Management Interface

[pjalm]

I have 3 network interfaces and would like to only be able to access the management on one of them. Is this possible?

 

[UdoB]

Assumption: each NIC is assigned in a bridge. That's default and OK.

There are several solutions for your wish, for example limiting "Listen" for the relevant processes or establishing iptables rules.

But approach "zero" is by far the cleanest:
Each bridge has an IP address, right? That's not required! Remove all IP addresses for all bridges except the only one which you want to use.

To be clear: VMs/LXCs connected to that bridge will continue to work fine; they do not need to be able to reach the host on their own network by internet protocol!


For a better discussion you should describe your network setup and post the content of /etc/network/interfaces - in [code] ... [/code]-tags please.

 

[pjalm]

ok i hav 2x 10GBe in a LACP Bond and 1x 1GBe which i wish to use on an isolated management network.

This is my main Proxmox server, i am not sure what the other interfaces are as the server only has 2x 1GBe onboard plus 2x 10GBe via PCIe addon.

auto lo
iface lo inet loopback

iface enp6s0 inet manual

auto eno1
iface eno1 inet static
        address 10.10.1.10/24
#1GBe Management

iface enp5s0 inet manual

auto ens5
iface ens5 inet manual
#10GBe Port 2

iface enp8s0 inet manual

iface enp9s0 inet manual

auto ens4
iface ens4 inet manual
#10GBe Port 1

auto bond0
iface bond0 inet manual
        bond-slaves ens4 ens5
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2

auto vmbr0
iface vmbr0 inet static
        address 10.10.0.10/24
        gateway 10.10.0.254
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0

source /etc/network/interfaces.d/*

This is my Proxmox Backup Server

auto lo
iface lo inet loopback

auto nic0
iface nic0 inet static
        address 10.10.1.20/24
#1GBe Management

source /etc/network/interfaces.d/*

auto enp1s0f0
iface enp1s0f0 inet manual
#10GBe Port 1

auto enp1s0f1
iface enp1s0f1 inet manual
#10GBe Port 2

auto bond0
iface bond0 inet static
        address 10.10.0.20/24
        gateway 10.10.0.254
        bond-mode 802.3ad
        bond_xmit_hash_policy layer2
        bond-slaves enp1s0f0 enp1s0f1

10.10.1.x is the management network and 10.10.0.x is the main network, both wired to seperate switches and the management one has no internet.

My main desktop/workstation is a Mac with 1x 1GBe which is connected to the management switch and 1x 10GBe via TB3 to the main switch.

 

[cheiss]

Hi,

you may be interesed in the following admin guide section for configuring pveproxy: pveproxy - Proxmox VE API Proxy Daemon
Of course, a proper firewall setup is still recommended.

 

[pjalm]

That worked perfectly, thank you. I used just the LISTEN_IP="10.10.1.10" in the /etc/default/pveproxy and worked instantly. I will look into your firewall suggestion too.

I also attempted to do the same thing on my Proxmox Backup server with no luck though.

I get the following error.

Failed to restart pveproxy.service: Unit pveproxy.service not found.
Failed to restart spiceproxy.service: Unit spiceproxy.service not found.

Thank you again for such a simple solution.

 

[pjalm]

I have been searching but can't find any info for pveproxy on PBS. Does PBS have or use pveproxy? If not how would i set the LISTEN_IP for the PBS server?

 

[pjalm]

I got it working finally, I did some digging and on PBS its called proxmox-backup-proxy not pveproxy.

Everything working great now, Thanks again for the help.

 

[pjalm]

Actually I was wrong, i edited the file and restarted service but its still listening on both NICs