Microsegmentation of VMs in the same subnet through central firewall

whiney

New Member
Apr 29, 2025
Hi everyone,

I’m currently exploring options for microsegmentation in Proxmox VE. Our networking team prefers to avoid the built-in Proxmox firewall and instead enforce segmentation on our central firewall. The requirement is that some VMs in the same subnet should only be able to communicate through the firewall (using proxy ARP), not directly on L2.

What came to my mind immediately was using port isolation on a VNet in a VLAN zone, enforcing VM-to-VM communication only via the proxy-ARP-enabled router/firewall, but in the Proxmox SDN documentation I’ve read:
Port isolation is local to each host. Use the VNET Firewall to further isolate traffic in the VNET across nodes. For example, DROP by default and only allow traffic from the IP subnet to the gateway and vice versa. (This is a problem as we are going to have a cluster of 8 hosts).

My main question:
Is the only/recommended way to achieve this functionality across the entire cluster to combine PVLANs on the physical switches in conjunction with VNet port isolation in Proxmox, or are there other recommended approaches?

Is it possible to achieve this without using PVLANs on the physical switch? For example only allowing traffic between central gateway/firewall and a VM in VNet through VNet firewall? That way two VMs in the same VNet could communicate with each other only via the central firewall?

Has anyone here deployed such a setup (PVLAN + proxy ARP + Proxmox SDN)? Any lessons learned or information on how you would approach this requirement (microsegmentation of the VMs on the same subnet via central physical firewall) would be greatly appreciated.
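As an added illustration (not from the post or from the Proxmox project), the following constructed model shows why IP-only VNet rules cannot express "same-subnet VMs may only talk via the proxy-ARP gateway": the hairpinned packet carries the same IP header as a direct one, so a gateway-only rule set drops both hairpin legs along with direct traffic, and a subnet-wide rule set admits direct traffic along with the hairpin; the distinguishing property is the L2 peer, which is what port isolation or a PVLAN checks. Addresses, MACs and the rule syntax (modelled on Proxmox .fw rule lines, evaluated by a toy first-match function rather than the real firewall) are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed lab values (not from the post): one /24 VNet, a central gateway
# doing proxy ARP, and two VMs that must only reach each other through it.
SUBNET, GW_IP, GW_MAC = "10.10.0.0/24", "10.10.0.1", "aa:aa:aa:00:00:01"
VM_MACS = {"10.10.0.10": "bc:24:11:00:00:10", "10.10.0.11": "bc:24:11:00:00:11"}
Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip")

# Rule lines in the shape of a Proxmox .fw [RULES] entry (IN = towards a VM,
# OUT = from a VM) with default policy DROP; the evaluator is a model, not pve-firewall.
GATEWAY_ONLY = [f"OUT ACCEPT -source {SUBNET} -dest {GW_IP}",
                f"IN ACCEPT -source {GW_IP} -dest {SUBNET}"]
SUBNET_WIDE = [f"OUT ACCEPT -source {SUBNET} -dest {SUBNET}",
               f"IN ACCEPT -source {SUBNET} -dest {SUBNET}"]

def parse(line):
    hook, action, *kv = line.split()
    opts = {kv[i].lstrip("-"): ipaddress.ip_network(kv[i + 1], strict=False)
            for i in range(0, len(kv), 2)}
    return hook, action, opts.get("source"), opts.get("dest")

def l3_verdict(hook, frame, rules):
    """First match on IP addresses only: "OUT" at the sending VM's NIC,
    "IN" at the receiving VM's NIC. Falls through to the default policy."""
    src, dst = ipaddress.ip_address(frame.src_ip), ipaddress.ip_address(frame.dst_ip)
    for h, action, s_net, d_net in map(parse, rules):
        if h == hook and (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return action
    return "DROP"

def l2_verdict(frame):
    """What port isolation or a PVLAN enforces instead: a VM exchanges frames
    only with the uplink (here the gateway MAC), whatever the IP header says."""
    vm_macs = set(VM_MACS.values())
    if frame.src_mac in vm_macs and frame.dst_mac != GW_MAC:
        return "DROP"
    if frame.dst_mac in vm_macs and frame.src_mac != GW_MAC:
        return "DROP"
    return "ACCEPT"

# The same IP pair travels three ways: directly on L2, and as the two legs of the
# hairpin through the proxy-ARP gateway, which leaves the IP header unchanged.
DIRECT = Frame(VM_MACS["10.10.0.10"], VM_MACS["10.10.0.11"], "10.10.0.10", "10.10.0.11")
TO_GW = Frame(VM_MACS["10.10.0.10"], GW_MAC, "10.10.0.10", "10.10.0.11")
FROM_GW = Frame(GW_MAC, VM_MACS["10.10.0.11"], "10.10.0.10", "10.10.0.11")
```

Evaluating DIRECT, TO_GW and FROM_GW under both rule sets gives the direct frame and the hairpin legs the same L3 verdict every time, while l2_verdict separates them.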