Prevent access to local network from VM.

StathisKap

New Member
Oct 19, 2022
I want to give access to a Linux VM to a friend of mine, but I don't want him to be able to see the other devices on my network. Is there a way I can set it on a separate network so that when it connects, it looks to him like the VM and the "router" are the only 2 devices?

Thank you
 
You can either put the VM in its own VLAN or just create a new bridge with its own subnet, that is only assigned to the VM in question.
 
I've been trying to figure out how to do that but can't. So if I want to create a new bridge with a subnet. what do I add in the fields?
I'm already using subnet 2, so do I just add 192.168.3.1 in IPV4, and 255.255.0.0 in Gateway? Would that hide everything else?
Screenshot 2022-10-19 at 12.24.12.png
 
Just add 192.168.3.0/24 in IPv4/CIDR and nothing else. Then you should have an isolated 192.168.3.x network in that bridge.

edit: another option would be to just configure firewall rules for your VM
 
I tried adding 192.168.3.0/24 in IPv4 and then changing the VM network card to use the new bridge, but it won't connect. Doesn't say why. Would I need a second card for it?
Also I'd be willing to do firewall rules but mostly after I've exhausted other options. Thank you for the quick replies btw
 
You need to configure the bridge in the VM as well. You need to configure a static IP in the VM on the NIC (for instance 192.168.3.1).


edit: something like this

Code:
iface ens18 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.3.1/24
        bridge-ports ens18
        bridge-stp off
        bridge-fd 0


edit2: I just noticed you probably want internet access, so if you want internet access without the VM being able to access other VMs on the same bridge, it might just be smarter to put the VM on the existing bridge in its own VLAN.
 
I had tried that before I made this post so I was just making sure. I just tried it again and I get this again.

Code:
Error: 8021q: VLAN device already exists.
can't add vlan tag 1 to interface enp1s0 - command '/sbin/ip link add link enp1s0 name enp1s0.1 type vlan id 1' failed: exit code 2

kvm: -netdev type=tap,id=net0,ifname=tap102i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on: network script /var/lib/qemu-server/pve-bridge failed with status 512
TASK ERROR: start failed: QEMU exited with code 1
 
Ok sorry, apparently I thought this would work but I was mistaken. I am terribly sorry for the confusion so far, I'll try to redeem myself now ;)

After trying some stuff I think the easiest solution for you would be to just use firewall rules to isolate the VM, other setups have a bit more complexity and might be too complex for your simple use case.

You can accomplish this by:
  1. Creating a new Security Group (Datacenter > Firewall > Security Group)
  2. Adding the following rules to the Security Group:

    Code:
    IN ACCEPT -log nolog                      # allow incoming traffic
    OUT ACCEPT -dest 192.168.x.x -log nolog   # allows access to your DNS (if it is on LAN)
    OUT ACCEPT -dest 192.168.x.x -log nolog   # allows access to your gateway
    OUT DROP -dest 192.168.0.0/16 -log nolog  # denies all access to other members of LAN
  3. Adding the Security Group to the VM (Select your VM > Firewall > "Insert Security Group") - You can add the name of your interface there so it only applies to the respective vNIC
  4. Enabling the Firewall on a Datacenter level (Datacenter > Firewall > Options > Firewall > "Yes")
  5. Enabling the Firewall on the VM (Select your VM > Firewall > Options > Firewall > "Yes")
Once again, sorry for the confusion. I hope this works for you now.
 
I have adguard running on 192.168.2.15 so I use that as the DNS. My router's IP is 192.168.2.1. I've set those things in the rules as you described, and I can't see the other devices on my network but I also can't connect to the internet. I can however, for some reason, ping 8.8.8.8, but not ping www.google.com.
 
That's weird but being able to ping an IP but not a domain usually means there is some issue with the DNS. Are you sure it is correctly whitelisted? Maybe double-check your DNS settings if the connection is using the DNS server you expect it to use. (can use dig for that)

edit: the order is also important, you need the blanket DROP on all local IPs to be the last entry
 
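The ordering point above, as an added worked example that is not part of the thread and not Proxmox's own code: a small Python model of first-match rule evaluation over the security group rules from the steps earlier in the thread, filled in with the DNS (192.168.2.15) and gateway (192.168.2.1) addresses the thread mentions. It assumes Proxmox's default VM policies (incoming DROP, outgoing ACCEPT) and matches only on direction and destination; the real pve-firewall also matches source, protocol and port, so this is a deliberate simplification. Running it with the blanket DROP first reproduces the symptom from the thread (8.8.8.8 reachable, DNS server not).

```python
import ipaddress

# Constructed example: a first-match evaluator for rules of the form
# "DIR ACTION [-dest CIDR] [-log nolog]". Direction and destination only;
# the real Proxmox firewall matches more fields than this.

# LAN addresses taken from the thread: the AdGuard DNS server and the router.
DNS_SERVER = "192.168.2.15"
GATEWAY = "192.168.2.1"

# Assumed Proxmox VM firewall defaults: inbound DROP, outbound ACCEPT.
DEFAULT_POLICY = {"IN": "DROP", "OUT": "ACCEPT"}


def parse_rule(line):
    """Turn one rule line (trailing '# comment' allowed) into (direction, action, dest_network)."""
    body = line.split("#", 1)[0].split()
    direction, action = body[0], body[1]
    dest = None
    if "-dest" in body:
        # A bare host address becomes a /32 network, so 'in' works uniformly.
        dest = ipaddress.ip_network(body[body.index("-dest") + 1], strict=False)
    return direction, action, dest


def evaluate(rules, direction, dst_ip):
    """First matching rule decides, as in pve-firewall; otherwise the policy default applies."""
    ip = ipaddress.ip_address(dst_ip)
    for rule_dir, action, dest in rules:
        if rule_dir != direction:
            continue
        if dest is None or ip in dest:
            return action
    return DEFAULT_POLICY[direction]


# The security group from the thread, with the placeholders filled in.
CORRECT_ORDER = [parse_rule(line) for line in [
    "IN ACCEPT -log nolog                      # allow incoming traffic",
    f"OUT ACCEPT -dest {DNS_SERVER} -log nolog   # DNS on the LAN",
    f"OUT ACCEPT -dest {GATEWAY} -log nolog      # gateway",
    "OUT DROP -dest 192.168.0.0/16 -log nolog  # everything else on the LAN",
]]

# Same rules with the blanket DROP moved to the top: the ordering mistake from the thread.
WRONG_ORDER = [CORRECT_ORDER[3]] + CORRECT_ORDER[:3]


def check_isolation(rules):
    """Decision for each kind of destination the isolated VM might try to reach."""
    return {
        "dns": evaluate(rules, "OUT", DNS_SERVER),
        "gateway": evaluate(rules, "OUT", GATEWAY),
        "other_lan_host": evaluate(rules, "OUT", "192.168.2.42"),  # constructed LAN host
        "internet": evaluate(rules, "OUT", "8.8.8.8"),
        "inbound": evaluate(rules, "IN", "192.168.2.42"),
    }


if __name__ == "__main__":
    for name, rules in (("DROP last", CORRECT_ORDER), ("DROP first", WRONG_ORDER)):
        print(name, check_isolation(rules))
```

With the DROP last, the DNS server and gateway are accepted, the rest of 192.168.0.0/16 is dropped, and anything outside the LAN falls through to the outbound ACCEPT default. With the DROP first it shadows the two ACCEPT rules, so the VM can still reach 8.8.8.8 but not its DNS server, which is exactly the "ping works, names don't" symptom reported above.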
Oh alright. Yeah it was the order. Works exactly as I wanted it now. Thank you so much for being patient with me and helping me set this up.
Appreciate it
 
I've followed these steps to restrict network access on an LXC rather than a VM. From inside the LXC, I can no longer ping devices on my local network other than the network gateway; however, I can still see all the devices on my local network using

Code:
sudo nmap -sn 192.168.1.0/24

Why is this happening, and how can I block all local network access? Would putting this LXC on a separate VLAN be a more robust solution?
 