Any way to isolate VMs on same VLANs/bridge?

EdoFede

Nov 10, 2023
Hi,

I'm planning a migration on a new PVEs infrastructure of many VMs.

One customer has a lot (50, growing) of tiny VMs on the same subnet that need only internet access (in/out).
They asked if we can "isolate" these VMs.

In the "classic" way, for every VM we have to:
- create a VLAN (on PVE and switches)
- create a subnet, rules, 3 IPs (pfSense with HA) on the firewall
- configure the VM for the new network
A very long activity (somewhere scriptable, somewhere not)...

Is there any way to achieve "VM isolation" in Proxmox VE for a set of VMs that are on the same VLAN/bridge?

In simple terms: every VM on the same VLAN/subnet must talk only with the default gateway and not with other VMs.

Thanks in advance for any solutions or suggestions!

Bye,
Edoardo
 
Security group added to all VM firewalls that drops all packets that are not coming from/targeting the gateway? But of course not as isolated as running VLANs. Haven't had time to tamper around with the new SDN feature, but maybe there you find something.
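The security group described in the reply above, written out as Proxmox VE firewall configuration; this is an added example, not configuration from the thread. The gateway address 192.0.2.1, the IP set and group names and `<vmid>` are placeholders, and each guest NIC must carry the firewall flag (`firewall=1` on its `netX` line) or the rules are never applied to that interface.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level)
[OPTIONS]
enable: 1

# Addresses the guests are allowed to reach on their own subnet.
# 192.0.2.1 is a constructed placeholder for the pfSense CARP VIP;
# add the two HA node addresses only if the guests must reach them.
[IPSET gateways]
192.0.2.1

# Reusable security group: pin a guest to the gateway in both directions.
# Rules are evaluated top to bottom; the closing DROPs are explicit so the
# group still isolates even if a VM's default policy is left at ACCEPT.
[group isolate-to-gw]
IN ACCEPT -source +gateways -log nolog
OUT ACCEPT -dest +gateways -log nolog
IN DROP -log warning
OUT DROP -log warning

# /etc/pve/firewall/<vmid>.fw  (one per guest; <vmid> is a placeholder)
# Requires firewall=1 on the guest's netX line, e.g.
#   qm set <vmid> -net0 virtio,bridge=vmbr0,firewall=1
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP
dhcp: 1          # only needed if the gateway also hands out leases

[RULES]
GROUP isolate-to-gw
```

After saving, `pve-firewall compile` prints the generated rules for inspection, and a ping from a neighbouring VM on the same bridge should fail while the gateway still answers. This blocks IP traffic between guests but they still share one broadcast domain, so it is a weaker boundary than a VLAN per VM.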
 
Tried today with PVE Firewall, but seems to do nothing in this case.
I've started 3 VMs, one pinging the other two.
Enabled Firewall on one of the "pinged" VMs with DROP policy, nothing happens, ping works.
(of course, I've enabled Firewall also on Datacenter page and on the VMnet adapter).

I was hoping it could be done this way but no success.
And that seems right of course, because firewall works on Layer 3 and I have all the VMs on the same net.

Thanks for your suggestion