Hey,
you can add a firewall rule to drop/reject traffic in a subnet by setting the source and destination to the subnet. If your router should also be on the same subnet, you can add another rule (in front of the blocking one) that allows all traffic from and to the router.
(Datacenter -> Firewall -> Add)

Hi, thank you for your reply. I have explored the firewall rules; it is good, however I will be hosting 50-60 tenant VMs, so managing the firewall rules of all those VMs individually isn't going to be practical. Hence I am looking for a solution within Proxmox to better this. SDN along with VLAN may be a solution, but if I am hosting 50-60 VMs then managing traffic among those VMs is going to be quite challenging. I will host one company that will have 4 VMs, some of which will communicate with each other and some won't.

Hi,
Maybe an external pppoe server could do the job. Each VM will use a pppoe client.
Good luck / Bafta !

Hi, thank you for your suggestion. Do you have any documentation for this or any online article on it?

You can specify a whole network as dest/src, 192.168.1.0/24 would include all hosts from 192.168.1.1-254. So there is no need for a rule for every VM. You will however need a rule for every exception.

Ok, let's say if I have 100 VMs from 40 tenants. Now each tenant may have up to 4 VMs. Among those four, two VMs will communicate with each other and the other 2 won't. Similar combinations such as these will be applicable for all other tenants and their VMs. Should I create specific subnets for all these?
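The two replies above (one subnet-wide DROP, a router exception in front of it, and one rule per allowed exception) can be generated from a tenant table rather than typed per VM, which is what the "100 VMs from 40 tenants" question is really asking about. The script below is an added example, not code from the thread or from the Proxmox project; the tenant names, IPs and allowed pairs are constructed, and it assumes the `[ALIASES]` / `[IPSET name]` / `[RULES]` syntax of `/etc/pve/firewall/cluster.fw` as documented for pve-firewall, which should be checked against the installed version before the output is deployed.

```python
"""Generate Proxmox cluster-level firewall sections for a shared tenant subnet:
a router exception, one ACCEPT per allowed VM pair, one DROP for everything
else inside the subnet. Added example; cluster.fw syntax assumed as documented."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data for illustration only (not from the thread).
SUBNET = "192.168.1.0/24"
ROUTER = "192.168.1.1"   # gateway that must stay reachable from every VM

# tenant -> {vm name -> IP}; all tenants share one flat subnet here.
TENANTS: Dict[str, Dict[str, str]] = {
    "acme": {"web": "192.168.1.10", "db": "192.168.1.11",
             "build": "192.168.1.12", "backup": "192.168.1.13"},
    "globex": {"app": "192.168.1.20", "cache": "192.168.1.21"},
}

# Only these pairs may talk to each other (both directions). Every other
# VM-to-VM flow inside the subnet, including between tenants, is dropped.
ALLOWED: Dict[str, List[Tuple[str, str]]] = {
    "acme": [("web", "db")],
    "globex": [("app", "cache")],
}


def validate(tenants: Dict[str, Dict[str, str]], subnet: str) -> Dict[str, str]:
    """Reject IPs outside the subnet and IPs assigned twice; a duplicate would
    silently give one tenant's VM another tenant's allowances."""
    net = ipaddress.ip_network(subnet)
    owner: Dict[str, str] = {}
    for tenant, vms in tenants.items():
        for vm, ip in vms.items():
            if ipaddress.ip_address(ip) not in net:
                raise ValueError(f"{tenant}/{vm}: {ip} is not inside {subnet}")
            if ip in owner:
                raise ValueError(f"{ip} is used by both {owner[ip]} and {tenant}/{vm}")
            owner[ip] = f"{tenant}/{vm}"
    return owner


def build_config(tenants: Dict[str, Dict[str, str]],
                 allowed: Dict[str, List[Tuple[str, str]]],
                 subnet: str = SUBNET, router: str = ROUTER) -> str:
    validate(tenants, subnet)
    lines = ["[ALIASES]", f"router {router}", ""]
    # One IPSET per tenant keeps membership readable and reusable in later rules.
    for tenant, vms in tenants.items():
        lines.append(f"[IPSET {tenant}]")
        lines.extend(f"{ip} # {vm}" for vm, ip in vms.items())
        lines.append("")
    # Rules are evaluated top to bottom: exceptions first, subnet-wide DROP last.
    lines.append("[RULES]")
    lines.append("IN ACCEPT -source router -log nolog # gateway may reach every VM")
    lines.append("OUT ACCEPT -dest router -log nolog # every VM may reach the gateway")
    for tenant, pairs in allowed.items():
        vms: Optional[Dict[str, str]] = tenants.get(tenant)
        if vms is None:
            raise ValueError(f"allowed pairs reference unknown tenant {tenant}")
        for a, b in pairs:
            if a not in vms or b not in vms:
                raise ValueError(f"{tenant}: pair ({a}, {b}) names an unknown VM")
            for src, dst in ((vms[a], vms[b]), (vms[b], vms[a])):
                lines.append(f"IN ACCEPT -source {src} -dest {dst} -log nolog "
                             f"# {tenant}: {a} <-> {b}")
    lines.append(f"IN DROP -source {subnet} -dest {subnet} -log info "
                 f"# everything else inside the subnet")
    return "\n".join(lines) + "\n"


def accept_rule_count(config: str) -> int:
    """Number of explicit ACCEPT exceptions in the generated [RULES] section."""
    return sum(1 for line in config.splitlines()
               if line.startswith(("IN ACCEPT", "OUT ACCEPT")))


if __name__ == "__main__":
    print(build_config(TENANTS, ALLOWED))
```

Two things to keep in mind when applying output like this: datacenter-level rules also apply to the Proxmox hosts themselves, so if a host's management address sits in the same subnet it needs its own alias exception ahead of the DROP, and VM-level filtering only takes effect on network devices that have the firewall option enabled.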
Thank you for all the suggestions. I will try VLANs and firewall to come to a resolution.

Hi again,
Very difficult problem to solve ...
IMHO, you have many problems to solve:
1- traffic isolation from tenant X to tenant Y
2- in the same tenant zone, some VMs must be reachable (2 VMs)
3- because you will have many VMs/tenants, you must authenticate any VM (so if a client changes his IP/gw he will not be able to have any traffic - very important if you do not want to get into trouble)
4- firewall/routing
Possible solutions:
1. VLAN, VXLAN, VPLS, and others (primary interface)
2. These VMs must be in the same isolation zone (VLAN, VXLAN, and so on), using a secondary interface for these VMs
3. pppoe, and maybe others ... on the primary interface (with default gateway for Internet access, IP/netmask)
4. On your border router, you can make only one rule to block inter-pppoe client routing (on Linux, using something like pppoe-name+ -> pppoe-name+ => Drop)
All these points only scratch the surface of a possible solution.
Good luck / Bafta !