ESXi/NSX-T to Proxmox and microsegmentation ..

Whitehawk29

New Member
Feb 25, 2024
Hello guys,

What would be your network/firewall setup if we ask you to migrate a cluster of 5 ESXi servers with NSX-T microsegmentation/multiple tenants to a fresh new Proxmox cluster?
SDN with zones/vnet/vlan (or vxlan?) and Proxmox firewall would be equivalent to NSX-T?

Thank you !!
 
For firewalling/microsegmentation, you don't need SDN (no need of NSX-T equivalent), it's working at bridge level with any kind of network.

If you want something like NSX (with routed vxlan, anycast routers, ...) you can use SDN with bgp-evpn.
 
I don't believe Proxmox has an equivalent to NSX-T Manager in the sense of T0 and T1 Edges and Firewalling. You would need to make use of the new SDN features in Proxmox as Spirit indicated, and then use separate firewalls (e.g. OPNsense) and attach the vxlan segments (instead of geneve) to these firewalls for as indicated Customers. I stand under correction.
 
Technically, you could use the evpn exit-node as edge firewall (using Proxmox host rules). But you don't have NAT 1:1 currently.

Personally, I'm firewalling directly on the node, don't care too much about edge firewalling.

Another option could be to use a pfSense/OPNsense/... or any other VM as edge firewall (through vlan/vxlan/whatever you want).
 
I think from a feature set in NSX-T, you had the option of T1 Edges, that you could provide clients via the use of something like VCD, which gave a client full access to load balancing, Firewalling and Routing Feature sets, which in order to try and replicate you end up having to give a customer some sort of access to a Firewall.
 
Still not ready, maybe in the future:
https://bugzilla.proxmox.com/show_bug.cgi?id=3382

Note that with the current Proxmox firewall implementation, you can give permissions to a customer with an ACL on his VM.
 
But can we do microsegmentation? Restricting East to West traffic between VMs? Restricting specific traffic between two groups like Staging and Production, etc.?
Any guide/doc, please share it. :)
Yes, sure, simply use the firewall feature on the VM. It's done at bridge level, so it works between 2 VMs on the same network.

It needs to be done VM by VM currently.

But you can create security groups at datacenter level (security group = a group of rules), then add the common security group in the VM(s) firewall(s).
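
The approach from the last reply (security groups defined at datacenter level, then attached VM by VM) could look like this for the Staging/Production case asked about above. This is an added example, not part of the original posts; the group and IP set names, addresses, ports and VMID 101 are constructed.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level)
[OPTIONS]
# Enabling the datacenter firewall also applies to traffic to the hosts,
# so check management access to the nodes before switching it on.
enable: 1

# Constructed addresses: one IP set per environment.
[IPSET production]
10.10.0.11
10.10.0.12

[IPSET staging]
10.10.0.21
10.10.0.22

# Security group = a reusable list of rules.
[group production]
# Production VMs may reach each other on the application ports only.
IN ACCEPT -source +production -p tcp -dport 443
IN ACCEPT -source +production -p tcp -dport 5432

[group staging]
IN ACCEPT -source +staging -p tcp -dport 443
IN ACCEPT -source +staging -p tcp -dport 5432

# /etc/pve/firewall/101.fw  (one file per VM; 101 is a constructed VMID)
# The VM's network device must also have its firewall flag set (firewall=1).
[OPTIONS]
enable: 1
# Anything the group does not accept is dropped, including traffic from
# staging VMs on the same bridge.
policy_in: DROP

[RULES]
GROUP production
```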
 
