How to restrict VMs from changing IP address?

justjosh

Nov 4, 2019
Hello,

Have been looking around Proxmox for a bit, cannot seem to find an option to lock VMs to their allocated IP address.

Do I need to resort to a separate firewall box that runs DHCP? Any recommendations for this?

Thanks!
 
In the VM's firewall settings there is an option to enable "IP filter" (VM -> Firewall -> Options) in the GUI. Make sure you have enabled the firewall at the VM and datacenter level for the setting to take effect.
 
In the VM's firewall settings there is an option to enable "IP filter" (VM -> Firewall -> Options) in the GUI. Make sure you have enabled the firewall at the VM and datacenter level for the setting to take effect.
I'm looking for something that can be applied generally on the DC level so that once an IP has been assigned to a VM on setup, a change of the IP from within the VM would result in no connection being routed.
I do not even see an option to bind an IP to a VM in the GUI on setup, am I looking in the wrong place?
 
I do not even see an option to bind an IP to a VM in the GUI on setup, am I looking in the wrong place?
Ah sorry, I thought you were talking about containers. No, VMs cannot directly be assigned an IP address (since they have their own, separate network stack). You can tell the guest to use a specific IP via Cloud-Init, but there's currently no firewall support for that built-in.

In your case, a DHCP/firewall combo or adding some 'iptables' commands to your deployment procedure.
 
Ah sorry, I thought you were talking about containers. No, VMs cannot directly be assigned an IP address (since they have their own, separate network stack). You can tell the guest to use a specific IP via Cloud-Init, but there's currently no firewall support for that built-in.

In your case, a DHCP/firewall combo or adding some 'iptables' commands to your deployment procedure.
How would the IP tables work? I assume it would reside on the HV level? I know how to configure it if there was a device sitting in between functioning as a gateway but not sure how to do so if the VMs are exposed directly as the next hop on route.
Consider implementing such a feature as competitor product XCP-ng does have an option to lock an IP to a VM.
 
How would the IP tables work? I assume it would reside on the HV level?

Yes, ebtables can be used to filter bridge interfaces. Something like
Code:
# ebtables -I FORWARD -s XX:XX:XX:XX:XX:XX -p ipv4 --ip-source ! 192.168.X.X -j DROP
should work. You'd need to make it persistent somehow.

The MAC address can be filtered by simply enabling the PVE firewall (for Datacenter, VM, *and* all the VM's interfaces!) and checking the "MAC filter" box in the VM's firewall options (default on).

Consider implementing such a feature as competitor product XCP-ng does have an option to lock an IP to a VM.
It's a bit tricky, since we don't know the VM's IP on the hypervisor level, but if you want you can open an issue on our bugtracker for further discussion.
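
Added example, not part of the post above or of Proxmox itself: a POSIX shell function that turns a MAC-to-IP mapping into the ebtables rule quoted in the thread, validating each field first and printing the commands for review instead of applying them. It goes one step beyond the post by also emitting an ARP rule (`--arp-ip-src`); the function names and the mapping format are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): print ebtables rules that pin each
# VM MAC address to one IPv4 address. Input on stdin: "<MAC> <IPv4>" per
# line; blank lines and '#' comments are skipped. Nothing is applied here.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

gen_ip_lock_rules() {
    rc=0
    while read -r mac ip rest || [ -n "$mac" ]; do
        case $mac in ''|'#'*) continue ;; esac
        # Reject anything that is not exactly one MAC and one IPv4 address,
        # so a malformed mapping line can never end up in a root command.
        if [ -n "$rest" ] || ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            echo "rejected: $mac $ip $rest" >&2
            rc=1
            continue
        fi
        # Same match as the rule quoted in the thread.
        echo "ebtables -I FORWARD -s $mac -p ipv4 --ip-source ! $ip -j DROP"
        # Extension (assumption): also drop ARP claiming another sender IP.
        echo "ebtables -I FORWARD -s $mac -p ARP --arp-ip-src ! $ip -j DROP"
    done
    return "$rc"
}

# Constructed sample mapping; MACs and addresses are placeholders.
gen_ip_lock_rules <<'EOF'
# vm 100
BC:24:11:00:00:01 192.168.1.10
BC:24:11:00:00:02 192.168.1.11
EOF
```

Both rules also drop frames whose source address is 0.0.0.0, so a guest pinned this way cannot obtain its address over DHCP and needs a static or Cloud-Init configuration.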
 
Yes, ebtables can be used to filter bridge interfaces. Something like
Code:
# ebtables -I FORWARD -s XX:XX:XX:XX:XX:XX -p ipv4 --ip-source ! 192.168.X.X -j DROP
should work. You'd need to make it persistent somehow.

The MAC address can be filtered by simply enabling the PVE firewall (for Datacenter, VM, *and* all the VM's interfaces!) and checking the "MAC filter" box in the VM's firewall options (default on).
Will look into this
It's a bit tricky, since we don't know the VM's IP on the hypervisor level, but if you want you can open an issue on our bugtracker for further discussion.
An IP gets passed during cloud-init, surely there would be a way to store that and bind it? How XCP-ng does it is not automatic either, they have a field under XO that allows you to assign an IP to a VM and lock traffic to only that IP.
 
An IP gets passed during cloud-init, surely there would be a way to store that and bind it?
Only if using cloud-init. As I said, you can place feature requests on the bugtracker to give them more visibility and discussion, the idea doesn't sound bad in general to me.
 
I have an SRX5308 and am using Static DHCP. You assign an IP to a MAC address. You can set the MAC address on the VMs.
 
