Internet access from unbound Linux Bridge?

[tgates]

Hello. I have recently set up Proxmox VE and Proxmox Backup Server on a dedicated server off-site for backup & redundancy. I have successfully set up backup sync jobs and restored a backup of my VMs to Proxmox VE. I ran into an issue though. After creating my second non-management bridge, I can access the wide internet from my VMs using this. This is a problem because licensed applications don't like it when they get duplicated in a location hundreds of miles away. (Specifically, ones that call to a mother ship) I would like to have a private-only static IPv4 network so that my VMs can talk with each other, without any outside connection.

I was under the impression that my attached network config shouldn't allow routing through my outbound connection enp38s0 on vmbr1. I do have UFW installed on Proxmox VE to block specific ports that are automatically allowed by Proxmox. (SSH & Spice blocked for security, whitelist IPs on other ports) Maybe UFW is causing issues?

I did play with DROP for forward packets in UFW, but this just causes all traffic on local vmbr10 to be dropped. (Including local traffic on the same subnet between VMs) Any ideas?

 

[mira]

Did you add any up/post-up commands to add routes?
Do you NAT any outgoing packets on that bridge?

Do the guests have a gateway configured that forwards traffic to the outside?
Running tcpdump on that bridge could help narrow down where this comes from, and where outgoing packets are sent.

 

[tgates]

Did you add any up/post-up commands to add routes?
Do you NAT any outgoing packets on that bridge?

Do the guests have a gateway configured that forwards traffic to the outside?
Running tcpdump on that bridge could help narrow down where this comes from, and where outgoing packets are sent.

The guest gateway is set as the IP of the Proxmox Host - 192.168.100.1
At one point I had NAT with IP Masquerade set to allow guests to communicate via 1 public IP address assigned to Proxmox, but I removed all of the post-up added lines to /etc/network/interfaces, and applied changes. The interfaces file doesn't have any additional lines anymore. Maybe I missed something somewhere else? I'm open to trying things. I appreciate the help, a bit new to networking within Linux as a hypervisor.

I'm not familiar with tcpdump, but I ran a capture and source = guest VM IP. Trace route shows that the route jumps from 192.168.100.1 (Local gateway) to the public gateway and so on to the destination IP.

 

[mira]

Remove the guest gateway if you don't want those guests to get to the outside.
They should still be able to communicate with any other guests on the same bridge. If they're outside your configured subnet, you'll have to add a route on both sides.

If you set your host as gateway, and enable `ip_forward` (/proc/sys/net/ipv4/ip_forward), they can talk to the outside via your host.

 

[tgates]

Remove the guest gateway if you don't want those guests to get to the outside.
They should still be able to communicate with any other guests on the same bridge. If they're outside your configured subnet, you'll have to add a route on both sides.

If you set your host as gateway, and enable `ip_forward` (/proc/sys/net/ipv4/ip_forward), they can talk to the outside via your host.

Thank you so much for your help! The /proc/sys/net/ipv4/ip_forward file had 1 and was enabled. (I imagine from when I had NAT set up) Writing a 0 to this fixed it!
I wanted a gateway to be set because for some reason windows networking would refuse to work without a gateway, so this is perfect!