It’s like simulating two hosts that connect to an external firewall through separate network interfaces.
But I’ve found that this seemingly simple feature is actually quite difficult to implement on PVE.
I plan to route all traffic from the virtual machines through an external firewall for traffic analysis or other purposes. The vmbr0 bridge in PVE is connected to the LAN port of the external firewall.
Because the virtual machines are on the same bridge and in the same subnet, the bridge forwards traffic internally directly based on the known MAC addresses.
I tried:
- Isolating the ports or using an ebtables firewall will cause them to be unable to communicate with each other.
- Creating a separate bridge for each virtual machine and connecting it to the internal firewall VM is basically a crappy approach.
- The internal firewall in PVE is quite rudimentary, and traffic cannot be analyzed directly.
From my search, this seems to be the Private VLAN feature on ESXi, but it is rarely supported on Linux. Since my hardware isn’t compatible with ESXi, I have to continue using PVE.
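To make the two behaviours described above concrete (the bridge delivering VM-to-VM frames directly once it has learned the MACs, and port isolation cutting the VMs off from each other entirely), here is an added toy model of a learning bridge with per-port isolation; it is illustration code, not from the post or from Proxmox, and the port and MAC names are constructed.

```python
# Toy model of a learning Linux bridge with per-port isolation.
# Constructed illustration; real forwarding lives in the kernel bridge module.

FW_MAC = "02:00:00:00:00:01"   # external firewall's LAN interface (constructed)
VM1_MAC = "02:00:00:00:00:11"  # constructed
VM2_MAC = "02:00:00:00:00:12"  # constructed
BCAST = "ff:ff:ff:ff:ff:ff"


class Bridge:
    def __init__(self, ports):
        self.ports = dict(ports)   # port name -> isolated flag
        self.fdb = {}              # learned MAC -> port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the ports a frame arriving on in_port is delivered to."""
        self.fdb[src_mac] = in_port  # source-address learning
        known = self.fdb.get(dst_mac)
        # Known destination: one port. Unknown or broadcast: flood the rest.
        candidates = [known] if known else [p for p in self.ports if p != in_port]
        delivered = []
        for port in candidates:
            if port == in_port:
                continue
            # Two isolated ports never exchange frames ("bridge link set ... isolated on").
            if self.ports[in_port] and self.ports[port]:
                continue
            delivered.append(port)
        return delivered


def run_scenario(isolate_vms):
    """vmbr0 with the uplink to the firewall plus two VM taps (PVE-style names)."""
    br = Bridge({"eno1": False, "tap101i0": isolate_vms, "tap102i0": isolate_vms})
    # Each host sends one broadcast (e.g. ARP) so the bridge learns where it lives.
    br.forward("eno1", FW_MAC, BCAST)
    br.forward("tap101i0", VM1_MAC, BCAST)
    br.forward("tap102i0", VM2_MAC, BCAST)
    return {
        "vm1_to_vm2": br.forward("tap101i0", VM1_MAC, VM2_MAC),
        "vm1_to_fw": br.forward("tap101i0", VM1_MAC, FW_MAC),
    }


if __name__ == "__main__":
    print("no isolation:", run_scenario(False))   # VM traffic never reaches eno1
    print("isolated taps:", run_scenario(True))   # VM-to-VM traffic is dropped
```

Without isolation the VM-to-VM frame goes straight to the other tap and the uplink never sees it; with isolation it is dropped outright, which is exactly why neither setting alone hairpins the traffic through the external firewall.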