Proxmox Firewall Rules for Hospitality Network Segmentation — Guest vs Staff Traffic

Working on a network segmentation project for a hospitality property and trying to get the Proxmox firewall configuration right before going live. The setup involves separating guest WiFi traffic from staff management systems, POS terminals, and back-office servers running on the same physical infrastructure.

Currently on Proxmox VE 8.x with three VLANs defined: one for guest internet access, one for staff operations, and one for server management. The main question is whether drop rules defined at the datacenter firewall level are sufficient to prevent guest VLAN traffic from reaching staff VMs, or whether rules inside each VM are also necessary as a second isolation layer.

The property is a five-star hotel in Lahore operating under Grace Hospitality, so uptime expectations are high, and getting guest-to-staff network isolation right matters both for security and for compliance with the property management systems running in the environment.

Has anyone configured a similar multi-tenant or hospitality setup on Proxmox where guest and operational traffic share the same physical hardware? Specifically curious about rule ordering at the bridge level and whether SDN zones would be a cleaner approach than traditional VLAN bridges for this kind of strict traffic separation.
 
currently on Proxmox VE 8.x
I hope you're updating before going live. EOL of 8.x is near.

has anyone configured a similar multi-tenant or hospitality setup on Proxmox where guest and operational traffic share the same physical hardware?
Isn't that the default use case for any non-small company? I have 6 VLANs at home with their corresponding WiFi APs in place to separate networks properly.

Most of your questions raise more questions. The access, distribution and core switches are also important, e.g. can a guest access the VLAN of the staff just by knowing the correct VLAN ID? If so, you have a bigger problem that cannot be solved at the PVE level. First, you need to have the network, including routers and firewalls, right for your use case; PVE is only a small problem down the line.

Normally, your VMs are only accessible in the VLAN they're configured with unless you configure it otherwise. The guests should only access other stuff in other network segments (layer 3) if you have a router configured, and it will forward and probably filter the network packets. You will not need to configure VLAN bridges unless you want to have access to your PVE from other VLANs.
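As an added example, not taken from either post in this thread, here is how the "two layers" asked about above map onto Proxmox firewall files. The [RULES] section of cluster.fw applies to the nodes themselves, not to VM traffic; a VM's traffic is filtered by the rules in its own <vmid>.fw, evaluated on that VM's tap port. So the datacenter file is used here only to define IPsets and a security group, and the VM file applies them as the per-VM layer. The subnets, VLAN IDs, VM ID 101, and the names guest_net, staff_net, mgmt_net and staff_server are assumptions chosen for this example.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level)
# Assumed subnets; replace with the property's real VLAN address plans.
[OPTIONS]
enable: 1

[IPSET guest_net] # VLAN 10, guest WiFi (assumed)
10.10.0.0/16

[IPSET staff_net] # VLAN 20, staff operations and POS (assumed)
10.20.0.0/24

[IPSET mgmt_net] # VLAN 30, server and PVE management (assumed)
10.30.0.0/24

# Security group: a reusable rule set that only takes effect on a VM
# whose <vmid>.fw references it. Rules are evaluated top to bottom.
[GROUP staff_server]
IN DROP -source +guest_net -log warning # explicit, logged drop of anything from guest address space
IN ACCEPT -source +staff_net -p tcp -dport 443 # staff clients reach the application over HTTPS
IN ACCEPT -source +mgmt_net -p tcp -dport 22 # admin SSH only from the management subnet
IN ACCEPT -source +mgmt_net -p icmp # monitoring pings from management

# /etc/pve/firewall/101.fw  (per-VM layer; VM 101 is a hypothetical back-office server)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
log_level_in: warning

[RULES]
GROUP staff_server -i net0 # apply the group on the VM's first NIC; default policy drops the rest
```

For the VM rules to be evaluated at all, the NIC line in the VM config must carry firewall=1 (for example net0: virtio=<mac>,bridge=vmbr0,tag=20,firewall=1), and the firewall must be enabled at datacenter, node and VM level. `pve-firewall compile` prints the generated ruleset and `pve-firewall status` confirms it is loaded. Note that these rules match on source IP, not on VLAN tag: if the switching layer lets a guest device land on VLAN 20 with a 10.20.0.0/24 address, the VM firewall sees it as staff traffic, which is exactly why the reply above says the switches, routers and upstream firewall have to be right before PVE rules can be trusted as a second layer.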