Isolate subnets

ikmk3

Member
Mar 16, 2021
Hi guys,

I currently have my Proxmox running on an Intel NUC with just 1 NIC, and I would like to isolate some VM/LXC for learning purposes.

I have an OPNsense firewall set up with the following configuration, which is used to route all traffic from my VE:
  • WAN interface: 192.168.1.10
  • LAN interface: 10.0.92.1
Now, all of my VMs and LXC containers have 10.0.92.X addresses and use the 10.0.92.1 OPNsense firewall as gateway. Now, for learning purposes (in fact, I will want to isolate some VMs from the others), I wanted to create a subnet, let's say 10.0.93.0/24, so I can have some stuff going on there, but with no direct connection to the 10.0.92.X machines. I have tried some tutorials but with no luck.

How should I achieve this?

I achieved something by applying firewall rules in the same 10.0.92.0 network, but this is not ideal. I am so new at networking, so any help or any ideas/explanations will be so appreciated.

Thank you in advance
 
If you want to manage which VM can access which VM, you don't need an OPNsense. For this you've got the firewall built into PVE. Just blacklist all incoming and outgoing traffic of a VM and then use whitelisting to allow specific IPs on specific ports and protocols.
Isolating VMs in a DMZ subnet isn't a bad thing, but that only allows you to use the firewall between the different subnets. You can't block communication between VMs that are in the same subnet that way.

For such a DMZ subnet you might want to create a new bridge on your PVE host, give that OPNsense VM a new virtio NIC and bridge it to the new bridge.
 
You have to segment your network to isolate sets of virtual machines.
You have to connect your firewall to all your network segments and define the necessary firewall policy to allow only the required traffic between networks and block the rest.

It is not necessary to create a Proxmox bridge for every network segment; you can use VLAN tags in the virtual network device for the virtual machines that have to be connected to the corresponding network segment.
[Screenshot attachment: VM network device settings with a VLAN tag]

As an alternative to the OPNsense firewall you can use FWCloud managed firewalls (https://fwcloud.net). You can use a virtual machine as your perimeter firewall and easily manage it from your own FWCloud console.
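As an added example, not from any post in this thread, the VLAN-tag approach above combined with the per-NIC PVE firewall from the first reply, written as a script that only prints the plan for review; the NIC name eno1, host address 192.168.1.20/24, gateway 192.168.1.1, VM IDs 100 and 101, container ID 200 and VLAN 93 for 10.0.93.0/24 are all assumptions:

```shell
#!/bin/sh
# Added example, not from the thread. Prints a plan (the VLAN-aware vmbr0 stanza and
# the qm/pct commands) for review; nothing here touches the host. Assumed names/IDs:
# physical NIC eno1, host 192.168.1.20/24 via 192.168.1.1, OPNsense VM 100,
# lab VM 101, lab container 200, isolated segment VLAN 93 = 10.0.93.0/24.
set -eu

# Accept only VLAN IDs 2-4094: 1 is the untagged/native VLAN the host address lives on.
check_vid() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# /etc/network/interfaces stanza. vmbr0 keeps its untagged host address; it just
# starts forwarding tagged frames so each VM NIC can sit on its own VLAN.
bridge_stanza() {   # $1=host CIDR  $2=gateway  $3=physical NIC
  printf 'auto vmbr0\niface vmbr0 inet static\n'
  printf '    address %s\n    gateway %s\n    bridge-ports %s\n' "$1" "$2" "$3"
  printf '    bridge-stp off\n    bridge-fd 0\n'
  printf '    bridge-vlan-aware yes\n    bridge-vids 2-4094\n'
}

# A VM NIC tagged by the bridge: the guest sends and receives untagged frames.
# firewall=1 attaches the PVE firewall to this NIC, so VMs inside the same segment
# can still be restricted from each other (OPNsense only sees inter-segment traffic).
vm_nic_cmd() {      # $1=vmid  $2=net index  $3=vlan id
  check_vid "$3" || return 1
  printf 'qm set %s --net%s virtio,bridge=vmbr0,tag=%s,firewall=1\n' "$1" "$2" "$3"
}
ct_nic_cmd() {      # $1=ctid  $2=vlan id  $3=ip/cidr  $4=gateway
  check_vid "$2" || return 1
  printf 'pct set %s --net0 name=eth0,bridge=vmbr0,tag=%s,ip=%s,gw=%s,firewall=1\n' \
    "$1" "$2" "$3" "$4"
}

plan() {
  echo '# 1. /etc/network/interfaces, then: ifreload -a'
  bridge_stanza 192.168.1.20/24 192.168.1.1 eno1
  echo '# 2. extra OPNsense NIC; assign 10.0.93.1/24 to it in OPNsense and add rules'
  echo '#    that drop 10.0.93.0/24 -> 10.0.92.0/24 except what you explicitly allow'
  vm_nic_cmd 100 2 93
  echo '# 3. lab guests; their only gateway is 10.0.93.1, so every hop crosses OPNsense'
  vm_nic_cmd 101 0 93
  ct_nic_cmd 200 93 10.0.93.20/24 10.0.93.1
  echo '# Caveat: VLAN 93 frames also leave tagged through eno1 to the physical switch;'
  echo '# if the lab must never reach the physical LAN, use a separate bridge with'
  echo '# "bridge-ports none" instead, as suggested in the first reply.'
}
plan
```

Because only the guest NICs carry a tag, the host's untagged address on vmbr0 keeps working, which is the point raised in the question further down.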
 
Hello SOLTECSIS,

My question is: doesn't that put vmbr0 on VLAN 10 only, with no communication with native VLAN 1? In other words, the IP that was given to vmbr0 during the initial install would no longer work, correct? I could be wrong, but that is my limited understanding.
 

He isn't editing the bridge vmbr0; he is editing the virtual NIC of a VM. That virtual NIC is then bridged to vmbr0. And yes, the VM could then only communicate over that virtual NIC on VLAN ID 10, as all incoming VLAN 10 tagged packets will get the tag removed and all outgoing untagged packets will be tagged with VLAN 10.
 
Sorry my bad I am trying to learn still, I apologize for the stupid question.
 
