Block input port in a physical node, but allow it inside the node

hectorium

Feb 5, 2021
I have installed PROXMOX OS in a server.
This server has a network interface called "eno1" connected to a private network. I have created a bridge vmbr0 using eno1, and Proxmox has the IP address 172.16.26.1.
I have created a lot of virtual machines connected to vmbr0 bridge. They have 172.16.26.2 and so on as IP addresses.

Then, what I want to accomplish is to set up a DHCP server inside one of the VMs inside the PROXMOX node, but one which is not supplying IP addresses to the elements outside the physical server. Only other VMs inside the same physical PROXMOX node can use it, and machines in the "private network" can't.

I am starting to use Proxmox and managing networks, and I am still learning to manage networks.

My first idea was to block port 67 (DHCP) for input traffic in my physical server. But as I have a vmbr0 bridge, I am really confused and I don't know how to do it in Proxmox. I tried to block port 67 on vmbr0 using the Proxmox Web UI at the node level of the firewall, but it just blocks DHCP for the Proxmox OS itself. Machines outside the server can still use the DHCP server.

Is there any way to accomplish this task?

proxmox_idea.png
 
I think you can create a rule to allow DHCP ports for all the VMs.
Then another rule that blocks DHCP ports.
As the firewall inspects the rules sequentially, if the first rule matches, the process stops and the second rule is not used.
Regards
Maybe I was not clear enough, sorry. My main concern is NOT ALLOWING serving DHCP requests from machines outside the node.

Your proposal, if I understood correctly, doesn't work because DHCP requests don't have any IP (obviously, because the reason for a DHCP request is to get an IP). So, I cannot filter which DHCP request comes from a VM and which request comes from the outside.
 
My mistake ... I don't clearly understand.
The firewall only knows what to do by looking at IP or TCP ports.
You're right, as you do not have an IP yet you cannot use the 2 rules I proposed.

In DHCP, you can assign IP addresses based on MAC address with lines in your DHCP config like:

host server1 {
    hardware ethernet <mac address>;
    fixed-address <ip address>;
}

It's not very flexible since you have to declare all your VMs, and if you add a VM, you'll have to add the new server in your DHCP conf.
But with the correct setup in DHCP, you will only serve the VMs declared.
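
Added example, not part of the thread and not Proxmox or ISC code: one way to avoid declaring every VM by hand is to generate the host entries from the VM configs, keeping only NICs attached to vmbr0. The function names, the sample MAC addresses and the /24 netmask are assumptions; the input mimics the `netN:` lines of /etc/pve/qemu-server/<vmid>.conf. Since a client chooses the MAC address it sends, this stops unintended leases to undeclared machines rather than authenticating anyone.

```python
import ipaddress
import re

# Constructed sample: text of Proxmox VM configs (/etc/pve/qemu-server/<vmid>.conf),
# keyed by VM ID. The MAC addresses are made up for illustration.
SAMPLE_CONFIGS = {
    101: "name: web\nnet0: virtio=BC:24:11:00:00:65,bridge=vmbr0,firewall=1\n",
    102: "name: db\nnet0: e1000=BC:24:11:00:00:66,bridge=vmbr0\n"
         "net1: virtio=BC:24:11:00:00:67,bridge=vmbr1\n",
}

# Matches e.g. "net0: virtio=BC:24:11:00:00:65,bridge=vmbr0,firewall=1"
NET_LINE = re.compile(
    r"^net(\d+):\s*\w+=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}),(.*)$", re.M)


def vm_macs(configs, bridge="vmbr0"):
    """Return sorted (vmid, nic_index, mac) for every NIC attached to `bridge`."""
    found = []
    for vmid, text in configs.items():
        for idx, mac, opts in NET_LINE.findall(text):
            if f"bridge={bridge}" in opts.split(","):
                found.append((vmid, int(idx), mac.lower()))
    return sorted(found)


def render_dhcpd_conf(configs, network="172.16.26.0/24", first_host=2):
    """Build a dhcpd.conf that answers only the MAC addresses found above."""
    net = ipaddress.ip_network(network)  # netmask is an assumption
    lines = [
        f"subnet {net.network_address} netmask {net.netmask} {{",
        "  # No dynamic range: only declared hosts can get a lease.",
        "  deny unknown-clients;",
        "}",
    ]
    for offset, (vmid, idx, mac) in enumerate(vm_macs(configs)):
        lines += [
            f"host vm{vmid}-net{idx} {{",
            f"  hardware ethernet {mac};",
            f"  fixed-address {net.network_address + first_host + offset};",
            "}",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dhcpd_conf(SAMPLE_CONFIGS))
```

Addresses are handed out in VM ID order starting at 172.16.26.2, so regenerate the file and check it with `dhcpd -t` after adding or removing a VM.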
 
