PBS with Multiple VLANs: Possible to Bind GUI to Single VLAN?

[SInisterPisces]

Hello,

tl;dr, I have multiple IP addresses on PBS (1 per VLAN) and want to bind the GUI to a single VLAN. I'm not sure how to do this/if it's possible.

I've got two NICs set up in my PBS server via a Linux bond. I put a VMBR on top of that so I could assign VLANs.

One of the VLANs is my management VLAN. This one has IP Address A.
The other VLAN is my storage network VLAN. It has IP Address B.

I'd like for the web GUI to be bound only to IP Address A. Nothing and no one should ever attempt to use the GUI from within the storage network VLAN.

I think I could dig into the system via the shell and find whatever config file tells the web server to listen on all interfaces, but that is clearly not a supported adjustment. Am I missing something?

Right now, my config looks like this:

root@andromeda0:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface enp1s0 inet manual
#MTU 9000
        mtu 9000

iface enp2s0 inet manual
#MTU 9000
        mtu 9000

source /etc/network/interfaces.d/*

auto bond0
iface bond0 inet manual
#LACP Bond for On-Board Intel NICs - MTU 9000
        bond-mode 802.3ad
        bond_xmit_hash_policy layer2+3
        bond-slaves enp1s0 enp2s0
        mtu 9000

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.2/24
        gateway 10.10.10.1
#Linux bridge with VLAN tag awareness for bond0 - MTU 9000
        bridge-vlan-aware yes
        bridge-ports bond0
        bridge-vids 2-4094
        mtu 9000

auto vmbr0.200
iface vmbr0.200 inet static
        address 10.10.200.10/24
#Storage Network VLAN - MTU 9000
        mtu 9000

 

[Chris]

Hello,

tl;dr, I have multiple IP addresses on PBS (1 per VLAN) and want to bind the GUI to a single VLAN. I'm not sure how to do this/if it's possible.

I've got two NICs set up in my PBS server via a Linux bond. I put a VMBR on top of that so I could assign VLANs.

One of the VLANs is my management VLAN. This one has IP Address A.
The other VLAN is my storage network VLAN. It has IP Address B.

I'd like for the web GUI to be bound only to IP Address A. Nothing and no one should ever attempt to use the GUI from within the storage network VLAN.

I think I could dig into the system via the shell and find whatever config file tells the web server to listen on all interfaces, but that is clearly not a supported adjustment. Am I missing something?

Right now, my config looks like this:

root@andromeda0:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

iface enp1s0 inet manual
#MTU 9000
        mtu 9000

iface enp2s0 inet manual
#MTU 9000
        mtu 9000

source /etc/network/interfaces.d/*

auto bond0
iface bond0 inet manual
#LACP Bond for On-Board Intel NICs - MTU 9000
        bond-mode 802.3ad
        bond_xmit_hash_policy layer2+3
        bond-slaves enp1s0 enp2s0
        mtu 9000

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.2/24
        gateway 10.10.10.1
#Linux bridge with VLAN tag awareness for bond0 - MTU 9000
        bridge-vlan-aware yes
        bridge-ports bond0
        bridge-vids 2-4094
        mtu 9000

auto vmbr0.200
iface vmbr0.200 inet static
        address 10.10.200.10/24
#Storage Network VLAN - MTU 9000
        mtu 9000

Hi,

the Proxmox Backup Server proxy server will listen on all interfaces, so you will have to setup a firewall rule if you want to restrict access from a certain subnet.

 

[SInisterPisces]

Thanks.

Just to clarify, that's on my actual whole-network firewall, right (e.g., OPNSense)?

PVE has its own firewall built in, but I didn't see anything similar for PBS.

Is there a chance interface selection will come to PBS eventually? I know it's available in PVE via the pveproxy configuration file.

 

[Chris]

Just to clarify, that's on my actual whole-network firewall, right (e.g., OPNSense)?

Where you want to drop eventual traffic depends on the network topology.

PVE has its own firewall built in, but I didn't see anything similar for PBS.

No, there is no firewall as in PVE for PBS, but nevertheless you can use iptables based filtering by e.g. adding rules via post-up hooks in your network configuration. For more details and examples on this see https://wiki.debian.org/iptables

Is there a chance interface selection will come to PBS eventually? I know it's available in PVE via the pveproxy configuration file.

There is no such configuration option at the moment, the listen address and port are hardcoded, see https://git.proxmox.com/?p=proxmox-...23b671c0f84d21181a40853b9d99c58f;hb=HEAD#l308

Please feel free to open a feature request at https://bugzilla.proxmox.com/, in order to evaluate such a configuration option.

 

[SInisterPisces]

Added an enhancement request here: https://bugzilla.proxmox.com/show_bug.cgi?id=5620

Thanks!