Hello,
I have configured 2 bridges on my home Proxmox:
auto lo
iface lo inet loopback
iface eno1 inet manual
iface eno2 inet manual
auto vmbr0
iface vmbr0 inet static
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.254
bridge_ports eno1
bridge_stp off
bridge_fd 0
#default
auto vmbr1
iface vmbr1 inet static
hwaddress ether xx:xx:xx:xx:xx:xx
address 10.41.5.1
netmask 255.255.255.248
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.41.5.0/29' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.41.5.0/29' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 33899 -j DNAT --to 10.41.5.2:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 33899 -j DNAT --to 10.41.5.2:3389
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 5147 -j DNAT --to 10.41.5.2:5147
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 5147 -j DNAT --to 10.41.5.2:5147
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 27270 -j DNAT --to 10.41.5.2:27270
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 27270 -j DNAT --to 10.41.5.2:27270
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 27280 -j DNAT --to 10.41.5.2:27280
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 27280 -j DNAT --to 10.41.5.2:27280
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
All my VMs are connected to VMBR0 on the local network (MySQL, home server, gaming machine, etc.).
VMBR1 is only for testing some things for my job (debug, PDA connection) with 2 VMs: 1 Windows and 1 Debian.
I would like to isolate this network.
Ideally, the Windows and the Debian on VMBR1 can reach the gateway for Internet, but can't communicate with any of the VMs in VMBR0.
I tried ebtables with no success. With iptables I have to configure all new VMs.
I don't have a switch with a VLAN option, only the ISP router.
What is the best way?
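One way to get the isolation asked for above, as an added example that is not part of the original post: a small script hooked from post-up/post-down that adds FORWARD rules on the Proxmox host, using the addresses from the posted config. It assumes the FORWARD policy is ACCEPT (the Proxmox default), that the test VMs use the ISP router for DNS, and a script path of /usr/local/sbin/vmbr1-isolation.sh (all assumptions, not from the post).

```shell
#!/bin/sh
# Added example, not from the original post. FORWARD rules on the Proxmox host
# that let the vmbr1 test subnet (10.41.5.0/29) reach the Internet through the
# existing MASQUERADE while blocking it from the LAN VMs behind vmbr0
# (192.168.0.0/24); the LAN may enter vmbr1 only via the DNAT'd ports.
# Assumptions: FORWARD policy is ACCEPT (Proxmox default) and the test VMs use
# the ISP router 192.168.0.254 as DNS (drop that rule if they use public DNS).
IPTABLES="${IPTABLES:-iptables}"   # overridable so the rules can be dry-run
ISO_NET='10.41.5.0/29'
LAN_NET='192.168.0.0/24'
GW='192.168.0.254'
ACT='-A'
RC=0

# One FORWARD rule; $ACT is -A (post-up) or -D (post-down).
fw_rule() { "$IPTABLES" "$ACT" FORWARD "$@" || RC=1; }

# Order matters for -A: the DROP rules must precede the final ACCEPT.
vmbr1_isolation() {
    ACT="$1"; RC=0
    # Replies to allowed connections, both ways (this also lets 10.41.5.2
    # answer the DNAT'd RDP/game-port sessions coming from the LAN).
    fw_rule -i vmbr1 -o vmbr0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fw_rule -i vmbr0 -o vmbr1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> vmbr1: only connections rewritten by a PREROUTING DNAT rule.
    fw_rule -i vmbr0 -o vmbr1 -m conntrack --ctstate DNAT -j ACCEPT
    fw_rule -i vmbr0 -o vmbr1 -j DROP
    # vmbr1 -> LAN: DNS to the router only (assumption), everything else dropped.
    fw_rule -i vmbr1 -o vmbr0 -s "$ISO_NET" -d "$GW" -p udp --dport 53 -j ACCEPT
    fw_rule -i vmbr1 -o vmbr0 -s "$ISO_NET" -d "$LAN_NET" -j DROP
    # vmbr1 -> everything else, i.e. the Internet via the gateway.
    fw_rule -i vmbr1 -o vmbr0 -s "$ISO_NET" -j ACCEPT
    # Note: traffic to the host itself (10.41.5.1 / 192.168.0.10) goes through
    # INPUT, not FORWARD, so it is not covered here.
    return "$RC"
}

# Hook from /etc/network/interfaces (assumed script path):
#   post-up   /usr/local/sbin/vmbr1-isolation.sh -A
#   post-down /usr/local/sbin/vmbr1-isolation.sh -D
case "${1:-}" in
    -A|-D) vmbr1_isolation "$1" ;;
esac
```

Because the rules match on the bridge interfaces and the /29 rather than on individual guests, a new VM added to vmbr1 is covered without any per-VM iptables configuration.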