Implementing MAC Filtering for IPv4 in Proxmox Using Built-In Firewall Features

NextStepUser

Member
Jun 7, 2020
Hi everyone,

I'm planning to set up MAC filtering for IPv4 traffic in my Proxmox live cluster and aim to use ebtables and ipset where necessary, but I would like to primarily rely on Proxmox's built-in GUI features for easier management.

As I'm still learning Proxmox's firewall system and don't have much experience with its configuration, I’d greatly appreciate a detailed, step-by-step guide to help me achieve this.

Here’s my intended setup:

Datacenter Level:

  • Define global rules to ensure MAC filtering is applied uniformly across the cluster.
  • Use ipset to dynamically manage a list of allowed MAC-IP pairs (if supported in Proxmox).
  • Enforce firewall rules to allow only traffic from permitted MAC-IP pairs.

Host Level:

  • Configure firewalls on individual nodes to ensure consistent MAC filtering while maintaining critical cluster functions like live migration.

For VMs:

  • Ideally, avoid configuring anything on the VMs themselves (beyond assigning specific MAC addresses).
  • Use the firewall at the host or datacenter level to handle filtering.

My Questions:

  1. Datacenter Level:
    • What is the best way to configure global MAC-IP filtering rules at the datacenter level using the GUI?
    • Should I create custom rules for ebtables/ipset within the GUI, or is there a more straightforward approach?
  2. Host Level:
    • How should the node-level firewalls be set up to ensure reliable MAC filtering for IPv4 traffic without disrupting cluster communication?
  3. VM Configuration:
    • Can I fully manage MAC-IP filtering through the Proxmox firewall without additional configuration on the VMs (beyond setting MAC addresses)?
If anyone could provide a detailed walkthrough or share their experiences with a similar setup, it would be incredibly helpful. I’m particularly interested in understanding the step-by-step process for leveraging Proxmox GUI tools for this use case.

Thank you so much in advance for your help!

Best regards
In the Guest Firewall Options, there is a MAC Filtering option. It only allows VMs to send traffic with the MAC configured on the Network device. Is this already sufficient for your use case?
Thank you for the answer. The MAC Filtering option is helpful, but I also need to pair MAC addresses with specific IPs to prevent users from assigning arbitrary IPs. Is there a way to achieve this in Proxmox directly?
There is also IP filtering on a per VM/NIC-basis by creating a specific ipfilter-netX IPSet. Then only packets with the specified IP can be sent from the VM.
Thank you for help.

If I enable the firewall option for a VM, does this automatically activate the Datacenter/Host-level firewall as well?

Here's my intended setup: (If it works)
I enable the VM firewall with the MAC Filter and IP Filter options set to "true." After that, I assign an IP to the corresponding IPSet. In the VM firewall settings, I create just one inbound and one outbound rule to allow traffic, as the IP Filter already enforces restrictions.

--------------
I create my VMs using Cloud-Init. Is there a way to pass the IP directly when using qm clone and automatically generate the corresponding IPSet (e.g., Name: IP -> contains 10.10.10.10)?
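The setup discussed in this thread (MAC filter plus a per-NIC ipfilter-net<N> IPSet, created at clone time) can be scripted instead of clicked through the GUI. The script below is an added example written for this page; it is not code from the thread or from Proxmox. It renders the per-VM firewall file that the GUI would otherwise write to /etc/pve/firewall/<vmid>.fw, and wires it into a Cloud-Init clone so the IPSet exists before the guest boots. Assumptions: the template VMID (9000), the bridge (vmbr0), the NIC MAC and the SSH-only inbound rule are placeholders; `qm` is on PATH (so the provisioning step only works on a PVE node); and the `PVE_FW_DIR` variable is a hypothetical override used so the render step can be tested anywhere. Two checks worth keeping in mind: the VM-level firewall does nothing unless the datacenter firewall is enabled (`enable: 1` under `[OPTIONS]` in /etc/pve/firewall/cluster.fw), and the NIC itself must carry `firewall=1` in its `netX` line.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): write the per-VM
# firewall file the GUI would produce, and use it from a cloud-init clone.
set -eu

# Render the contents of /etc/pve/firewall/<vmid>.fw for one VM:
#  - macfilter/ipfilter on, so the guest may only send frames with its
#    configured MAC and packets with a source IP in ipfilter-net<N>
#  - a single-entry ipfilter-net<N> IPSet holding the allowed IPv4
#  - default DROP inbound, one ACCEPT for SSH (placeholder rule)
# Arguments: vmid, allowed IPv4 (or CIDR), NIC index (0 for net0).
render_vm_fw() {
  vmid=$1; ip=$2; nic=${3:-0}
  # Refuse anything that is not a dotted quad / CIDR so a bad value
  # never ends up in the IPSet (cheap input check, not a full parser).
  case $ip in
    ''|*[!0-9./]*) echo "render_vm_fw: bad IPv4 '$ip'" >&2; return 1 ;;
  esac
  cat <<EOF
# firewall config for VM $vmid (generated)
[OPTIONS]
enable: 1
macfilter: 1
ipfilter: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET ipfilter-net$nic]
$ip

[RULES]
IN ACCEPT -i net$nic -p tcp -dport 22
EOF
}

# Clone a cloud-init template, pin the MAC and static IP, and drop the
# firewall file in place. Assumes qm on PATH and a template that already
# has a cloud-init drive. Placeholder bridge: vmbr0.
# Arguments: template vmid, new vmid, name, ip/prefix, gateway, mac.
provision_vm() {
  tmpl=$1; vmid=$2; name=$3; cidr=$4; gw=$5; mac=$6
  ip=${cidr%%/*}                      # IPSet entry is the bare address
  qm clone "$tmpl" "$vmid" --name "$name" --full 1
  qm set "$vmid" \
    --net0 "virtio=$mac,bridge=vmbr0,firewall=1" \
    --ipconfig0 "ip=$cidr,gw=$gw"
  render_vm_fw "$vmid" "$ip" 0 > "${PVE_FW_DIR:-/etc/pve/firewall}/$vmid.fw"
}

# Only provision when asked explicitly, e.g. on a PVE node:
#   sh vmfw.sh provision 9000 101 web01 10.10.10.10/24 10.10.10.1 BC:24:11:00:00:01
if [ "${1:-}" = "provision" ]; then
  shift
  provision_vm "$@"
fi
```

Running `render_vm_fw` alone shows exactly what the GUI stores; comparing it against an existing /etc/pve/firewall/<vmid>.fw is a quick way to confirm the IPSet name (ipfilter-net0 for net0) and the two option flags are what the thread describes.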