[SOLVED] Simple SDN zone and Firewall

JF CASSAN

New Member
Nov 19, 2022
I would like to host a pair of web applications in LXCs on a server, with one unique public IP address.

I have created a simple zone in SDN and created a subnet 192.168.100.0/24.
LXCs are attached to the SDN zone, and they get their IP addresses.
LXCs have access to the internet, and to the LAN (this is unwanted).
I have 3 LXCs:
  1. The reverse proxy (caddy)
  2. App1, which listens for HTTP traffic on its own port
  3. App2, which listens for HTTP traffic on its own port

The internet router sends port 80 and 443 traffic to the Proxmox server.
Incoming traffic on ports 80 and 443 on the Proxmox server is forwarded to the reverse proxy using iptables NAT rules on the Proxmox server.

The reverse proxy (caddy) does the SSL termination and tries to route the traffic to the various application containers (as visible in the logs).

At this point:

- The communication between the reverse proxy and the containers is blocked
- The reverse proxy serves the external URLs, but fails to contact the application containers
- Each container can access the internet
- But each container can also access the LAN, which is unwanted

What am I doing wrong?
Is there a tutorial or comprehensible documentation I can read?

Thanks for your help
 
I have created a simple zone in SDN and created a subnet 192.168.100.0/24.
LXCs are attached to the SDN zone, and they get their IP addresses.
LXCs have access to the internet, and to the LAN (this is unwanted).
Dear,
I also noticed that the containers have access to the LAN (i.e. that of the Proxmox host). It defeats the purpose of zones being isolated from one another, doesn't it?
Can you explain to me at which level the _VNet_ of your created zone:
- allows the LXCs to access the Internet (since it is not bridged to any other interface, or am I missing something)
- allows the LXCs to access the LAN (for the same reason as above, or again, am I missing something).

The Proxmox SDN documentation states, for Simple Zones:
12.6.2 Simple Zones: This is the simplest plugin. It will create an isolated VNet bridge. This bridge is not linked to a physical interface, and VM traffic is only local on each the node. It can be used in NAT or routed setups.
_traffic is only local on each the node (sic.)_: does it mean there actually is some bridging between the VNet and the _node_'s main interface?

Also, would you be so kind as to provide more insight on how your setup properly works in the end (regarding your initial issue)?
Thank you in advance.
 
Upon further thinking, the keyword here is SNAT. I believe I get it now.
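As an added example that is not from this thread or from Proxmox: host-side iptables rules for the setup described above, assuming the caddy container sits at 192.168.100.10, the public IP lives on vmbr0 and the host's LAN is 192.168.1.0/24 (all three are assumptions, overridable through environment variables). It shows the DNAT step the original post mentions and the FORWARD rule that stops zone traffic from reaching the LAN while the zone's SNAT still gives it internet access.

```sh
#!/bin/sh
# Added illustration (not from the thread or from Proxmox): host-side iptables rules for a
# Simple zone 192.168.100.0/24 behind one public IP, with the caddy LXC as the only entry point.
# Without --apply the rules are only printed (dry run), so the script can be inspected safely.
ZONE_NET="192.168.100.0/24"
PROXY_IP="${PROXY_IP:-192.168.100.10}"   # assumed address of the caddy container
WAN_IF="${WAN_IF:-vmbr0}"                # assumed host bridge carrying the public IP
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN of the Proxmox host (to be blocked)

# Dry run prints each rule; a real run hands the same arguments to iptables.
rule() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf 'iptables %s\n' "$1"; else iptables $1; fi
}

apply_zone_rules() {
    # The OP's step: public-IP 80/443 is DNATed to the reverse proxy.
    rule "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:80"
    rule "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport 443 -j DNAT --to-destination $PROXY_IP:443"
    # Replies to flows the host already tracks.
    rule "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # From outside only the proxy is reachable, and only on 80/443; the destination has
    # already been rewritten by DNAT when the packet reaches FORWARD.
    rule "-A FORWARD -i $WAN_IF -d $PROXY_IP -p tcp -m multiport --dports 80,443 -j ACCEPT"
    # Proxy <-> app traffic stays inside the zone; allow it explicitly in case bridged
    # frames are handed to iptables (bridge-nf-call-iptables, which pve-firewall turns on).
    rule "-A FORWARD -s $ZONE_NET -d $ZONE_NET -j ACCEPT"
    # The zone must not reach the host's LAN. Order matters: -A appends and the first
    # match wins, so this DROP must precede the outbound ACCEPT below.
    rule "-A FORWARD -s $ZONE_NET -d $LAN_NET -j DROP"
    # Everything else from the zone may leave towards the internet via the zone's SNAT.
    rule "-A FORWARD -s $ZONE_NET -o $WAN_IF -j ACCEPT"
    # Anything else involving the zone is dropped.
    rule "-A FORWARD -s $ZONE_NET -j DROP"
}

if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
apply_zone_rules
```

Traffic between the proxy and the app containers never leaves the VNet bridge, so if it is still blocked after this, the Proxmox firewall settings on those containers' interfaces are the next place to look.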
 
