Cluster with active and passive WAN connection security issue?

KlaverBoer

Nov 27, 2021
Hi all,

I recently installed my PVE cluster with 2 hosts. On the cluster I run a pfSense VM which acts as the gateway for my LAN and provides access to the internet WAN. Because I wanted the possibility to do an online migration of this VM between the 2 PVE hosts, I created a VMBR1 on both hosts which is connected to the internet WAN.

My ISP modem is in bridge mode. The modem's network cable is attached to a switch. The physical NICs in VMBR1 of both PVE hosts are also connected to this switch. VMBR1 does not have an IP address assigned to it. The pfSense VM is the only VM on the cluster which has a vNIC to VMBR0 and VMBR1. All my other VMs only have a vNIC to VMBR0. VMBR0 does have a local IP address assigned to it. VMBR1 doesn't have an IP assigned to it. The pfSense VM gets an IP address from my ISP provider on the WAN NIC.

Everything works fine. I can do a live migration of the pfSense VM without any issues.

If the pfSense VM is running on PVE host 1, will there be a security issue on the PVE host 2 WAN port, when there is no VM connected to VMBR1 on that host?

I have attached a simple overview of my Proxmox situation. Any advice is welcome.

Thanks in advance
 

Attachments

  • proxmox.jpg
I do not think that this is a security issue as long as access on the Proxmox nodes is restricted.
Anyway, I don't know which provider you have, but the switch at the WAN side should only send packages through one port anyway.

Anyone else: If I'm missing something here, feel free to correct me.
 
Thanks for your reply. That's correct, my provider only connects with one interface and that is the WAN in VMBR1 on my pfSense VM. Is there anything I can do to restrict it even more? Or leave it as it is.
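
Added example, not part of the original thread: a shell check that the WAN bridge described above (vmbr1) really carries no host address on a node, by parsing the one-line output of `ip -o addr show`. The sample outputs are constructed; the "leaky" one includes an IPv6 link-local address, which Linux can autoconfigure on an interface that has no address set in its configuration.

```shell
#!/bin/sh
# Added example: audit that a bridge carries no host IP address.
# Input on stdin is the text of `ip -o addr show` (one address per line).

# Print "family address/prefix" for every address bound to interface $1.
bridge_addrs() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# Return 0 if interface $1 has no address in the input, 1 otherwise.
audit_bridge() {
    found=$(bridge_addrs "$1")
    if [ -n "$found" ]; then
        printf 'FAIL %s has host addresses:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    printf 'OK %s has no host addresses\n' "$1"
}

# Constructed sample: vmbr0 has the LAN address, vmbr1 has no configured
# address but picked up an IPv6 link-local one.
SAMPLE_LEAKY='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: vmbr0    inet 192.168.1.10/24 scope global vmbr0\       valid_lft forever preferred_lft forever
4: vmbr0    inet6 fe80::1111:22ff:fe33:4444/64 scope link \       valid_lft forever preferred_lft forever
5: vmbr1    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link \       valid_lft forever preferred_lft forever'

# Constructed sample: vmbr1 does not appear at all, so it has no address.
SAMPLE_CLEAN='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: vmbr0    inet 192.168.1.10/24 scope global vmbr0\       valid_lft forever preferred_lft forever'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_CLEAN" | audit_bridge vmbr1
printf '%s\n' "$SAMPLE_LEAKY" | audit_bridge vmbr1 || true

# On a live node (run on each PVE host):
#   ip -o addr show | audit_bridge vmbr1
```
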
 
