Proxmox ignores Firewalling on interface at host level, but accepts at vm level.


New Member
Aug 14, 2023

I have a Proxmox setup (7.4-3) with 2 separate physical interfaces. Both are connected to the same LAN segment. One is bridged to vmbr0 (management of the host itself) and Proxmox has an IP address on that interface. The other network adapter is a USB adapter (bound to vmbr1) for me to put all the VMs into so I can put them into their own DMZ of sorts. Originally they were "actually" in a DMZ between 2 hardware firewalls, but a change in my environment means that those VMs now need to be on my LAN, so I elected to start using the Proxmox firewall to filter the traffic to/from them.

To summarise:
proxmox adapter0 = VMBR0 = mgmt IP for proxmox on
proxmox adapter1 = VMBR1 = all VMs are given their adapters from this interface (Proxmox itself does not own an IP on this interface). However, the interface is actually plugged into the same LAN segment + phys switch as adapter0.

If I add a firewall rule to the "host firewall area" (after enabling firewalling at DC, host and VM level),
i.e. DENY, IN, Adapter: VMBR1, Source: ANY, Dest: (the VM guest),
I can STILL ping the VM guest from the local LAN and the guest can ping my LAN.

However, if I add the same firewall rule to the guest VM itself (under the Proxmox "virtual machine firewall" area), the same rule works (albeit no adapter (vmbr1) is needed on this rule, as it's at the machine level and the machine is bound to vmbr1).

Is this experience expected? Because Proxmox doesn't have an IP on the second interface, it cannot do firewalling on said interface (layer 2 transparent firewalling, as it isn't the default gateway for all traffic).

But it can do machine-level firewalling because all traffic at the guest level is filtered (just not at the interface level those guests sit in?).

If that's the case, then OK, I'll await an update for interface-level firewall filtering and stick with firewalling at the machine level and replicate rules per VM.

Or maybe I should be creating a secondary pseudo VM network on Proxmox so all the VMs sit in a different subnet and they need Proxmox as a DG out to get to anything... If I do that, however, it would be on the primary mgmt vmbr0 interface, exposing my hypervisor to the traffic I set out to put into a DMZ (using a secondary adapter which would now be defunct).

