[SOLVED] Only Allow Traffic from One host to any VMs on vmbr0

weubjndsknpen

Feb 2, 2022
Hi,

I'm a Proxmox newb. I apologize in advance if I just failed at Googling/searching this. I'd appreciate any assistance someone can provide. I've got some potentially vulnerable guest VMs spun up on my Proxmox server. They all get bridged to the same network the vmbr0 interface is on (i.e. 192.168.1.10).

Each VM pulls its own address from the 192.168.1.0/24 network via DHCP (i.e. 192.168.1.11, 192.168.1.12, 192.168.1.13, etc.).

Is there a way to set up a firewall rule on Proxmox such that a specific host (i.e. 192.168.1.9) can connect to any ports on these systems (which there could eventually be more of), and prevent any other host on the 192.168.1.0/24 subnet from reaching the guest VMs I spin up, or do I need to network the whole thing differently? I'd rather avoid configuring firewalls on each guest if possible.

Thanks,
Sam
 
I figured this out. I made a security group with the rules under DataCenter --> Firewall --> Security Groups and turned it "on".
Set Firewall to Yes under DataCenter --> Firewall --> Options.

Under PVE (Node) --> Firewall, I inserted the security group, applied it to vmbr0 and turned the rule on.
Set Firewall to Yes under pve --> Firewall --> Options.

In each VM, I did the following:
Hardware --> Network Device (net0): Checked the Firewall box.
Firewall: Added the security group and enabled it, but left the interface empty.

There might be a better way to do this, but it worked for me and I didn't have to stand up a router VM for lab work. From the management system, I can communicate with the server and all VMs. From another computer I cannot hit any ports.

The following posts were helpful.
https://forum.proxmox.com/threads/pve-firewall-doesnt-have-any-effect.47393/
https://serverfault.com/questions/801617/how-to-apply-proxmox-firewall-rules-to-vms
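The GUI steps in the post above correspond to the firewall files Proxmox VE keeps under /etc/pve. This is an added example, not configuration posted by the thread author: the group name `mgmt-only`, the two rules inside it and VMID 100 are assumptions, since the post does not list the rules it used.

```ini
# /etc/pve/firewall/cluster.fw  (Datacenter --> Firewall)
[OPTIONS]
enable: 1

# Security group; the name and both rules are assumptions.
# Rules are evaluated top to bottom, so the ACCEPT must come first.
[group mgmt-only]
IN ACCEPT -source 192.168.1.9 -log nolog
IN DROP -source 192.168.1.0/24 -log nolog

# /etc/pve/nodes/pve/host.fw  (node "pve" --> Firewall)
[OPTIONS]
enable: 1

[RULES]
GROUP mgmt-only -i vmbr0

# /etc/pve/firewall/100.fw  (one file per guest; VMID 100 is a placeholder)
[OPTIONS]
enable: 1

[RULES]
# No -i given, so the group applies to every firewalled NIC of the guest.
GROUP mgmt-only

# /etc/pve/qemu-server/100.conf  (the "Firewall" checkbox on net0)
# net0: virtio=<MAC>,bridge=vmbr0,firewall=1
```

Running `pve-firewall compile` on the node prints the ruleset generated from these files without applying it, and `pve-firewall status` shows whether the firewall service is enabled and running.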
 
