Isolate vmbrX

cromatn5

Well-Known Member
Mar 26, 2018
77
11
48
38
France
Hello,

I have configured 2 bridges on my home Proxmox:

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.0.10
netmask 255.255.255.0
gateway 192.168.0.254
bridge_ports eno1
bridge_stp off
bridge_fd 0
#default

auto vmbr1
iface vmbr1 inet static
hwaddress ether xx:xx:xx:xx:xx:xx
address 10.41.5.1
netmask 255.255.255.248
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '10.41.5.0/29' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '10.41.5.0/29' -o vmbr0 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 33899 -j DNAT --to 10.41.5.2:3389
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 33899 -j DNAT --to 10.41.5.2:3389
post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp --dport 5147 -j DNAT --to 10.41.5.2:5147
post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp --dport 5147 -j DNAT --to 10.41.5.2:5147
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 27270 -j DNAT --to 10.41.5.2:27270
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 27270 -j DNAT --to 10.41.5.2:27270
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 27280 -j DNAT --to 10.41.5.2:27280
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 27280 -j DNAT --to 10.41.5.2:27280
post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

All my VMs are connected to VMBR0 on local network (mysql, home server, gaming machine, etc...

VMBR1 is only for testing some things for my job (debug, PDA connexion) with 2 VMs: 1 Windows and 1 Debian

I would like to isolate this network.
Idealy, the Windows and the Dedian on VMBR1 can reach the gateway for Internet, but can't communicate with all VMs in VMBR0.

I tried ebtables with no success. With iptables I have to configure all new VMs.

I doesn't have switch with vlan option, only the ISP router.

What is the best way ?
 
Update, for now I have created a group, attached to the firewall of VMBR1's VMs, who drop out to local network.
If someone had a better solution, I'm interested.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!