Separating Traffic Among VMs

nazmul

New Member
Sep 7, 2022
Hi, I am trying to separate traffic among VMs. Creating a VLAN is one of the solutions, but if I have 100 VMs of 100 different customers, then I have to create 100 VLANs. Is there a better solution to this in Proxmox?
 
Hey,

you can add a firewall rule to drop/reject traffic in a subnet by setting the source and destination to the subnet. If your router should also be on the same subnet, you can add another rule (in front of the blocking one) that allows all traffic from and to the router.
(Datacenter -> Firewall -> Add)
 
Hi, thank you for your reply. I have explored the firewall rules; they are good, however I will be hosting 50-60 tenant VMs, so managing the firewall rules of all those VMs individually isn't going to be practical. Hence I am looking for a solution within Proxmox to better this. SDN along with VLAN may be a solution, but if I am hosting 50-60 VMs then managing traffic among those VMs is going to be quite challenging. I will host one company that will have 4 VMs, some of which will communicate with each other and some won't.
 
Hi,

Maybe an external PPPoE server could do the job. Each VM would use a PPPoE client.

Good luck / Bafta !
Hi, thank you for your suggestion. Do you have any documentation for this or any online article on it?
 
You can specify a whole network as dest/src; 192.168.1.0/24 would include all hosts from 192.168.1.1-254. So there is no need for a rule for every VM. You will, however, need a rule for every exception.
 
Ok, let's say I have 100 VMs from 40 tenants. Now each tenant may have up to 4 VMs. Among those four, two VMs will communicate with each other and the other 2 won't. Similar combinations such as these will apply to all other tenants and their VMs. Should I create specific subnets for all these?
 
Hi again,

Very difficult problem to solve ...

IMHO, you have many problems to solve:
1- traffic isolation from tenant X to tenant Y
2- in the same tenant zone, some VMs must be reachable (2 VMs)
3- because you will have many VMs/tenants, you must authenticate any VM (so if a client changes his IP/gw he will not be able to have any traffic; very important if you do not want to get into trouble)
4- firewall/routing

Possible solutions:

1. VLAN, VXLAN, VPLS, and others (primary interface)
2. These VMs must be in the same isolation zone (VLAN, VXLAN, and so on), using a secondary interface for these VMs
3. PPPoE, and maybe others ... on the primary interface (with default gateway for Internet access, IP/netmask)
4. On your border router, you can make only one rule to block inter-PPPoE clients (on Linux, using something like pppoe-name+ -> pppoe-name+ => Drop) routing

All these points only scratch the surface of a possible solution.

Good luck / Bafta !
 
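The two firewall replies above (one subnet-wide DROP with the exceptions placed in front of it) and point 3 of the list above (a VM must not be able to escape the rules by changing its IP) can be put together in a small generator for Proxmox VE firewall files. This is an added example, not code from the thread or from Proxmox: the tenant inventory and allowed pairs are constructed sample data, and the file paths follow the pve-firewall layout (`/etc/pve/firewall/cluster.fw` for cluster-wide IPsets and security groups, `/etc/pve/firewall/<vmid>.fw` for per-VM rules). It assumes each VM's NIC has `firewall=1` set, that the shared subnet and gateway are the ones in the constants, and that the VM's single interface is `net0`. The logged DROP rules give the administrator a record of cross-tenant attempts, and `ipfilter: 1` with an `ipfilter-net0` IPset pins each VM to its assigned address so the accept exceptions cannot be claimed by a VM that reconfigures its IP.

```python
"""Generate Proxmox VE firewall files for per-tenant VM isolation on one shared subnet.

Assumptions (not from the thread): the inventory below is constructed sample data,
the shared subnet and gateway are the constants here, every VM uses net0 with
firewall=1, and files go to the standard pve-firewall paths.
"""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.1.0/24")   # shared tenant subnet (constructed)
GATEWAY = "192.168.1.1"                            # router every VM may reach (constructed)

# Constructed sample inventory: tenant -> {vmid: ip}
TENANTS = {
    "acme":   {101: "192.168.1.10", 102: "192.168.1.11", 103: "192.168.1.12", 104: "192.168.1.13"},
    "globex": {201: "192.168.1.20", 202: "192.168.1.21"},
}
# Constructed exceptions: (tenant, vmid_a, vmid_b) pairs that may talk to each other.
# Everything else inside SUBNET is dropped by the single block rule in the security group.
ALLOWED_PAIRS = {("acme", 101, 102), ("globex", 201, 202)}


def validate_inventory():
    """Reject inventories the subnet-wide DROP would not cover or that cross tenants."""
    seen = {}
    for tenant, vms in TENANTS.items():
        for vmid, ip in vms.items():
            if ipaddress.ip_address(ip) not in SUBNET:
                raise ValueError(f"VM {vmid} ({ip}) is outside {SUBNET}; the block rule would miss it")
            if ip in seen:
                raise ValueError(f"{ip} is assigned to both VM {seen[ip]} and VM {vmid}")
            seen[ip] = vmid
    for tenant, a, b in ALLOWED_PAIRS:
        vms = TENANTS.get(tenant, {})
        if a not in vms or b not in vms:
            raise ValueError(f"exception ({a}, {b}) names an unknown VM or crosses a tenant boundary")
    return True


def peers_of(tenant, vmid):
    """IPs this VM is allowed to exchange traffic with, derived from ALLOWED_PAIRS."""
    peers = []
    for t, a, b in sorted(ALLOWED_PAIRS):
        if t != tenant:
            continue
        if vmid == a:
            peers.append(TENANTS[t][b])
        elif vmid == b:
            peers.append(TENANTS[t][a])
    return peers


def render_cluster_fw():
    """cluster.fw: one IPSET per tenant plus a security group with the shared rules."""
    lines = ["[OPTIONS]", "enable: 1", ""]
    for tenant, vms in sorted(TENANTS.items()):
        lines.append(f"[IPSET {tenant}]")
        lines.extend(ip for _, ip in sorted(vms.items()))
        lines.append("")
    # Rules match first-hit, so the router ACCEPT must precede the subnet-wide DROP.
    # Logging the DROP gives a detection record of cross-tenant attempts.
    lines += [
        "[group tenant_isolation]",
        f"IN ACCEPT -source {GATEWAY}",
        f"OUT ACCEPT -dest {GATEWAY}",
        f"IN DROP -source {SUBNET} -log warning",
        f"OUT DROP -dest {SUBNET} -log warning",
        "",
    ]
    return "\n".join(lines)


def render_vm_fw(tenant, vmid):
    """<vmid>.fw: pin the VM to its IP, list its exceptions, then apply the shared group."""
    ip = TENANTS[tenant][vmid]
    lines = [
        "[OPTIONS]", "enable: 1", "ipfilter: 1", "",
        "[IPSET ipfilter-net0]", ip, "",      # VM may only source traffic from this IP
        "[RULES]",
    ]
    for peer in peers_of(tenant, vmid):        # exceptions go in front of the block
        lines.append(f"IN ACCEPT -source {peer}")
        lines.append(f"OUT ACCEPT -dest {peer}")
    lines.append("GROUP tenant_isolation")      # router ACCEPT + subnet DROP from cluster.fw
    return "\n".join(lines) + "\n"


def render_all():
    """Map of file path -> content for every firewall file this inventory needs."""
    validate_inventory()
    files = {"/etc/pve/firewall/cluster.fw": render_cluster_fw()}
    for tenant, vms in TENANTS.items():
        for vmid in vms:
            files[f"/etc/pve/firewall/{vmid}.fw"] = render_vm_fw(tenant, vmid)
    return files


if __name__ == "__main__":
    for path, content in sorted(render_all().items()):
        print(f"# {path}\n{content}")
```

Per-VM files stay short regardless of tenant count because the shared rules live once in the security group; only the exceptions differ per VM. Whether cluster-level or VM-level rules apply to guest traffic depends on where the firewall is enabled, so the effective rule set for a VM is worth checking with `pve-firewall simulate` after changes.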
Thank you for all the suggestions. I will try VLANs and the firewall to come to a resolution.
 