Accessing web GUI only on internal LAN

pr777

New Member
Jan 5, 2025
Hi,
I have installed Proxmox 8.3.2.
I have set up the network interfaces with vmbr0 for the management interface and WAN with 192.168.1.x and gateway 192.168.1.1,
and vmbr1 for the local LAN 192.168.14.1/24.
I want to access the web GUI only from inside the local LAN and deny access to the GUI from any address within 192.168.1.x/ (WAN-side router) and the outside world.
How is it possible to restrict that?
 
I'm struggling for weeks already to set up a 10GbE backbone for PBS (so only for the backups and restores).
I think I can conclude that Proxmox is unable to attach 2 networks to the same Proxmox server, even if that server also has two separate NICs. So you need a Proxmox server for each network (or VLAN) you use. And then somehow, you need to configure your router to accept "some" (I'm still finding out what) traffic between those networks to work. Allowing all traffic between networks is the exact opposite of what you want to achieve with separating networks.
I documented my entire architecture before installing hardware and starting configuration, but couldn't see that one coming.
Somehow I can't believe it, because it's such a basic thing. I have a server with 4 NICs and 4 VMs, but I'm unable to create those networks, because I can add only one gateway. If I have to connect the server to the different networks, and all traffic is routed to the same network outside, I have actually built a router, not a hypervisor. Maybe you could install a router in another VM. But that sounds like really bad practice. It also means that if you have one beefy server (that's a lot of homelab cases), and you want to run Proxmox on it, so you can virtualize the needed servers on one server, you should first install a couple of VMs with Proxmox Server to be able to attach them to different networks. That again sounds like really bad practice.

Can someone lead us in the right direction please? I'm blocked for weeks already because my separate Wi-Fi network with an adblocker can't be attached to the adblocker in Proxmox, because it is another network. Do I really need a separate device for an adblocker? That again is the exact opposite of what you want to achieve with a hypervisor. I did all this with VMware Workstation Pro, but wanted to upgrade to Proxmox. Boy, did that escalate quickly..
But I must be doing something wrong, because I read that almost the entire world uses Proxmox to host a VM with Home Assistant. That would mean they couldn't use a separate network for the IoT devices, and I read that's also what they're doing. So why did I have to stop everything and go buy a separate NUC to install Home Assistant on to get the lights back on? And then came the biggest joke: Home Assistant OS is perfectly able to use different networks for different devices. So now I'm moving some urgent things to my new hypervisor: Home Assistant..

To be clear: I don't want to start freewheeling in config files in the CLI of the host OS. I want to know where I can find some basic functionality in Proxmox. If using different networks in Proxmox is impossible and confirmed, Proxmox isn't the right hypervisor for me.

Thanks in advance,
Thomas

(I created this account to be able to reply, excuse me for the frustration in my post but you cannot believe how stressful and time-consuming the past weeks were. I think you can break marriages with things like this ;-) )
 
I have set up the network interfaces with vmbr0 for the management interface and WAN with 192.168.1.x and gateway 192.168.1.1,
and vmbr1 for the local LAN 192.168.14.1/24.
I want to access the web GUI only from inside the local LAN and deny access to the GUI from any address within 192.168.1.x/ (WAN-side router) and the outside world.
Remove the Proxmox IP address and gateway from vmbr0 and add a new IP address and gateway for Proxmox on vmbr1. And also update /etc/hosts.
 
I have set up the network interfaces with vmbr0 for the management interface and WAN with 192.168.1.x and gateway 192.168.1.1,
and vmbr1 for the local LAN 192.168.14.1/24.
I want to access the web GUI only from inside the local LAN and deny access to the GUI from any address within 192.168.1.x/ (WAN-side router) and the outside world.
How is it possible to restrict that?
Two more options, besides what @leesteken suggested:

First: enable the firewall on the datacenter or host level (the latter will only apply to the individual host) and disable all incoming, except with 192.168.14.0/24 as source (first the accept from that source, then the block/drop rule).

Second: configure pveproxy to listen only on a specific IP, see https://pve.proxmox.com/pve-docs/pveproxy.8.html#pveproxy_listening_address


because I can add only one gateway
I only skimmed this wall of text, but be aware that there can only be one default gateway. For more specific routes to other networks, you will need to configure them manually.

If you have trouble, please open a new thread and provide all the details concisely. The easier it is to understand what you have and where the problem is, the more likely people will answer.
As a quick hint, look into `post-up` and `post-down` commands for the `interfaces` file where you can use the `ip` tool to add/remove more specific routes.
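Both of aaron's options written out for the OP's layout, as an added example that is not code from this thread or from Proxmox itself. It assumes the node's management address is 192.168.14.1 on vmbr1 (taken from the OP), and it uses a ROOT prefix (empty by default, meaning the live system) so the two render functions can be dry-run into a scratch directory before anything under /etc is touched.

```shell
#!/bin/sh
# Added example: restrict the PVE web GUI to the LAN side (192.168.14.0/24).
# Assumptions: management IP 192.168.14.1 on vmbr1; ROOT is a path prefix for
# dry runs (ROOT="" writes to the real /etc).
ROOT="${ROOT:-}"
LAN_NET="192.168.14.0/24"
LAN_IP="192.168.14.1"

# Option 1: datacenter-level firewall (/etc/pve/firewall/cluster.fw).
# Input policy DROP, then explicit accepts for the GUI (8006) and SSH (22)
# from the LAN only. Accept rules are listed before the drop rules, as aaron
# notes; the trailing drops keep the intent explicit even if someone later
# flips policy_in back to ACCEPT.
write_firewall_cfg() {
    mkdir -p "$ROOT/etc/pve/firewall"
    cat > "$ROOT/etc/pve/firewall/cluster.fw" <<EOF
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN ACCEPT -source $LAN_NET -p tcp -dport 8006
IN ACCEPT -source $LAN_NET -p tcp -dport 22
IN DROP -p tcp -dport 8006
IN DROP -p tcp -dport 22
EOF
}

# Option 2: make pveproxy bind only to the LAN address (LISTEN_IP), and use
# its own host-based access control as a second, independent layer.
write_pveproxy_cfg() {
    mkdir -p "$ROOT/etc/default"
    cat > "$ROOT/etc/default/pveproxy" <<EOF
LISTEN_IP="$LAN_IP"
ALLOW_FROM="$LAN_NET"
DENY_FROM="all"
POLICY="allow"
EOF
}

# Apply on the node and verify. Run it from a session on the LAN side and keep
# that session open until a fresh login over 192.168.14.x works, so a mistake
# in the rules cannot lock you out.
apply_and_check() {
    write_firewall_cfg
    write_pveproxy_cfg
    pve-firewall compile >/dev/null   # rejects a malformed cluster.fw
    systemctl restart pveproxy
    ss -ltn | grep ':8006'            # expect only 192.168.14.1:8006 listening
    pve-firewall status
}

if [ "${1:-}" = "apply" ]; then
    apply_and_check
fi
```

Run with `ROOT=/tmp/dryrun sh lockdown.sh; cat /tmp/dryrun/etc/pve/firewall/cluster.fw` to inspect the output first, then `sh lockdown.sh apply` on the node. Both functions overwrite the target file, so merge by hand if cluster.fw or /etc/default/pveproxy already carries other settings. Note also that the Proxmox firewall documentation says enabling the firewall still leaves 8006 and 22 reachable from the host's own management network, so the rules only fully match the OP's goal once the management address lives on vmbr1 as leesteken suggested.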
Two more options, besides what @leesteken suggested:

First: enable the firewall on the datacenter or host level (the latter will only apply to the individual host) and disable all incoming, except with 192.168.14.0/24 as source (first the accept from that source, then the block/drop rule).

Second: configure pveproxy to listen only on a specific IP, see https://pve.proxmox.com/pve-docs/pveproxy.8.html#pveproxy_listening_address

I only skimmed this wall of text, but be aware that there can only be one default gateway. For more specific routes to other networks, you will need to configure them manually.

If you have trouble, please open a new thread and provide all the details concisely. The easier it is to understand what you have and where the problem is, the more likely people will answer.
As a quick hint, look into `post-up` and `post-down` commands for the `interfaces` file where you can use the `ip` tool to add/remove more specific routes.
Thanks for your quick reply Aaron. My issue is the exact same issue as the OP, the limitation of using the same gateway for each network. I just wanted confirmation that Proxmox VE has this limitation, because then Proxmox is no fit with my current architecture. I'm moving from VMware Workstation Pro, but it will be easier and safer to migrate back to that solution than use the proposed workarounds.
So I can move on, thanks!
Thomas
 
This is regular networking. There can only be one default gateway to which the host (not the VMs, they have their own routing table) will send all packets for which it has no specific route.
If you have other networks, that need to be reached via a different gateway that is not the default gateway, you need to specify it in the routing table.
Again, this is nothing Proxmox VE specific, but just how networking works.

If you come from desktop virtualization (VMware Workstation), that might have been handled more automatically by it.
 
Expanding on this:

If you want to route packets based on the destination address of the packet:

Code:
ip route add 192.0.2.0/24 via 198.51.100.0

This will send packets with destination address in the subnet 192.0.2.0/24 to 198.51.100.0


If you want to route based on the source address of the packet - then you need policy-based routing:

Code:
ip rule add from 192.0.2.0/24 table example
ip route add 192.0.2.0/24 dev <dev> table example
ip route add default via 192.0.2.1 table example

This adds a separate routing table for all packets with source address in 192.0.2.0/24. Then all packets with that source address will use that routing table instead of the default routing table.


You can also combine both, e.g. route a packet with a specific source address and a specific destination address:

Code:
ip rule add from 192.0.2.0/24 table example
ip route add 192.0.2.0/24 dev <dev> table example
ip route add 198.51.100.0/24 via 192.0.2.1 table example


You only need this if you want to go from one subnet to another. If you have a subnet 192.0.2.0/24 on a device, then all packets to that subnet will automatically leave the device that has this subnet configured - no need to do anything there.


There's also the possibility of using VRFs for that, see [1]
[1] https://docs.kernel.org/networking/vrf.html
 
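The policy-routing reply above and aaron's earlier hint about `post-up`/`post-down` in the `interfaces` file describe the same thing from two sides: the runtime `ip rule`/`ip route` commands, and where to persist them. The block below joins them as an added example that is not code from this thread or from Proxmox. It is built for Thomas's situation (two bridges, each on a routed network with its own router) and every address in it is a constructed assumption: vmbr0 at 192.168.1.50/24 behind 192.168.1.1 (the single default gateway), vmbr1 at 192.168.14.10/24 behind 192.168.14.1, NICs eno1/eno2, and an extra routing table named lan14 with id 100. Only vmbr0 carries a `gateway` line; replies sourced from the vmbr1 address are steered by a source-based rule into the lan14 table, which has its own default route.

```shell
#!/bin/sh
# Added example: persist source-based policy routing for a second bridge via
# ifupdown2 post-up/pre-down hooks. All addresses and names are constructed.
WAN_IF="eno1"; WAN_ADDR="192.168.1.50/24"; WAN_GW="192.168.1.1"
LAN_IF="eno2"; LAN_ADDR="192.168.14.10/24"; LAN_NET="192.168.14.0/24"; LAN_GW="192.168.14.1"
TABLE_ID=100; TABLE_NAME="lan14"

# Line to append to /etc/iproute2/rt_tables so the table can be named in rules.
render_rt_tables_entry() {
    printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME"
}

# /etc/network/interfaces: exactly one "gateway" (on vmbr0). vmbr1 gets no
# gateway line; instead its hooks install a rule that sends packets sourced
# from the LAN subnet to the lan14 table, where a second default route lives.
render_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

auto vmbr0
iface vmbr0 inet static
    address $WAN_ADDR
    gateway $WAN_GW
    bridge-ports $WAN_IF
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address $LAN_ADDR
    bridge-ports $LAN_IF
    bridge-stp off
    bridge-fd 0
    # source-based rule: traffic from the LAN address consults table $TABLE_NAME
    post-up ip rule add from $LAN_NET table $TABLE_NAME priority 100
    post-up ip route add $LAN_NET dev vmbr1 table $TABLE_NAME
    post-up ip route add default via $LAN_GW table $TABLE_NAME
    # undo in reverse order so ifdown leaves no stale rule behind
    pre-down ip route del default via $LAN_GW table $TABLE_NAME
    pre-down ip route del $LAN_NET dev vmbr1 table $TABLE_NAME
    pre-down ip rule del from $LAN_NET table $TABLE_NAME priority 100
EOF
}

# Sanity check for the thread's central point: the rendered config must carry
# exactly one default gateway, or ifupdown2 installs conflicting default routes.
count_default_gateways() {
    render_interfaces | grep -c '^[[:space:]]*gateway '
}

# On the node, after "ifreload -a": show the rule, the extra table, and main.
show_routing() {
    ip rule show
    ip route show table "$TABLE_NAME"
    ip route show
}
```

Use `render_rt_tables_entry >> /etc/iproute2/rt_tables` and `render_interfaces > /etc/network/interfaces` (after backing up the existing file and adjusting the addresses), then `ifreload -a` and `show_routing`. With this in place the host answers a client on 192.168.14.0/24 through 192.168.14.1 and everything else through 192.168.1.1, which is the behaviour Thomas expected from a "second gateway" without ever adding a second default route to the main table.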