Firewall limit Web UI access


New Member
Jan 5, 2019
So far I've one PVE node with two NIC. One is LAN (enp7s0 / vmbr0) and one is DMZ (enp8s0 / vmbr1). I would like to prevent anything on the DMZ from accessing the PVE Web UI.

Can I do this using the Datacenter firewall UI? I tried the following from the Web but it didn't work when testing from a VM on the DMZ network.

Direction: In
Action: Drop
Interface: vmbr1
Destination: (my PVE server)

Surprisingly, I found that it did work if I switched on the individual node firewall, but I assume that wouldn't scale well if/when I graduate to a cluster.

This post explained that you have to enable the firewall on node(s) in order for the Datacenter rules to take effect.

(sorry, new users not allowed to post links: Google for kiloroot secure proxmox firewall)

Only thing I'm not sure about is why they advocate
Datacenter –> Firewall Tab –> Options –> Input Policy: ACCEPT
Followed by adding a DROP rule. Drop appears to be the default now for the Datacenter firewall.


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!