Firewall rules for PVE cluster and VMs storage traffic

trigg3r

Aug 3, 2019
In my test environment I built a small PVE cluster: 2 nodes, both with 4 NICs connected to:

NIC1: 192.168.1.0 LAN
NIC2: 192.168.5.0 subnet dedicated to VMs backup traffic
NIC3: 192.168.6.0 subnet dedicated to PVE VMs NFS storage (a NAS share)
NIC4: 192.168.7.0 subnet dedicated to PVE cluster

I want to enable Proxmox firewall features, so: what is the suggested firewall configuration for "PVE cluster" and "VMs storage" traffic?

TIA!
 
Thanks ph0x!

Related to cluster subnet: the PVE firewall documentation says:
"Standard IP Alias local_network
...
The firewall automatically sets up rules to allow everything needed for cluster communication (corosync, API, SSH) using this alias."

But in my case the cluster subnet (192.168.7.0) is not the auto-detected local network (192.168.1.0). So, I see 2 ways to solve this:

1) create all the firewall rules for 192.168.7.0 nodes (based on "Ports used by Proxmox VE")

2) override local_network aliases:
[ALIASES]
local_network 192.168.7.0/24

It seems to me that 2) is preferable. Do you agree with me?
 
I did it with the other solution. I'd rather have such stuff under control than rely on built-in stuff which might change over time or have some other implications that I don't know about.
But I guess your way is also possible.
 
I made some tests and it seems to me that this is the minimum configuration to have the cluster working on the 192.168.7.0 subnet and administration services (ssh, web interface) working on the 192.168.1.0 subnet:

[OPTIONS]
enable: 1

[ALIASES]
local_network 192.168.7.0/24

[IPSET management]
192.168.1.0/24

(and I don't really understand what the cluster_network alias mentioned in the documentation is ...)
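
A pre-flight check for the configuration discussed in this thread, added here as an example and not part of any post or of Proxmox itself: it parses cluster.fw-style text and reports cluster or admin addresses that the local_network alias or the management IP set would leave uncovered. The node and admin addresses in the usage are constructed, and IP set entries are assumed to be literal CIDRs.

```python
import ipaddress

# Constructed sample mirroring the configuration posted in the thread.
SAMPLE_FW = """\
[OPTIONS]
enable: 1
[ALIASES]
local_network 192.168.7.0/24
[IPSET management]
192.168.1.0/24
"""

def parse_fw(text):
    """Return (options, aliases, ipsets) parsed from cluster.fw-style text."""
    options, aliases, ipsets, section = {}, {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").split()   # e.g. ["IPSET", "management"]
        elif section[:1] == ["OPTIONS"]:
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section[:1] == ["ALIASES"]:
            name, cidr = line.split()[:2]
            aliases[name] = ipaddress.ip_network(cidr, strict=False)
        elif section[:1] == ["IPSET"] and len(section) == 2:
            # Assumption: entries are literal CIDRs (no alias names, no "!" entries).
            net = ipaddress.ip_network(line, strict=False)
            ipsets.setdefault(section[1], []).append(net)
    return options, aliases, ipsets

def check(text, cluster_ips, admin_ips):
    """List findings that would cut off cluster or management traffic."""
    options, aliases, ipsets = parse_fw(text)
    problems = []
    if options.get("enable") != "1":
        problems.append("firewall not enabled")
    local = aliases.get("local_network")
    for ip in cluster_ips:
        if local is None or ipaddress.ip_address(ip) not in local:
            problems.append(f"cluster address {ip} outside local_network")
    mgmt = ipsets.get("management", [])
    for ip in admin_ips:
        if not any(ipaddress.ip_address(ip) in net for net in mgmt):
            problems.append(f"admin address {ip} not in management ipset")
    return problems
```

Calling `check(SAMPLE_FW, ["192.168.7.11", "192.168.7.12"], ["192.168.1.50"])` returns an empty list for the posted configuration; an address on the backup or storage subnet passed as an admin address is reported as not covered.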
 
