How to restrict VMs from changing IP address?

J

justjosh

Active Member
Nov 4, 2019
99
0
26
59
Hello,

Have been looking around Proxmox for a bit, cannot seem to find an option to lock VMs to their allocated IP address.

Do I need to resort to a separate firewall box that runs DHCP? Any recommendations for this?

Thanks!
 
In the VMs firewall settings there is an option to enable "IP filter" (VM -> Firewall -> Options) in the GUI. Make sure you have enabled the firewall at the VM and datacenter level for the setting to take effect.
 
Stefan_R said:
In the VMs firewall settings there is an option to enable "IP filter" (VM -> Firewall -> Options) in the GUI. Make sure you have enabled the firewall at the VM and datacenter level for the setting to take effect.
Click to expand...
I'm looking for something that can be applied generally on the DC level so that once an IP has been assigned to a VM on setup, a change of the IP from within the VM would result in no connection being routed.
I do not even see an option to bind an IP to a VM in the GUI on setup, am I looking in the wrong place?
 
justjosh said:
I do not even see an option to bind an IP to a VM in the GUI on setup, am I looking in the wrong place?
Click to expand...
Ah sorry, I though you were talking about containers. No, VMs can not directly be assigned an IP address (since they have their own, seperate network stack). You can tell the guest to use a specific IP via Cloud-Init, but there's currently no firewall support for that built-in.

In your case, a DHCP/firewall combo or adding some 'iptables' commands to your deployment procedure.
 
Stefan_R said:
Ah sorry, I though you were talking about containers. No, VMs can not directly be assigned an IP address (since they have their own, seperate network stack). You can tell the guest to use a specific IP via Cloud-Init, but there's currently no firewall support for that built-in.

In your case, a DHCP/firewall combo or adding some 'iptables' commands to your deployment procedure.
Click to expand...
How would the IP tables work? I assume it would reside on the HV level? I know how to configure it if there was a device sitting in between functioning as a gateway but not sure how to do so if the VMs are exposed directly as the next hop on route.
Consider implementing such a feature as competitor product XCP-ng does have an option to lock an IP to a VM.
 
justjosh said:
How would the IP tables work? I assume it would reside on the HV level?
Click to expand...

Yes, ebtables can be used to filter bridge interfaces. Something like
Code: 
# ebtables -I FORWARD -s XX:XX:XX:XX:XX:XX -p ipv4 --ip-source ! 192.168.X.X -j DROP
should work. You'd need to make it persistent somehow.

The MAC address can be filtered by simply enabling the PVE firewall (for Datacenter, VM, *and* all the VM's interfaces!) and checking the "MAC filter" box in the VM's firewall options (default on).

justjosh said:
Consider implementing such a feature as competitor product XCP-ng does have an option to lock an IP to a VM.
Click to expand...
It's a bit tricky, since we don't know the VM's IP on the hypervisor level, but if you want you can open an issue on our bugtracker for further discussion.
 
Stefan_R said:
Yes, ebtables can be used to filter bridge interfaces. Something like
Code: 
# ebtables -I FORWARD -s XX:XX:XX:XX:XX:XX -p ipv4 --ip-source ! 192.168.X.X -j DROP
should work. You'd need to make it persistent somehow.

The MAC address can be filtered by simply enabling the PVE firewall (for Datacenter, VM, *and* all the VM's interfaces!) and checking the "MAC filter" box in the VM's firewall options (default on).
Click to expand...
Will look into this
It's a bit tricky, since we don't know the VM's IP on the hypervisor level, but if you want you can open an issue on our bugtracker for further discussion.
Click to expand...
An IP gets passed during cloud-init, surely there would be a way to store that and bind it? How XCP-ng does it is not automatic either, they have a field under XO that allows you to assign an IP to a VM and lock traffic to only that IP.
 
justjosh said:
An IP gets passed during cloud-init, surely there would be a way to store that and bind it?
Click to expand...
Only if using cloud-init. As I said, you can place feature requests on the bugtracker to give them more visibility and discussion, the idea doesn't sound bad in general to me.
 
I have an SRX5308 and am using Static DHCP. You assign an IP to a MAC address. You can set the MAC address on the VM's.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back