hi,
i have a proxmox setup (7.4-3) with 2 seperate physical interfaces. both are conennected to the same LAN segment (192.168.1.0/24). one is bridged to vmbr0 (managment of the host itself) and proxmox has an IP address on that interface. the other network adapter is a usb adapter (bound to vmbr1) for me to put all the VM's into so i can put them into their own DMZ of sorts. originally they were "actually" in a dmz between 2 hardware firewalls, but a change in my environment means that those vm's now need to be on my LAN, so i elected to start using the proxmox firewall to filter the traffic to/from them.
to summerise.
proxmox adapter0 = VMBR0 = mgmt IP for proxmox on 192.168.1.232
proxmox adapter1 = VMBR1 = all VM's are given their adapters from this interface. (proxmox itself does not own an IP in this interface). however, the interface is actually plugged into the same lan segment + phys switch as the adapter0.
if i add a firewall rule to the "host firewall area" (after enabling firewalling at DC, host and vm level);
i.e. DENY ,IN, Adapter: VMBR1, Source: ANY, Dest:192.168.1.238 (the vm guest).
i can STILL ping the vm guest from the local LAN and the guest can ping my LAN.
however, if i add the same firewall rule to the Guest VM itself (under proxmox "virtual machine firewall" area), the same rule works (albeit no adapter (vmbr1) needed on this rule as its at the machine level and the machine is bound to vmbr1).
Is this experience expected? because proxmox doesnt have an IP on the second interface it cannot do firewalling on said interface (layer 2 transparent firewalling, as it isnt the Default gateway for all traffic).
but it can do machine level firewalling because all traffic at the guest level is filtered (just not at the interface level those guests sit in?).
if thats the case, then ok, i'll await an update for interface level firewalling filtering and stick with firewalling at the machine level and replicate rules per vm.
or maybe i should be creating a secondary psudo vm network on proxmox so all the vm's sit in a different subnet and they need proxmox as a DG out to get to anything... if i do that however it would be on the primary mgmt vmbr0 interface exposing my hypervisor to the traffic i set out to put into a DMZ (using a secondary adapter which would now be defunct).
i have a proxmox setup (7.4-3) with 2 seperate physical interfaces. both are conennected to the same LAN segment (192.168.1.0/24). one is bridged to vmbr0 (managment of the host itself) and proxmox has an IP address on that interface. the other network adapter is a usb adapter (bound to vmbr1) for me to put all the VM's into so i can put them into their own DMZ of sorts. originally they were "actually" in a dmz between 2 hardware firewalls, but a change in my environment means that those vm's now need to be on my LAN, so i elected to start using the proxmox firewall to filter the traffic to/from them.
to summerise.
proxmox adapter0 = VMBR0 = mgmt IP for proxmox on 192.168.1.232
proxmox adapter1 = VMBR1 = all VM's are given their adapters from this interface. (proxmox itself does not own an IP in this interface). however, the interface is actually plugged into the same lan segment + phys switch as the adapter0.
if i add a firewall rule to the "host firewall area" (after enabling firewalling at DC, host and vm level);
i.e. DENY ,IN, Adapter: VMBR1, Source: ANY, Dest:192.168.1.238 (the vm guest).
i can STILL ping the vm guest from the local LAN and the guest can ping my LAN.
however, if i add the same firewall rule to the Guest VM itself (under proxmox "virtual machine firewall" area), the same rule works (albeit no adapter (vmbr1) needed on this rule as its at the machine level and the machine is bound to vmbr1).
Is this experience expected? because proxmox doesnt have an IP on the second interface it cannot do firewalling on said interface (layer 2 transparent firewalling, as it isnt the Default gateway for all traffic).
but it can do machine level firewalling because all traffic at the guest level is filtered (just not at the interface level those guests sit in?).
if thats the case, then ok, i'll await an update for interface level firewalling filtering and stick with firewalling at the machine level and replicate rules per vm.
or maybe i should be creating a secondary psudo vm network on proxmox so all the vm's sit in a different subnet and they need proxmox as a DG out to get to anything... if i do that however it would be on the primary mgmt vmbr0 interface exposing my hypervisor to the traffic i set out to put into a DMZ (using a secondary adapter which would now be defunct).