Implementing MAC Filtering for IPv4 in Proxmox Using Built-In Firewall Features

NextStepUser

Jun 7, 2020
Hi everyone,

I'm planning to set up MAC filtering for IPv4 traffic in my Proxmox live cluster and aim to use ebtables and ipset where necessary, but I would like to primarily rely on Proxmox's built-in GUI features for easier management.

As I'm still learning Proxmox's firewall system and don't have much experience with its configuration, I’d greatly appreciate a detailed, step-by-step guide to help me achieve this.

Here’s my intended setup:

Datacenter Level:

  • Define global rules to ensure MAC filtering is applied uniformly across the cluster.
  • Use ipset to dynamically manage a list of allowed MAC-IP pairs (if supported in Proxmox).
  • Enforce firewall rules to allow only traffic from permitted MAC-IP pairs.

Host Level:

  • Configure firewalls on individual nodes to ensure consistent MAC filtering while maintaining critical cluster functions like live migration.

For VMs:

  • Ideally, avoid configuring anything on the VMs themselves (beyond assigning specific MAC addresses).
  • Use the firewall at the host or datacenter level to handle filtering.

My Questions:

  1. Datacenter Level:
    • What is the best way to configure global MAC-IP filtering rules at the datacenter level using the GUI?
    • Should I create custom rules for ebtables/ipset within the GUI, or is there a more straightforward approach?
  2. Host Level:
    • How should the node-level firewalls be set up to ensure reliable MAC filtering for IPv4 traffic without disrupting cluster communication?
  3. VM Configuration:
    • Can I fully manage MAC-IP filtering through the Proxmox firewall without additional configuration on the VMs (beyond setting MAC addresses)?
If anyone could provide a detailed walkthrough or share their experiences with a similar setup, it would be incredibly helpful. I’m particularly interested in understanding the step-by-step process for leveraging Proxmox GUI tools for this use case.

Thank you so much in advance for your help!

Best regards
 
In the Guest Firewall Options, there is a MAC Filtering option. It only allows VMs to send traffic with the MAC configured on the Network device. Is this already sufficient for your use case?
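An added example, not part of the thread or of Proxmox's own code: a small audit that checks whether the MAC Filtering option mentioned in the reply is actually in force for a guest. It assumes the documented guest firewall file layout (`[OPTIONS]` with `enable` and `macfilter`, `[IPSET ipfilter-netN]`) and the `firewall=1` flag on the guest's network device; the sample file contents and the function names are constructed for illustration, and it goes beyond the reply by also checking the per-interface IP sets.

```python
import re

# Constructed sample of a guest firewall file (/etc/pve/firewall/<VMID>.fw).
SAMPLE_FW = """[OPTIONS]
enable: 1
macfilter: 1

[IPSET ipfilter-net0]
192.0.2.10
"""
# Constructed NIC lines from the matching guest config.
SAMPLE_CONF = """net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1
net1: virtio=BC:24:11:00:00:02,bridge=vmbr1
"""

def parse_fw(text):
    """Return ({option: value}, {ipset_name: [entries]}) from .fw text."""
    options, ipsets, section = {}, {}, (None, None)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[(\w+)(?:\s+(\S+))?\]", line)
        if header:
            section = (header.group(1).upper(), header.group(2))
            if section[0] == "IPSET":
                ipsets[section[1]] = []
        elif section[0] == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section[0] == "IPSET" and line:
            ipsets[section[1]].append(line)
    return options, ipsets

def audit(fw_text, conf_text):
    """List the reasons MAC or source-IP pinning is not enforced for a guest."""
    options, ipsets = parse_fw(fw_text)
    findings = []
    if options.get("enable", "0") != "1":            # guest firewall defaults to off
        findings.append("guest firewall disabled: macfilter has no effect")
    if options.get("macfilter", "1") != "1":         # macfilter defaults to on
        findings.append("macfilter explicitly disabled")
    for nic in re.finditer(r"^(net\d+):\s*(\S+)", conf_text, re.M):
        name, params = nic.group(1), nic.group(2).split(",")
        if "firewall=1" not in params:
            findings.append(f"{name}: firewall flag not set on the device")
        elif not ipsets.get(f"ipfilter-{name}"):
            findings.append(f"{name}: no ipfilter-{name} entries, source IP not pinned")
    return findings
```

The audit only reads the guest-level files; the firewall also has to be enabled at the datacenter level for any guest rules to apply.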
 
