Networking advice needed

docmattman

Sep 14, 2012
I'm creating 10 virtual machines that all need network connectivity to communicate with each other. One of these VMs needs to communicate with other computers on the network (outside of PVE), but the other 9 don't need an outside connection. I'd like to set it up so that the other 9 VMs are not visible to other computers on the network. I guess I'm looking to create a "private" network for the 10 VMs and one of those VMs will also need to connect to the "public" network. Can anyone give me some advice on setting this up? I'm still pretty new to PVE.
 
To better clarify Dietmar's answer:
In general, think of a bridge (vmbrXX) as a physical switch.
- add a bridge from the Proxmox web interface without any IP (e.g. vmbr99) and without any Ethernet port connected (i.e. NO eth0 or eth1 or whatever)
- reboot (sigh!)
- now you can create 8 VMs with a single interface connected to vmbr99, and inside each VM assign a subnet not present in your normal LAN (e.g. 192.168.200.0/24) and assign a unique static IP to each VM
As gateway, assign the IP of that subnet that you have planned to assign to the 9th VM (e.g. could be 192.168.200.44)
- create the 9th VM with 2 interfaces, one connected to vmbr99 and the other to vmbr0. Let's say that eth0, connected to vmbr0, will have IP 192.168.1.44, while eth1, connected to vmbr99, will have 192.168.200.44
- in the 9th VM, create the forwarding and NAT rules to let traffic go from and to the two subnets
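The steps above, as an added example that is not part of the original post: a shell script that prints the host-side stanza for a port-less bridge and an `iptables-restore` ruleset for the two-NIC router VM. The names and addresses (vmbr99, eth0, eth1, 192.168.200.0/24) come from the post; the choice to drop LAN-initiated traffic into the private subnet, so the private VMs stay invisible as the question asks, is an assumption of this example.

```shell
#!/bin/sh
# Added example. Nothing here changes the system: the functions only print text.

# Stanza for /etc/network/interfaces on the PVE host: a bridge with no
# physical port, so it behaves like a switch that exists only inside the host.
bridge_stanza() {
    br=$1
    cat <<EOF
auto $br
iface $br inet manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0
EOF
}

# Ruleset for the router VM, in iptables-restore format.
# $1 = LAN-side interface, $2 = private-side interface, $3 = private subnet (CIDR)
router_ruleset() {
    [ $# -eq 3 ] || { echo "usage: router_ruleset LAN_IF PRIV_IF PRIV_CIDR" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "interfaces must differ" >&2; return 1; }
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $3 -o $1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $2 -o $1 -s $3 -j ACCEPT
-A FORWARD -i $1 -o $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

bridge_stanza vmbr99
router_ruleset eth0 eth1 192.168.200.0/24
# To apply inside the router VM as root (replaces existing nat/filter rules):
#   sysctl -w net.ipv4.ip_forward=1
#   router_ruleset eth0 eth1 192.168.200.0/24 | iptables-restore
```

With the FORWARD policy set to DROP, only connections opened from the private subnet are forwarded; replies come back through the conntrack rule, and hosts on the LAN cannot open connections to 192.168.200.0/24.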
 
Thanks for the info. I'll give this a try. One other question about this... I'm going to be creating a PVE cluster soon. If I have the VMs on separate PVE machines in the same cluster, can they still have their own "private" network using the bridge technique mentioned above? Or will they need something else since they won't all be on the same physical machine?
 
You need something else. Think of a vmbrXX as a physical switch "inside" your Proxmox server. If it is "linked" to some physical NIC port (e.g. eth0), it is as if it were "plugged" into the physical world; otherwise it is not. A vmbrXX that has no physical NIC can't be reached from outside the server.
What was suggested is a "trick" that is simple in concept, but people not used to virtualization often don't think about this possibility.
If you don't use it, you can use the same tools and techniques you would use in the physical world (VLANs or simply different network classes, depending upon how secure you need to be).
E.g. you could have 4 cluster nodes, each with 3 NICs, and use the 3rd NIC of them all for vmbr3 (created on all the 4 nodes), and connect eth3 of all the nodes to a separate switch. Again, the VM that acts as a "bridge" (router) between the two LANs will have 2 NICs and one on, e.g., vmbr0.
I'm not a big expert and don't have experience of the above; it is just the first idea that comes to my mind, and since no one has replied to your last question so far...
Best regards
 
