How to separete network for some VMs form my normal home network

T

tegralens

Active Member
Nov 8, 2018
20
1
43
48
Hello all. I am new to proxmox and I do not know how I would separate and make an internal network. I used virtual box and it was easier to separate the network.

Can someone help me to see how I would accomplish this? See pic attached to how I was starting to do the network part.

Example.
10.0.0.0 Network (this will be my separate network for testing and all that stuff but will not have access to my home network)
VM1
VM2
VM3
I think It's possible that these can have access to the internet but not access my home internal normal network.


192.168.1.0 Network (home network)
VM4 - Would be my home network using my router which I also use for DHCP

I do not have a lot of experience with VLAN and New to Proxmox. (Been watching a lot of Videos) I would like to stay with Proxmox.

Any help will be appreciated. Thank you all for your hard work.

I am running a Dell PowerEdge R620 with a quad nic. One of the nics are being used now to access my home network. Which is how I can connect to Proxmox.
 

Attachments

  • 1.PNG
    1.PNG
    62.1 KB · Views: 61
tegralens said:
No help from anyone?
Click to expand...
Hi tegralens

There are several ways to use separate networks, depending on your infrastructure. The best way is to use VLANs and a firewall to connect them with the internet and to restrict access, even though you don't have much experience with VLANs or Proxmox. Otherwise you'll run into issues and limitations that you really want to avoid... ;)

In order to use VLANs, your switches should support tagged VLAN (IEEE 802.1Q). There are many affordable "smart managed" switches that support VLANs.

On Proxmox you can configure VLANs too, but if you don't have experience, then keep you fingers away ... ;) .

The best option for you could be to configure a "Linux bridge" as VLAN aware. You can use the existing bridge "vmbr0" on eno1 for this. Doing so, you won't have to configure any VLANs on Proxmox itself, but only on your switche(s). Then, you will have to assign a VLAN-ID to the network interface of the VMs, so they can connect to the right network. In example, we could use following definitions:

- VLAN 1 = Home network
- VLAN 10 = Test Lab network
- VLAN 20 = Transit network to the internet

In this case, you could create VMs for your home network assigning VLAN-ID 1 (just not entering any ID as VLAN-ID 1 is default) to the network interface of the VM. The same for VMs that you want to connect to the test lab network (ID 10) or tansit network (ID 20). A virtual firewall would need a network interface for each VLAN it have to connect to, so it would look like this

- FW eth0 (home), no VLAN-ID (default 1)
- FW eth1 (test), VLAN-ID 10
- FW eth2 (transit), VLAN-ID 20

These are the settings you need to change, in order to setup your network in a VLAN aware mode. IP configuration is made then on the VMs.

I hope that could help you with this information... :)

Regards,
 
Belegnor said:
Hi tegralens

There are several ways to use separate networks, depending on your infrastructure. The best way is to use VLANs and a firewall to connect them with the internet and to restrict access, even though you don't have much experience with VLANs or Proxmox. Otherwise you'll run into issues and limitations that you really want to avoid... ;)

In order to use VLANs, your switches should support tagged VLAN (IEEE 802.1Q). There are many affordable "smart managed" switches that support VLANs.

On Proxmox you can configure VLANs too, but if you don't have experience, then keep you fingers away ... ;) .

The best option for you could be to configure a "Linux bridge" as VLAN aware. You can use the existing bridge "vmbr0" on eno1 for this. Doing so, you won't have to configure any VLANs on Proxmox itself, but only on your switche(s). Then, you will have to assign a VLAN-ID to the network interface of the VMs, so they can connect to the right network. In example, we could use following definitions:

- VLAN 1 = Home network
- VLAN 10 = Test Lab network
- VLAN 20 = Transit network to the internet

In this case, you could create VMs for your home network assigning VLAN-ID 1 (just not entering any ID as VLAN-ID 1 is default) to the network interface of the VM. The same for VMs that you want to connect to the test lab network (ID 10) or tansit network (ID 20). A virtual firewall would need a network interface for each VLAN it have to connect to, so it would look like this

- FW eth0 (home), no VLAN-ID (default 1)
- FW eth1 (test), VLAN-ID 10
- FW eth2 (transit), VLAN-ID 20

These are the settings you need to change, in order to setup your network in a VLAN aware mode. IP configuration is made then on the VMs.

I hope that could help you with this information... :)

Regards,
Click to expand...

There is no need for a managed switch if all vm's are on the same proxmox host.

If he sets up manual bridges with vlan's he will also have to setup dhcp, dns, upstream nat etc. which is much harder for a beginner then a dedicated firewall vm which does everything out of the box.

A virtual firewall doesn't need a interface for each vlan, just leave the vlan tag empty and all vlans are forwarded. Vlans can be setup within the firewall vm.
 
H4R0 said:
There is no need for a managed switch if all vm's are on the same proxmox host.
Click to expand...
I never said that "managed switches" are required, but "switches that support tagged VLANs". A little but very important difference, just to put things clear...

Obviously he don't need to use managed switches, but using unmanaged switches, he could run into IP spoofing issues and he'll wonder why (it happened to me). A managed switch will allow him to have some controll over how the switch should work, avoiding such issues and making his life easier...

And even though the VMs are all on the Proxmox host, he will have to access them some how, from devices in his home network or other hardware devices that he want to connect directly to the "VM network" in future, so VLAN support on the used switches is highly recommended...

If he sets up manual bridges with vlan's he will also have to setup dhcp, dns, upstream nat etc. which is much harder for a beginner then a dedicated firewall vm which does everything out of the box.
Click to expand...
That's wrong. It doesn't matter how he configures the VLANs, he will have to setup DNS, DHCP and other network services in any case, as VLANs and network services like DNS, DHCP or NAT "run" in different OSI layers...

A virtual firewall doesn't need a interface for each vlan, just leave the vlan tag empty and all vlans are forwarded. Vlans can be setup within the firewall vm.
Click to expand...
Please, can you explain why should this be easier for a beginner than running a vmbridge in "VLAN aware mode" and assigning VLAN-IDs to the VM network interfaces? I'm just curious about it...

And depending on which firewall is used, he could run into strange behaiviors and issues, if configuring VLANs on the firewall. Adding a new network interface to the VM is easier...
 
Last edited:
Belegnor said:
I never said that "managed switches" are required, but "switches that support tagged VLANs". A little but very important difference, just to put things clear...
Click to expand...

Well "switches that support tagged VLANs" thats what managed switches are.. unmanaged switches have no configuration options.

Belegnor said:
Obviously he don't need to use managed switches, but using unmanaged switches, he could run into IP spoofing issues and he'll wonder why (it happened to me). A managed switch will allow him to have some controll over how the switch should work, avoiding such issues and making his life easier...
Click to expand...

He can filter all vlan traffic on his nic using the proxmox firewall so it does not leave the host. I agree with you that if he wants to do serious networking he should get a managed switch, but to isolate some vm's on proxmox its not necessary.

Belegnor said:
And even though the VMs are all on the Proxmox host, he will have to access them some how, from devices in his home network or other hardware devices that he want to connect directly to the "VM network" in future, so VLAN support on the used switches is highly recommended...
Click to expand...

He can just use the vm firewall as gateway and setup a static route to access the vlans.

Also proxmox offers splice, vnc etc. which do work well including file transfer, clipboard sharing etc.

Belegnor said:
That's wrong. It doesn't matter how he configures the VLANs, he will have to setup DNS, DHCP and other network services in any case, as VLANs and network services like DNS, DHCP or NAT "run" in different OSI layers...

Please, can you explain why should this be easier for a beginner than running a vmbridge in "VLAN aware mode" and assigning VLAN-IDs to the VM network interfaces? I'm just curious about it...
Click to expand...

My point was that its easier to do on the firewall appliance, just check a checkbox and youre done. If he just uses vlan aware bridges he wont have internet, he will have to setup outbound nat, routes etc. on its own.. Manually configure that stuff on linux shell for a beginner ?! True for a isolated lan that has no internet just go with bridges, but he stated he wants internet access and that involves more.

Belegnor said:
And depending on which firewall is used, he could run into strange behaiviors and issues, if configuring VLANs on the firewall. Adding a new network interface to the VM is easier...
Click to expand...

What issues for example ? How is it easier ? Not only you have to do configuration in 2 guis as you also have to set up the interfaces within the firewall. It also adds unnecessary virtualization overhead, just go with 1 interface if you can...


This is getting offtopic, its not helping op, setting up a isolated network seems easy but it is not for a beginner.

Given that he already has a dedicated server he should start to learn about networking.
 
H4R0 said:
Well "switches that support tagged VLANs" thats what managed switches are.. unmanaged switches have no configuration options.
Click to expand...
Wrong. "Modern" unmanaged switches have an "automatic learning feature" that allows them to process VLAN tags correctly, even though they don't have any configuration options. But as already said, managed switches make life easier.

He can filter all vlan traffic on his nic using the proxmox firewall so it does not leave the host. I agree with you that if he wants to do serious networking he should get a managed switch, but to isolate some vm's on proxmox its not necessary.
Click to expand...

Why should he use the Proxmox firewall? Perhaps he wants to use his "own firewall" (it doesn't matter if hardware or virtual).

He can just use the vm firewall as gateway and setup a static route to access the vlans.
Click to expand...

He can use this VM (or an existing hardware) firewall to restrict access between both networks too instead of the Proxmox firewall...

Also proxmox offers splice, vnc etc. which do work well including file transfer, clipboard sharing etc.
Click to expand...

Perhaps he want to test systems that offer web or file services like Emby Media Server of FreeNAS or OMV or ...

In this case, SPICE or VNC would be quite useless...

My point was that its easier to do on the firewall appliance, just check a checkbox and youre done.
Click to expand...
Nope ... You have to configure VLAN interfaces on the firewall in order to use VLANs too.

Running a Linux bridge in "VLAN aware mode" is quite easy: check a checkbox ...

1602697385691.png

... assigne VLAN-IDs to the network interfaces of the VM ...

1602697554642.png

and you're done with VLAN configuration on Proxmox ...

That's an example for a firewall using VLAN aware bridges:

1602701525708.png

I don't think this is more complicated than configuring VLAN interfaces on a firewall ... ;)

If he just uses vlan aware bridges he wont have internet, he will have to setup outbound nat, routes etc. on its own..
Click to expand...

Wrong. As I said before, VLANs and routing, NAT and other protocols belong to different OSI layers, so it doesn't matter if he uses VLAN aware bridges or VLAN interfaces on a firewall, as routing has to be configured anyway, in order to allow internet access for the home and test networks.

Typically, firewalls automatically add routes to directly connected networks. So if you use a firewall as a gateway, both networks will have internet access and it doesn't matter how the VLANs were configured.

Outbound NAT may be necesary or not, depending on the used infrastruture. In example, if his internet router offers the possiblity to add routes, then no outbound NAT is required on the firewall ...

Manually configure that stuff on linux shell for a beginner ?!
Click to expand...

Once again, running a linux bridge in "VLAN aware mode" doesn't require manual configuration on the linux shell. It can be done using the Proxmox GUI, as I've shown before.

True for a isolated lan that has no internet just go with bridges, but he stated he wants internet access and that involves more.
Click to expand...

There is no relation between "bridges" (layer 2) and internet access (routing, layer 3). A Linux bridge allows VMs to connect to a physical network interface. If the interface is connected to a network with direct internet access, then the VMs will have internet access too. If not, then a gateway (router or firewall) is required. But this fact doesn't depend on using a "bridge" or not...

What issues for example ?
Click to expand...

Perhaps VLANs not working correctly, depending on the virtualized firewall?

How is it easier ? Not only you have to do configuration in 2 guis as you also have to set up the interfaces within the firewall. It also adds unnecessary virtualization overhead, just go with 1 interface if you can...
Click to expand...
I've shown it before. And you have to configure the firewall interfaces that you need in any case, it doesn't matter if they are network interfaces or subinterfaces (VLANs). But using VLAN aware bridges, you don't need to set up any VLANs on the firewall itself ...

And why should I "go with only one interface", if I can easily add more virtual (native) network interfaces instead of adding VLANs on one virtual (native) interface within the firewall? What is the impact on the performance of the virtualization environment when adding several network interfaces to a VM in comparison to using only one network interface?

This is getting offtopic, its not helping op, setting up a isolated network seems easy but it is not for a beginner.
Click to expand...

I don't think that this is getting offtopic at all, as we both are giving enought information and different points of view. And it isn't relevant, which approach is "better". The only relevant thing is the fact, that he can choose which way suits better for him in order to resolve his problem, based on the information that we have given to him. And he may be a beginner, but none of us had the knowhow just from the start, so who cares? It seems to me that he exactly wants to do that: to build up his own knowhow and to learn ... ;)
 
Last edited:
  • Like
Reactions: guletz
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back