Hello everyone!
I have a recently created Proxmox 7 cluster made of a number of hosts. These hosts have a public IP address each and also a private IP address (192.168.1.0/24), connected via VLAN with id 4003, which is used by the hosts to talk to each other (it's the IP address I used when creating the cluster and it has entries on all /etc/hosts files).

Also the VMs will have a private network (192.168.0.0/24) via VLAN with id 4002 to communicate among themselves (e.g. web server to database server).

Now I am planning how to configure the firewall, and one of the configuration items will be preventing private traffic from going outside of the specific scope described above. Specifically, I am talking about IP subnets:
- 169.254.0.0/16 (RFC3927)
- 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (RFC1918)
- 100.64.0.0/10 (RFC6598)

192.168.1.0/24) and among guests (192.168.1.0/24), I was wondering at which level (datacenter or node) to apply the rules and how to configure the rules.

At the moment I have this in mind:
- Allow outgoing traffic to net 192.168.0.0/24 only through interface vmbr4002 (private network for guests).
- Allow outgoing traffic to net 192.168.1.0/24 only through interface vmbr4003 (private network for hosts).
- Disallow outgoing traffic to the Proxmox IP Set ipv4_private (which includes all aliases for the above-mentioned private networks).

Analogously, should I add a rule for incoming traffic among hosts for the 192.168.1.0/24 range on the vmbr4003 bridge at the datacenter level?

Finally, should I add a rule for incoming traffic among guests for the 192.168.0.0/24 range at the VM level or at the datacenter level on the vmbr4002 bridge?

Thanks in advance.
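One way to lay out the rules the post describes, as an added example that is not from the original post or from the Proxmox documentation, in the format of the Proxmox VE firewall files under /etc/pve/firewall/. The [RULES] section of cluster.fw filters only the hosts themselves, so the guest side is written as a security group defined at the datacenter level and assigned per VM. The alias names hosts_net and guests_net, the group name guest_private, the <vmid> placeholder and the assumption that net1 is the guest NIC attached to vmbr4002 are all mine, not from the post.

```ini
# /etc/pve/firewall/cluster.fw
# Datacenter level. [RULES] here apply to the hosts; the [group] is only a
# definition until a VM references it.
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[ALIASES]
hosts_net 192.168.1.0/24 # host network, VLAN 4003 on vmbr4003 (from the post)
guests_net 192.168.0.0/24 # guest network, VLAN 4002 on vmbr4002 (from the post)

[IPSET ipv4_private] # ranges that must never leave the private bridges
10.0.0.0/8 # RFC1918
172.16.0.0/12 # RFC1918
192.168.0.0/16 # RFC1918, contains both hosts_net and guests_net
169.254.0.0/16 # RFC3927
100.64.0.0/10 # RFC6598

[RULES]
# Rules match top to bottom: the ACCEPTs for the legitimate bridge must
# come before the catch-all DROP, since the ipset covers 192.168.1.0/24 too.
IN ACCEPT -source hosts_net -dest hosts_net -i vmbr4003 -log nolog
OUT ACCEPT -source hosts_net -dest hosts_net -i vmbr4003 -log nolog
OUT DROP -dest +ipv4_private -log warning # private-bound traffic on any other interface

[group guest_private] # assumed name; assigned per VM below
IN ACCEPT -source guests_net -dest guests_net -log nolog
OUT ACCEPT -source guests_net -dest guests_net -log nolog

# /etc/pve/firewall/<vmid>.fw
# VM level. <vmid> is a placeholder for the guest's ID. The VM's net devices
# need firewall=1 in the VM config for these rules to take effect. net1 is
# assumed to be the NIC on vmbr4002.
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
GROUP guest_private -i net1 # guest-to-guest traffic only on the vmbr4002 NIC
OUT DROP -dest +ipv4_private -log warning # private-bound traffic leaving via any other NIC
```

Aliases are referenced by name and IP sets with a leading `+`; datacenter-level aliases and IP sets are visible to VM rules, so the ipset is defined once. Before enabling the host firewall on a node you can only reach over the network, run `pve-firewall compile` on that node to review the generated iptables rules and `pve-firewall status` afterwards; Proxmox adds its own rules for corosync traffic between cluster members, but with the management address on the 192.168.1.0/24 VLAN that is worth confirming in the compiled output rather than assuming.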