[SOLVED] Is there any way to limit a VM into using a specific IP?

R

Razva

Renowned Member
Dec 3, 2013
252
10
83
Romania
cncted.com
Hello,
One of my biggest concerns for putting Proxmox into production is the fact that users are able to use any available IP on their subnet.
Is there any way to limit this behaviour? If not by default, maybe via OpenVSwitch?
Thank you!
 
You can use the Firewall: https://pve.proxmox.com/wiki/Firewall#pve_firewall_ip_sets

Standard IP set ipfilter-net*
These filters belong to a VM’s network interface and are mainly used to prevent IP spoofing. If such a set exists for an interface then any outgoing traffic with a source IP not matching its interface’s corresponding ipfilter set will be dropped.

For containers with configured IP addresses these sets, if they exist (or are activated via the general IP Filter option in the VM’s firewall’s options tab), implicitly contain the associated IP addresses.

For both virtual machines and containers they also implicitly contain the standard MAC-derived IPv6 link-local address in order to allow the neighbor discovery protocol to work.
Code: 
/etc/pve/firewall/<VMID>.fw

[IPSET ipfilter-net0] # only allow specified IPs on net0
192.168.2.10
Click to expand...

I added an additional FW Rule which only accept Traffic to the Target IP which are configured in IPset.
 
jim.bond.9862 said:
What exactly do you mean by that?
Click to expand...
Let's suppose that we have 3 VMs. First uses `192.168.1.10`, second uses `192.168.1.11`, third one uses `192.168.1.12`. All of them are on the same node and on the same subnet. I would like to keep 192.168.1.14 free/reserved for another VM. In our current setup, users on the same subnet are able to freely assign any IP from their subnet.

We're having issues with users "stealing" each other's LAN IPs, and even public IPs (more or less intentionally). This is not a problem on a private setup, where all VMs are managed, but can become a problem in a public setup where we don't manage the VMs.
 
Razva said:
And what if the user controls his own Proxmox Firewall rules? Can this be superseeded somehow by a "higher level software firewall"?
Click to expand...
AFAIK not. But if you offer your Customer a Webinterface, then its about you. Otherwise you should use an own Router and create a VLAN for every Customer you have, there you can bind some IPs - bit this is a heavy overhead.
 
sb-jw said:
AFAIK not. But if you offer your Customer a Webinterface, then its about you. Otherwise you should use an own Router and create a VLAN for every Customer you have, there you can bind some IPs - bit this is a heavy overhead.
Click to expand...
Supposing that I won't give them access to the Proxmox interface, but still allow him access to the firewall (via API -> third-party control panel), will this allow him to remove limits imposed in `/etc/pve/firewall/ID.fw`?
 
Razva said:
(via API -> third-party control panel), will this allow him to remove limits imposed in `/etc/pve/firewall/ID.fw`?
Click to expand...
Sure, if you do not prevent it. But this is completely your part, you can define some prefix and only these rules are visible to the customer.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom