Isolated private networks with SDN


New Member
Mar 17, 2023

I have a standalone node (no cluster) on wich I try to configure several private networks, isolated from each other.

While searching for a solution, I found Proxmox's SDN capabilities. So I tried to create 2 zones (Simple plugin), each containing a Vnet, like this :
subnet, SNAT=1​
subnet, SNAT=1​

I have a W10 VM connected to vnet25, and a Debian 12 VM connected to vnet26

Everything seem to work fine, both VM have Internet access, but isolation seems to not be total.

For example, I can ping the Debian from the W10 machine, and I can ssh from W10 to Debian.

So my question is :
is SDN the appropriate solution for what I want to achieve ? Or did I miss something in my configuration ?

Thanks for any suggestion :)
Last edited:
mmm, indeed currently simple zones don't use dedicated vrf.

It's done for bgp-evpn zone, but not yet for simple zone.

I need to check if it could be easy to implement, because with bgp-evpn we have frr routing deamon, and we can easily manage routes to block traffic between differents vnet.

can you open a request in ?

(as workaround the only way is to use proxmox firewall)
Hello spirit,

Thanks for your reply. I opened a request :

I'll try to fiddle a bit with the firewall. Not sure I'll achieve something, since I'm really not used to it. Creating rules is something mysterious to me :)
I'll try this on my local test installation, since I'm very likely to mess up networking at a time or another...
Last edited:
Well, after trying a lot (and locking myself out once :) - fortunately, I had a console open on the node so I could disable the firewall from command line), I think I found the correct rules to isolate fully the virtual nets from each other and from the LAN, while allowing the VM to have Internet access in both direction, so I can do RDP to the VM, for example.​

After creating the SDN, I added four rules at VM level :
outACCEPTnet0192.168.0.254 (LAN GW)
I also added some DNAT rules to /etc/network/interface to redirect traffic for various services (RDP, HTTPS, etc) to the appropriate VM: port.
The first rule depends on the subnet, and must be adapated accordingly. The last three can be put in a security group, making it easier to add to each VM.

After enabling proxmox firewall at each level (datacenter, node, VM and NIC), it seems to work so far...
Last edited:


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!