Understanding security with 2 nics and 2 networks

sunghost

Active Member
May 27, 2011
Hi,
I use the current 2.3 and want to install a second NIC for WAN. Now I want to understand how secure Proxmox is and how the internal routing/bridging is built. E.g. for WAN to LAN:
WAN router 10.0.0.1 -> Proxmox 2nd NIC with firewall on 10.0.0.2 <-> Proxmox with KVM guests in 192.168.0.x and first NIC with 192.168.0.x to the internal hardware clients. Now the question is: what if I configure a VM guest in 192.168.0.x, or a hardware client in 192.168.0.x, to 10.0.0.3? Could this client directly connect to the WAN router? Hope you understand my thoughts... and bring light into the darkness.
 
Hi,
about security: a Linux bridge is like a network hub; all traffic is visible to all connected devices (on this bridge). But if the host doesn't look at the traffic (because no IP address is defined for this bridge), I would say it's secure.

You shouldn't run the firewall on the PVE host. The most secure way is to use a hardware firewall, but I have no problems with a software firewall (depends on the use case) inside a VM (use a firewall distribution like Devil-Linux, Vyatta and so on).

Simply define a second bridge to which the second NIC is connected (like vmbr2, or vmbr1000, because the net is 10.0.0) and use this bridge also for your VMs (and the firewall VM?).

Udo
 
Hello Udo,
nice place where you live ;) Sadly I can't send you a PM.
The firewall is just for testing; the final one will run standalone on its own system. If I understand it right, I shouldn't configure the WAN IP address on the PVE host; I should create a second bridge in PVE and enter the address range 10.0.0.0 for the whole 2nd NIC. This means all VMs which I create for this NIC will work in the 10.x LAN? How can I route the 192.x to the 10.x firewall only? I thought I would enter the PVE host as the gateway and it would route to the firewall, which routes it over the PVE to the WAN?? Right? How does the PVE know to route the 192.x traffic through the firewall on 10.0.0.10???

Hello Udo,

and thanks for your reply; where you live isn't far from here at all ;). Too bad there are no PMs here. Since German is easier for me, here is the text in German as well. So if I understand you correctly, I shouldn't make an interface entry for the 2nd NIC on the host? PVE shows me the 2nd NIC as present. I should configure it in PVE as a bridge with the fixed network range 10.0.0.0, so that I effectively have a 2nd network in PVE, right? All VMs I place there then get an IP from 10.x, right? PVE then takes over the routing, so as the gateway for the 192.x clients I only have to enter the PVE host, right? That way the traffic would go to the firewall. No, now I'm actually unclear how they would know that the FW is listening on 10.0.0.10, for example???
 

Hi,
sorry, this is an English-only forum.
If you don't assign an IP address to the bridge, the PVE host doesn't care about the traffic which runs over this bridge.
E.g. you have an entry like this in /etc/network/interfaces
Code:
# second NIC, no address on the host
auto eth1
iface eth1 inet manual

# bridge for the 10.0.0.x segment; the host has no address on it either
auto vmbr100
iface vmbr100 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
This means routing and so on must be done by other hosts (also to reach the PVE host on 192.168... if necessary).


Udo

PS: if you want to write a PM (and want a fast answer), use udo_@trashmail.de
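As an added example (not from Udo's post and not Proxmox's own tooling), here is a small POSIX shell audit of the layout Udo describes: a LAN bridge that carries the host's management address and a WAN bridge that is only `inet manual`. The sample /etc/network/interfaces, the names eth0/eth1/vmbr0/vmbr100 and the addresses are constructed for illustration. The script extracts each bridge's stanza, lists its ports, fails if the WAN bridge carries a host address (which would make the PVE host reachable from the WAN segment) or has no ports, and reports whether the kernel forwards IPv4, since with forwarding off the host cannot route between its two bridges by accident.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Proxmox. Audits an
# /etc/network/interfaces file for the two-bridge layout discussed above:
# a LAN bridge that carries the host address and a WAN bridge that is only
# "inet manual". All interface names and addresses below are assumptions.

# Constructed sample interfaces file (assumed layout, not a real host).
SAMPLE_INTERFACES=$(mktemp)
trap 'rm -f "$SAMPLE_INTERFACES"' EXIT
cat > "$SAMPLE_INTERFACES" <<'EOF'
auto lo
iface lo inet loopback

# LAN side: the PVE host is managed via this bridge
auto eth0
iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        gateway 192.168.0.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

# WAN side: second NIC, no host address; only VMs attached here see 10.0.0.x
auto eth1
iface eth1 inet manual

auto vmbr100
iface vmbr100 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0
EOF

# iface_stanza FILE IFACE: print the "iface IFACE ..." line and its options.
# A stanza ends at the next top-level keyword (iface, auto, allow-*, source, mapping).
iface_stanza() {
    awk -v want="$2" '
        /^[[:space:]]*(iface|auto|allow-[a-z]+|source|source-directory|mapping)[[:space:]]/ {
            inblock = ($1 == "iface" && $2 == want)
        }
        inblock { print }
    ' "$1"
}

# bridge_ports FILE IFACE: the ports enslaved to a bridge, space separated.
bridge_ports() {
    iface_stanza "$1" "$2" |
        awk '$1 == "bridge_ports" { $1 = ""; sub(/^[[:space:]]+/, ""); print }'
}

# host_has_address FILE IFACE: true if the host itself gets an address on IFACE
# (inet static or dhcp, or an explicit address line).
host_has_address() {
    iface_stanza "$1" "$2" | awk '
        $1 == "iface" && ($4 == "static" || $4 == "dhcp") { found = 1 }
        $1 == "address" { found = 1 }
        END { exit !found }
    '
}

# check_wan_bridge FILE BRIDGE: the WAN bridge must have ports but no host address.
check_wan_bridge() {
    wan_ports=$(bridge_ports "$1" "$2")
    if [ -z "$wan_ports" ]; then
        echo "FAIL: $2 has no bridge_ports, nothing is attached to it"; return 1
    fi
    if host_has_address "$1" "$2"; then
        echo "FAIL: $2 carries a host address, the PVE host is reachable from the WAN segment"; return 1
    fi
    echo "ok: $2 bridges $wan_ports without a host address"
}

# forwarding_enabled [SYSCTL_FILE]: true if the kernel forwards IPv4 between
# interfaces. Defaults to the live kernel value; a path can be passed for testing.
forwarding_enabled() {
    fwd_path=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$fwd_path" ] && [ "$(cat "$fwd_path")" = "1" ]
}

# Report on both bridges and verify the WAN side.
for br in vmbr0 vmbr100; do
    if host_has_address "$SAMPLE_INTERFACES" "$br"; then addr=yes; else addr=no; fi
    printf '%s: ports=[%s] host_address=%s\n' "$br" "$(bridge_ports "$SAMPLE_INTERFACES" "$br")" "$addr"
done
check_wan_bridge "$SAMPLE_INTERFACES" vmbr100
if forwarding_enabled; then
    echo "note: ip_forward=1, this host can route between its bridges"
else
    echo "ok: ip_forward is off, routing must happen in the firewall VM"
fi
```

Run it against the real file with `SAMPLE_INTERFACES=/etc/network/interfaces` substituted for the constructed one; a "FAIL" on the WAN bridge means the host has an address on the WAN segment, which is exactly what Udo advises against. Which bridge a given VM is attached to is recorded in the VM configuration, not in this file, so a VM on vmbr100 is on the same layer-2 segment as the WAN router regardless of what this audit says about the host.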
 
