192.168.1.x/24 and gateway 192.168.1.1 to have working internet.

Doing so, I can access the web GUI from my router gateway.
I have changed the /etc/hosts configuration to 192.168.14.1, but I can still access the GUI from my router gateway with the IP 192.168.1.x.

My DNS for PVE is 8.8.8.8.

How about setting up a VLAN for vmbr0?
Any ideas?
 
I managed to fix it.

Instead of removing the IP and gateway from vmbr0 (WAN), I set up a firewall policy to deny access to port 8006 for that specific IP, which is in the gateway subnet, so I could still access the internet on the PVE host.

On vmbr1 (LAN) I added a new IP in a different subnet without a gateway.

Then I changed the /etc/hosts configuration to match the IP of vmbr1 from the internal LAN.
Then I set up a policy in /etc/default/pveproxy.

It took me a lot of tries, but I managed to do it.

Regards
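A worked version of the two options aaron describes (host firewall with accept-then-drop, and pveproxy bound to one address), which is also the shape of the setup pr777 ends up with in the post above. This is an added example, not code from the thread or from Proxmox. It assumes the hypothetical addresses used in the thread: the host keeps its 192.168.1.x address and default gateway on vmbr0 and has 192.168.14.2/24 on vmbr1 without a gateway; the `LAN_NET`, `LAN_IP` and `ROOT` variables and the function names are the example's own. The one thing the thread only hints at with "also update /etc/hosts" is spelled out in the config: the firewall's built-in rules allow 8006 and 22 from the `local_network` alias, which PVE derives from the address the hostname resolves to (`pve-firewall localnet` prints it), so a DROP policy alone does not close the GUI to 192.168.1.0/24 while that alias still points at the WAN-side subnet; overriding the alias in `cluster.fw` pins it to the LAN.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): restrict PVE host
# management (8006 web GUI, 22 SSH) to the LAN side of the host.
# Hypothetical values: vmbr1 = 192.168.14.2/24 (LAN), vmbr0 keeps the
# 192.168.1.x address and the default gateway. Single node assumed; in a
# cluster the other nodes must also be able to reach 8006 and 22.
set -e

LAN_NET="${LAN_NET:-192.168.14.0/24}"
LAN_IP="${LAN_IP:-192.168.14.2}"
ROOT="${ROOT:-}"   # set ROOT=/some/dir to render into a scratch tree (dry run)

# Datacenter-level firewall config (/etc/pve/firewall/cluster.fw).
# Rules are evaluated before the policy, so the two ACCEPTs come first and
# everything else falls through to policy_in DROP. The [ALIASES] entry
# overrides the auto-detected local_network, which the built-in rules use to
# allow 8006/22; without it, that allowance follows whatever /etc/hosts says.
render_cluster_fw() {
    cat <<EOF
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[ALIASES]
local_network $LAN_NET

[RULES]
IN ACCEPT -source $LAN_NET -p tcp -dport 8006
IN ACCEPT -source $LAN_NET -p tcp -dport 22
EOF
}

# /etc/default/pveproxy: bind pveproxy to the LAN address only, so 8006 is not
# even listening on the 192.168.1.x side. spiceproxy reads the same file.
render_pveproxy_default() {
    printf 'LISTEN_IP="%s"\n' "$LAN_IP"
}

write_config() {
    mkdir -p "$ROOT/etc/pve/firewall" "$ROOT/etc/default"
    render_cluster_fw > "$ROOT/etc/pve/firewall/cluster.fw"
    render_pveproxy_default > "$ROOT/etc/default/pveproxy"
}

# Apply for real, then check what the host actually does.
apply_and_verify() {
    ROOT=""
    write_config
    pve-firewall restart
    systemctl restart pveproxy spiceproxy
    pve-firewall localnet          # should now report the LAN subnet as local_network
    ss -ltn 'sport = :8006'        # should list only $LAN_IP:8006, not 0.0.0.0 or :::
}

if [ "${1:-}" = "apply" ]; then
    apply_and_verify
fi
```

Run `ROOT=/tmp/pve-dryrun sh restrict-gui.sh` first and read the two rendered files; run `sh restrict-gui.sh apply` from a session on the LAN side or from the local console, because the restart closes any session coming in via 192.168.1.x. The firewall half still matters even with `LISTEN_IP` set: the listening address only covers 8006 (and SPICE), while the DROP policy also closes SSH and anything else the host exposes to the WAN-side subnet.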