Simple SDN Zone default behavior

Surakshith
Jul 7, 2025
It's 2025 and I am using the latest Proxmox version, 8.4. I created 2 simple SDN zones, with VNets with different IP subnets in each, DHCP enabled and SNAT enabled.

But still my VMs in different SDN simple zones are able to communicate with each other by default. This defeats the whole purpose of me using SDN.

I cannot use other types of zones since the VLANs etc. need to be configured in physical switches, which is not possible for my use case.

Can anyone suggest a workaround with minimal changes, and most importantly one that can be achieved dynamically using the API calls?
 
You can enable the VM firewall and reject all the input traffic. (Under VM->Firewall->Options->Input Policy.)
 
Can you explain this and show the configuration of your simple zone please? What was your test and which IP net do you use?
 
Is inter-zone communication the default behavior of simple SDN zones, or is this a bug that will be resolved soon?
It should be isolated without NAT. The only way with NAT without firewall could be to create a VRF like for EVPN zones, but it'll need some route leaks with the main VRF, so I'm not sure it's easy without a routing daemon like FRR.
 
> Can you explain this and show the configuration of your simple zone please? What was your test and which IP net do you use?

I was trying to create an isolated network lab setup: each isolated lab (multiple sets of VMs) has its own unique simple zone and within it many VNets (completely different IP sets). DHCP is enabled; SNAT is also enabled for Internet access.

I noticed that with these configurations, VMs in different simple zones were able to communicate with each other (ping, SSH, RDP etc.; basically everything they do when they are connected to each other).

> It should be isolated without NAT. The only way with NAT without firewall could be to create a VRF like for EVPN zones, but it'll need some route leaks with the main VRF, so I'm not sure it's easy without a routing daemon like FRR.

Now, for me to isolate these VMs, as mentioned above in this thread, one of the easiest ways is to disable SNAT. But I won't have internet access; I think that is not a deal breaker for my use case. I cannot make use of the firewall because the creation of these setups needs to be done dynamically and firewall configurations add overhead.
 
I’m facing a similar issue: I need to create two simple SDN zones where the VMs in each zone cannot ping each other. However, VMs from different zones can still ping one another.


I tried enabling the Proxmox firewall to restrict this behavior, but I ran into problems. I’m not sure how to define rules that allow communication within the same zone’s subnet while blocking traffic between different zones. Also, enabling the firewall ends up blocking DHCP as well.
 
> I tried enabling the Proxmox firewall to restrict this behavior, but I ran into problems. I’m not sure how to define rules that allow communication within the same zone’s subnet while blocking traffic between different zones. Also, enabling the firewall ends up blocking DHCP as well.

Since simple zones are routed via the PVE host, you would need to restrict the traffic via host-level forward rules. We automatically generate IP sets for the SDN subnets, so it should be as simple as creating two DROP rules in the host forward chain with source/destination zone1/zone2 (two, because they need to be created for both directions).

For DHCP, you just need to allow the respective UDP ports on the PVE host (UDP port 67). You can restrict this to the respective SDN subnets as well.
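The host-level forward rules described in this reply, as an added example that is not code from the thread or from Proxmox: a small Python helper that builds the request bodies for POST /cluster/firewall/rules (one DROP per ordered pair of zones, so both directions are covered, plus the DHCP allow) and renders the equivalent cluster.fw text. The IPSET names (lab1, lab2), their subnets and the use of FORWARD rules (which need the nftables-based firewall) are assumptions.

```python
from itertools import permutations

# Constructed sample: two simple zones, each with its own VNet subnets.
# The IPSET names (the zone names) and subnets are assumptions for this example.
ZONES = {
    "lab1": ["10.1.0.0/24", "10.1.1.0/24"],
    "lab2": ["10.2.0.0/24"],
}


def ipset_entries(zones):
    """(ipset name, cidr) pairs to create via POST /cluster/firewall/ipset/<name>."""
    return [(zone, cidr) for zone, cidrs in zones.items() for cidr in cidrs]


def api_rules(zones):
    """Request bodies for POST /cluster/firewall/rules, one dict per rule.

    Every ordered pair of zones gets a FORWARD DROP rule (both directions);
    '+' references an IPSET. FORWARD rules need the nftables firewall (assumption).
    """
    rules = [{
        "type": "forward", "action": "DROP", "enable": 1, "log": "nolog",
        "source": f"+{src}", "dest": f"+{dst}",
        "comment": f"isolate SDN zone {src} from {dst}",
    } for src, dst in permutations(zones, 2)]
    # DHCP requests must still reach the PVE host itself (UDP 67/68 via the macro).
    rules.append({"type": "in", "action": "ACCEPT", "macro": "DHCPfwd",
                  "enable": 1, "log": "nolog", "comment": "DHCP for SDN subnets"})
    return rules


def render_cluster_fw(zones):
    """Render the same policy as /etc/pve/firewall/cluster.fw text."""
    lines = ["[OPTIONS]", "enable: 1", ""]
    for zone, cidrs in zones.items():
        lines += [f"[IPSET {zone}]", *cidrs, ""]
    lines.append("[RULES]")
    for r in api_rules(zones):
        if r["type"] == "forward":
            lines.append(f"FORWARD {r['action']} -source {r['source']} "
                         f"-dest {r['dest']} -log {r['log']} # {r['comment']}")
        else:
            lines.append(f"IN {r['macro']}({r['action']}) -log {r['log']} # {r['comment']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_cluster_fw(ZONES))
```

Traffic inside one zone never matches a rule whose source and destination are different IPSETs, so intra-zone communication is unaffected; after applying the rules, restart pve-firewall as noted later in the thread.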
 
I’ve fixed the issue — it turns out I just needed to restart pve-firewall after modifying the rules.
Here’s my current configuration in /etc/pve/firewall/cluster.fw:
```
[OPTIONS]
policy_in: DROP
enable: 1

[RULES]
IN ACCEPT -i vmbr0 -p tcp -dport 8006 -log nolog
IN DHCPfwd(ACCEPT) -log debug    # DHCP REQUEST
IN DNS(ACCEPT)     -log debug    # DNS REQUEST
```
Thanks a lot for your help!
Best regards,
 