Assign static IPs to KVM guests

commgdog

May 14, 2015
I have searched around the web the last couple of days, but can't seem to find what I am looking for.

Here is my situation:

I have a machine installed in a datacenter with a /26 of public IPs assigned to it (into eth0).

I set up a bridge within Proxmox and everything works as intended (assigning the public IPs within the KVM guests).

My concern is that some clients that have access to some of the KVM guests could potentially change their guest's IP to anything on the bridge (whether it be intentional or accidental) and cause issues.

Is it possible within the Proxmox host to build the network in such a way that each KVM guest on the host can only use a specific IP address from the bridge?

I thought about setting up a pfSense guest to do the networking, but I would like to keep it all within Proxmox if possible.

Is this possible?
 
I have solved my own issue, here is how I did it (using the Proxmox firewall within the web GUI):


  • Log into the Proxmox web GUI
  • With the view in the top right set to "Server View", select the "Datacenter" folder right below it
  • Select the "Firewall" tab to the right to configure the firewall

Since I enabled the firewall, I had to set some rules to allow traffic to the web GUI (TCP 8006) and SSH (TCP 22)


  • On the "Firewall" tab, go to "Add" and add the following rules:

Direction: in | Action: ACCEPT | Protocol: tcp | Dest. port: 8006
Direction: in | Action: ACCEPT | Protocol: tcp | Dest. port: 22

Leave all of the other fields blank except the ones described above

  • While on the "Firewall" tab, look on the bottom of the page for another tab titled "Options" and select it
  • Edit the option "Enable Firewall" to "Yes"
  • Next, select the node in which the guest KVM machine is that you want to assign an IP to and select the "Firewall" tab again
  • Select the "Options" tab at the bottom again and make sure that the option "Enable Firewall" is set to "Yes"
  • Select the KVM guest now on the server view tree to the left which you want to assign an IP to
  • Under the hardware tab, select the network device you are using (net0 in my case) and make sure that the "Firewall" box is checked.
Note: when you do this, it should append firewall=1 to the string of options

Since I enabled the firewall for the guest KVM machine, I had to add a rule to accept traffic (by default, I don't think there are any traffic rules)


  • Select the "Firewall" tab and click "Add" to add the following rules:

Direction: in | Action: ACCEPT

Leave all of the other fields blank except the ones described above, this rule should allow all traffic to pass to the VM, you could theoretically add more rules here if you only wanted to let certain traffic pass


The above guide is for enabling the firewall, the next part is how I was able to assign an IP that the KVM guest was allowed to use
Note: At this point I restarted the node, I am not sure if you have to do this for the firewall to take effect, but it might not hurt

To assign an IP, I had to set up an "ipfilter" to prevent IP spoofing



  • With the VM you want to assign an IP selected, select the "Firewall" tab and select the "IPSet" tab at the bottom of the page

The page that comes up should be split into two parts. To the left, you should see a list of "IPSet" configurations and to the left, you should see a list of "IP/CIDR" configurations.


  • Select "Create" on the left "IPSet" side and create a new "IPSet" with the name "ipfilter-net0" where the "-net0" portion is the network device that you are using on the VM, comment is optional
  • Select the new rule you made on the "IPSet" side and then click the "Add" button on the left "IP/CIDR" side
  • For the "IP/CIDR" field, type in the IP address you want to allot to the VM, for example. This IP has to be a valid one that is on the interface (net0) attached to the VM
  • Make sure that "nomatch" is unchecked, comment is optional

And that's it!

The IP that you put in will be the only IP that will work on the KVM guest. Within the guest, set the IP to the one that was typed in.

This configuration can also be done by editing files on the Proxmox server itself via ssh, you can follow the guides here. (look for the "Standard IP set 'ipfilter'" section)

I am interested in seeing if there are any other ways to do this, or if this way is even valid (I'm not sure if I have caused any hidden issues by doing it this way).

Any feedback would be appreciated.
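An added example, not part of the original post: a small audit of the two settings the procedure above depends on, the firewall=1 flag on each network device and a non-empty "ipfilter-netN" IPSet for it. It assumes the file layouts of /etc/pve/qemu-server/<VMID>.conf and /etc/pve/firewall/<VMID>.fw; the sample contents, MAC addresses and IP address are constructed.

```python
import re
# Constructed samples (not from the original post); the address is a documentation range.
SAMPLE_VM_CONF = """\
net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1
net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr0
"""
SAMPLE_VM_FW = """\
[OPTIONS]
enable: 1
[IPSET ipfilter-net0] # only this address may be used on net0
192.0.2.10
[RULES]
IN ACCEPT
"""

def parse_nics(conf_text):
    """Map each netN device of a VM config to whether firewall=1 is set."""
    nics = {}
    for line in conf_text.splitlines():
        m = re.match(r"^(net\d+):\s*(.+)$", line)
        if m:
            nics[m.group(1)] = "firewall=1" in [o.strip() for o in m.group(2).split(",")]
    return nics

def parse_ipsets(fw_text):
    """Map each [IPSET name] section of a guest .fw file to its entries."""
    sets, current = {}, None
    for raw in fw_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        head = re.match(r"^\[(\w+)(?:\s+([\w-]+))?\]$", line)
        if head:  # a new section starts; only IPSET sections are collected
            current = head.group(2) if head.group(1).upper() == "IPSET" else None
        elif line and current:
            sets.setdefault(current, []).append(line)
    return sets

def audit(conf_text, fw_text):
    """Return findings for NICs whose source address is not pinned."""
    ipsets, findings = parse_ipsets(fw_text), []
    for nic, fw_on in sorted(parse_nics(conf_text).items()):
        if not fw_on:
            findings.append(f"{nic}: firewall=1 not set on the network device")
        if not ipsets.get(f"ipfilter-{nic}"):
            findings.append(f"{nic}: IPSet ipfilter-{nic} missing or empty")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_VM_CONF, SAMPLE_VM_FW)) or "all NICs pinned")
```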
 
It works only for outgoing traffic, but not for incoming.
Proxmox did not create a rule, but it needs to create:
-A tap100i0-IN -m set ! --match-set PVEFW-100-ipfilter-net0-v4 dst -j DROP

Example like outgoing:
-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP

Why?
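An added example, not part of the post above: a check over `iptables-save` output that reports, per guest tap device, which direction has no ipfilter DROP rule of the form quoted in the post. The sample rule lines are constructed, and only the IPv4 set naming shown in the post is matched.

```python
import re

# Constructed iptables-save excerpt modelled on the two rules quoted in the post.
SAMPLE_RULES = """\
-A tap100i0-OUT -m set ! --match-set PVEFW-100-ipfilter-net0-v4 src -j DROP
-A tap100i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
-A tap101i0-OUT -m set ! --match-set PVEFW-101-ipfilter-net0-v4 src -j DROP
-A tap101i0-IN -m set ! --match-set PVEFW-101-ipfilter-net0-v4 dst -j DROP
"""

# Groups: tap device, chain direction, address side tested against the set.
RULE = re.compile(
    r"^-A (tap\d+i\d+)-(IN|OUT) .*-m set ! --match-set "
    r"PVEFW-\d+-ipfilter-net\d+-v4 (src|dst) -j DROP$"
)

def missing_directions(rules_text):
    """Return {tap_device: [chains without an ipfilter DROP rule]}."""
    seen = {}
    for line in rules_text.splitlines():
        m = RULE.match(line.strip())
        # OUT must test the source address, IN the destination address.
        if m and (m.group(2), m.group(3)) in (("OUT", "src"), ("IN", "dst")):
            seen.setdefault(m.group(1), set()).add(m.group(2))
    return {dev: sorted({"IN", "OUT"} - chains)
            for dev, chains in sorted(seen.items()) if chains != {"IN", "OUT"}}

if __name__ == "__main__":
    for dev, chains in missing_directions(SAMPLE_RULES).items():
        print(f"{dev}: no ipfilter DROP rule in {', '.join(chains)}")
```

On a host, the function can be fed the text captured from `iptables-save` instead of the constructed sample.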
 
I found something else, pretty basic, but it works great.
danpros.com/2017/09/assign-static-ips-to-kvm-guests-using-dhcp-in-proxmox
 
Hi @commgdog

That was a nice piece of information.
Are you perhaps on IRC? It looks like you have done pretty much what I am looking forward to doing.

I have a few questions, advise is the best.

Regards,

Foster
 
