fransizjean

New Member
Jul 16, 2021
3
0
1
26
Hey everyone,
I want to isolate virtual machines from communicating with each other without getting out on the local network.
I realised a test with a my laptop connected to the server where i managed to ping a vm from another so even if i need any connection between the VMs I want it to happen in the switch or the physical firewall so i can manage them from the interfaces easily.

So i tried to use the vlan tag to do the job, created a linux vlan in network for each vm and tagged them differently and it isolates them, if i give them the same tag they can still access eachother which gives me flexibility too which is good but the problem is that i no longer have internet connection.

Doesnt just attribitung vlan tags is enough or do i need to do specific configurations in the switch too?

And do you guys know other ways to isolate 2 vms in the same host from communicating from eachother(without using too much source like a firewall vm and having a easily configurable system).

Thanks from advance.
 
Hey everyone,
I want to isolate virtual machines from communicating with each other without getting out on the local network.
I realised a test with a my laptop connected to the server where i managed to ping a vm from another so even if i need any connection between the VMs I want it to happen in the switch or the physical firewall so i can manage them from the interfaces easily.

So i tried to use the vlan tag to do the job, created a linux vlan in network for each vm and tagged them differently and it isolates them, if i give them the same tag they can still access eachother which gives me flexibility too which is good but the problem is that i no longer have internet connection.

Doesnt just attribitung vlan tags is enough or do i need to do specific configurations in the switch too?

And do you guys know other ways to isolate 2 vms in the same host from communicating from eachother(without using too much source like a firewall vm and having a easily configurable system).

Thanks from advance.

Short version:
- Use different subnets, like 192.168.1.0, 192.168.2.0 for each VM to isolate them.
- In your router you can configure static routes so each subnet can access the internet.
 
If you want that VMs can't access each other why not use Proxmox's firewall rules? Just block all incoming and outgoing traffic of each VM and whitelist IPs+Ports that can be connected to or accessed by.

VLANs are more usefull if you want to create a DMZ so VMs are not in your private LAN. But you would still need to use firewall rules to prevent communication between VMs in that DMZ subnet.

Also keep in mind that every subnet (and so every VLAN) need its own router if you want to communicate with other networks like your LAN or the internet.

And you need a managed switch and router that supports vlans or your VLAn are limited to virtual NICs and bridges on your host.

Best would be to setup a OPNsense/pfsense VM that acts as your router/gateway for all your VMs.
That way you can use the OPNsense firewall to limit communication between LAN/DMZ/internet subnets. And then additionally the Proxmox firewall rules to restrict access between the VM inside the DMZ subnet.
 
Last edited:
Short version:
- Use different subnets, like 192.168.1.0, 192.168.2.0 for each VM to isolate them.
- In your router you can configure static routes so each subnet can access the internet.
Thanks for the reply. The thing is that i am in an internship in an it company and the company is planning to build a server room then expanse it if necessary so i need something that can scale easily. I and a few other technicians want to use proxmox and i talked about the problematics of VM's talking with eachother in the same host and i am trying to find a solution for that.

If you want that VMs can't access each other why not use Proxmox's firewall rules? Just block all incoming and outgoing traffic of each VM and whitelist IPs+Ports that can be connected to or accessed by.

VLANs are more usefull if you want to create a DMZ so VMs are not in your private LAN. But you would still need to use firewall rules to prevent communication between VMs in that DMZ subnet.

Also keep in mind that every subnet (and so every VLAN) need its own router if you want to communicate with other networks like your LAN or the internet.

And you need a managed switch and router that supports vlans or your VLAn are limited to virtual NICs and bridges on your host.

Best would be to setup a OPNsense/pfsense VM that acts as your router/gateway for all your VMs.
That way you can use the OPNsense firewall to limit communication between LAN/DMZ/internet subnets. And then additionally the Proxmox firewall rules to restrict access between the VM inside the DMZ subnet.
Thanks a lot for the answer. I will try the firewall approach first because VM firewalls would add up easily if theres new servers to add into the system. And there will also be stormshields and l3 switches for east west traffic for the isolation of physical machines.
 
Well i enabled firewall and set VM firewall on reject in/out. Created aliases for me and my coworker then ping tested with multiple systems in the network. Whitelisted ips connect and others dont even receive an answer which is good. Thanks a lot for the help guys, you rock!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!