Multiple IPs with Firewall VM and VLAN

marcel.sottnik

New Member
Feb 28, 2020
Hi Forum

I have the following scenario:

I got assigned multiple IPs (with different gateways) on the only physical NIC of my host system. All IPs but one, which is reserved for access to the Proxmox host, would be assigned to a firewall VM. Only this firewall would interface with the host. The rest of the VMs would just get IPs of the VLAN from the firewall VM over DHCP, and the FW VM would also handle all the traffic, NATting and filtering. I struggle to configure this setup.

My (naive) idea was to create an IP-less Linux bridge on the primary network device of the host, connect the virtual NIC of the firewall to that bridge, create an IP-less VLAN and connect the other VMs' NICs to that VLAN. The firewall would have multiple IPs defined on its NIC, distribute LAN IPs over DHCP and handle all access of the VMs to the outside. Obviously my scenario is not possible (as the GUI won't allow me to do this), or I cannot set it up properly.
Could you point me in the right direction to achieve what I want?
 
How about the following:
* connect the one nic to one bridge (vmbr0 - where you configure the IP for the PVE-Node)
* create an IPless bridge without any nic assigned (vmbr1)
* create your firewall VM - add one interface to vmbr0 (outbound/egress interface)
* add another interface of that VM to vmbr1 (inside interface)
* configure the firewall VM as needed (add IPs for the various subnets, create firewall rules, configure DHCP)
* create your guests and add their interfaces to vmbr1

All of that should be doable via the GUI.

Should you still need more separation, you can either create more bridges without interfaces, or make vmbr1 VLAN-aware and add interfaces with VLAN tags to the guests (and to the firewall guest).

I hope this gets you started!

Otherwise, also check out our reference documentation: https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysadmin_network_configuration
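The steps above, written out as an added example that is not code from the thread or from the Proxmox project: a POSIX shell script that prints the host's /etc/network/interfaces stanzas and the qm commands for the firewall VM and two guests, including the VLAN-aware variant from the last paragraph. The NIC name enp35s0, the 203.0.113.0/24 addresses, VM IDs 100 to 102 and VLAN IDs 10 and 20 are assumptions; the bridge-ports check encodes the rule that a physical NIC can be a port of only one bridge.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox. Assumed names: NIC
# enp35s0, node address 203.0.113.10/24 with gateway 203.0.113.1 (RFC 5737
# documentation addresses), firewall VM 100, guests 101 and 102, VLAN IDs 10 and 20.
# Without --apply the script only prints what it would do.

NIC=${NIC:-enp35s0}
HOST_IP=${HOST_IP:-203.0.113.10/24}
HOST_GW=${HOST_GW:-203.0.113.1}

# /etc/network/interfaces stanzas in PVE 6 (ifupdown2) syntax. vmbr0 carries the
# physical NIC and the node's only address. vmbr1 has no ports and no address and
# is VLAN-aware, so it is purely an internal switch behind the firewall VM.
host_interfaces() {
  cat <<EOF
iface $NIC inet manual

auto vmbr0
iface vmbr0 inet static
        address $HOST_IP
        gateway $HOST_GW
        bridge-ports $NIC
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
EOF
}

# A physical NIC can be a port of exactly one bridge. Reads an interfaces file on
# stdin and fails if any interface is listed under bridge-ports more than once.
check_ports_unique() {
  dupes=$(awk '/^[[:space:]]*bridge-ports/ { for (i = 2; i <= NF; i++) if ($i != "none") print $i }' \
          | sort | uniq -d)
  [ -z "$dupes" ]
}

# Firewall VM: net0 on vmbr0 (public side), net1 on vmbr1 without a tag, so it
# receives all VLANs as a trunk and serves DHCP/NAT per VLAN on eth1.10, eth1.20.
# Guests: one NIC on vmbr1 with an access tag; they never touch vmbr0.
vm_commands() {
  cat <<EOF
qm set 100 --net0 virtio,bridge=vmbr0
qm set 100 --net1 virtio,bridge=vmbr1
qm set 101 --net0 virtio,bridge=vmbr1,tag=10
qm set 102 --net0 virtio,bridge=vmbr1,tag=20
EOF
}

if [ "${1:-}" = "--apply" ]; then
  # Refuses to proceed on a config that reuses the NIC. The stanzas are printed
  # for you to merge into /etc/network/interfaces before running ifreload -a.
  host_interfaces | check_ports_unique || { echo "NIC listed in more than one bridge" >&2; exit 1; }
  host_interfaces
  vm_commands | sh
else
  host_interfaces
  echo
  vm_commands
fi
```

Paste the printed stanzas into /etc/network/interfaces in place of the existing vmbr0 block (or create the same two bridges in the GUI) and run ifreload -a. The firewall VM then sees VLAN 10 and 20 as eth1.10 and eth1.20 on its inside interface, while each guest sees plain untagged Ethernet on its own VLAN.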
 

When trying to create the IP-less bridge, it won't work:
[screenshot of the error]

/etc/network/interfaces:
Code:
auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp35s0
iface enp35s0 inet static

auto vmbr0
iface vmbr0 inet static
        address xxx.xxx.xxx.xxx
        netmask 255.255.xxx.xxx
        gateway xxx.xxx.xxx.xxx
        bridge_ports enp35s0
        bridge_stp off
        bridge_fd 0
 
I realized the error had nothing to do with vmbr1. It was some glitch in the Proxmox config interface. After setting a comment on enp35s0 and applying the changes, I could save and apply changes.
 
I don't understand how the above solution includes the option for multiple IPs on one NIC.
I cannot define multiple IPs on vmbr0. I also cannot create something like vmbr0:0 with a different address.
I cannot create a separate vmbr2 which would use enp35s0 as a port. Once enp35s0 is used as a port/slave, it cannot be used in any other network definition.
I cannot use routing either, because the other additional IP doesn't have the same gateway as the main one.
I really am running out of options here.
What I am trying to achieve is a pretty easy network definition on Hyper-V. I don't want to believe that Linux cannot achieve the same.
 
I thought you want to configure all subnets (apart from the one where the PVE-node has its ip) inside the Firewall VM?
Why would you want to give the PVE node an IP in all subnets?

Having multiple gateways does not work as expected (not without quite some manual intervention) on a host, since it can always have only one default route. Usually you want to have a transparent (layer-2) firewall which does the packet filtering, and on the guests you define an IP from one subnet with its regular gateway.

I hope this helps
 
I thought you want to configure all subnets (apart from the one where the PVE-node has its ip) inside the Firewall VM?
Why would you want to give the PVE node an IP in all subnets?
Actually I don't. It was just to illustrate what I tried. I want one of the public IPs on the PVE and the rest assigned to the FW VM.

Having multiple gateways does not work as expected (not without quite some manual intervention) on a host, since it can always have only one default route. Usually you want to have a transparent (layer-2) firewall which does the packet filtering, and on the guests you define an IP from one subnet with its regular gateway.

I hope this helps

I have now ordered all my public IPs so that they are in the same range with the same gateway. One of them should be assigned as the external IP of the PVE host and the rest should be set in the FW VM as its external IPs. My difficulty is how to make a setup where all traffic incoming to the PVE with external IP1 stays on the PVE host and the rest is forwarded to the FW VM.

Current FW VM NICs configuration:
[screenshot]

Current PVE host configuration:
[screenshot]
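The two points above (a host keeps exactly one default route, and the public addresses now share one range and one gateway, with the node holding the first address and the firewall VM the rest) in an added example that is not code from the thread or from Proxmox: a POSIX shell script for the WAN side of a Linux-based firewall VM. The interface names eth0 and eth1.10, the 203.0.113.0/24 and 198.51.100.0/24 addresses, the 10.10.10.0/24 inside VLAN and the routing table number are assumptions. It also shows the source-based policy routing that one extra address with a different gateway would need, which is the manual intervention the reply mentions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox. Assumed: eth0 is the
# firewall VM's NIC on vmbr0, eth1.10 its VLAN 10 sub-interface on vmbr1, the extra
# public addresses 203.0.113.11 and .12 share the node's gateway 203.0.113.1, and
# VLAN 10 uses 10.10.10.0/24 (documentation and private addresses only).
# Without --apply the script only prints the commands.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1.10}
GW=${GW:-203.0.113.1}
PUBLIC_IPS=${PUBLIC_IPS:-"203.0.113.11/24 203.0.113.12/24"}
LAN_NET=${LAN_NET:-10.10.10.0/24}

# Same subnet, same gateway: every public address sits on the WAN NIC and a single
# default route serves all of them. The node keeps its own address on vmbr0; the
# bridge delivers frames for each address to whichever MAC answered ARP for it,
# so nothing has to be forwarded from the host to the VM.
wan_same_gateway() {
  for ip in $PUBLIC_IPS; do
    echo "ip addr add $ip dev $WAN"
  done
  echo "ip route replace default via $GW dev $WAN"
}

# Different gateway per address (the situation the thread started with): the main
# table holds one default route, so a second gateway gets its own table, selected
# by source address. Usage: wan_policy_route <ip/prefix> <gateway> <table-id>
wan_policy_route() {
  ip=$1; gw=$2; table=$3
  echo "ip addr add $ip dev $WAN"
  echo "ip route add default via $gw dev $WAN table $table"
  echo "ip rule add from ${ip%/*} lookup $table"
}

# NAT the inside VLAN out through the first public address (nftables).
nat_rules() {
  first=${PUBLIC_IPS%% *}
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
nft add table ip nat
nft add chain ip nat postrouting '{ type nat hook postrouting priority 100 ; }'
nft add rule ip nat postrouting ip saddr $LAN_NET oifname "$WAN" snat to ${first%/*}
EOF
}

# Sanity check: reads "ip route show" output on stdin and prints the number of
# default routes in the main table. More than one is the case the reply warns about.
count_default_routes() {
  grep -c '^default ' || true
}

if [ "${1:-}" = "--apply" ]; then
  { wan_same_gateway; nat_rules; } | sh
  n=$(ip route show | count_default_routes)
  [ "$n" -eq 1 ] || { echo "expected one default route, found $n" >&2; exit 1; }
else
  wan_same_gateway
  nat_rules
  echo "# one extra address with its own gateway would need policy routing:"
  wan_policy_route 198.51.100.5/24 198.51.100.1 100
fi
```

Run it inside the firewall VM as root with --apply. The Proxmox host itself needs nothing beyond its single address on vmbr0: traffic for IP1 reaches the host's MAC, traffic for the other addresses reaches the VM's MAC, and the final check confirms the VM's main routing table still has exactly one default route.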
 