VM network without seeing main router?

Joseph Chrzempiec

Jun 9, 2016
Hello, is it possible to give a VM internet access but not let that VM reach the network? So they can't type in a router address of any kind.

Edit: What I mean is to isolate a VM to the internet only and not the rest of the network, to other VMs or the router. I'm sorry, I'm by no means a Linux person or programmer, but I'm trying. So please forgive me if I'm phrasing this wrong.


Joseph
 
Last edited:
Hello, is it possible to give a VM internet access but not let that VM reach the network? So they can't type in a router address of any kind.

Edit: What I mean is to isolate a VM to the internet only and not the rest of the network, to other VMs or the router. I'm sorry, I'm by no means a Linux person or programmer, but I'm trying. So please forgive me if I'm phrasing this wrong.
What you are basically talking about is a DMZ. So a dedicated DMZ subnet where clients in that subnet can go online but have no access to your LAN subnet.
For that you will probably need an additional router because your ISP's router most probably won't be able to route/NAT between multiple subnets. If you are lucky, your router has something like a "guest mode" which you could activate for a specific Ethernet port. AVM routers, for example, have this, and stuff connected to this "guest port" will be in an isolated subnet with access to the internet but without access to your LAN. But at least with AVM routers you won't be able to create port-forwards to this guest subnet, so it's not that useful to host services and not a real alternative to getting an additional second router for a real DMZ.

One way to accomplish such a DMZ would be to run an OPNsense or pfSense VM on your PVE host. But that is not beginner friendly, even if everything can be done using a web UI.
 
Last edited:
  • Like
Reactions: gurubert
What you are basically talking about is a DMZ. So a dedicated DMZ subnet which can go online but has no access to your LAN subnet.
For that you will need an additional router because your ISP's router most probably won't be able to route/NAT between several subnets.

One way to accomplish such a thing would be to run an OPNsense or pfSense VM on your PVE host.


Hello, I'm not DMZ'ing anything. I have multiple VMs on Proxmox, all of them can access the internet. However, I want to isolate one of them just so it won't access the network but still be able to get on the internet.
 
However, I want to isolate one of them just so it won't access the network but still be able to get on the internet.
Which is also called a DMZ or a separate network (aka VLAN).

You could try to achieve something similar with Proxmox's built-in firewall feature. But this will not save you from a misconfiguration in the VM.
 
Last edited:
That's one of the great things a hardware router, like a pfSense or OPNsense, offers. But to really make use of it you also need a managed switch that supports tagged VLANs. I've got a lot of isolated subnets here so I can use the OPNsense firewall rules to manage which subnet might access what. A VLAN for guests, so I don't need to give guests access to my private services/data. An IoT VLAN so smart home stuff can't go online unless I allow specific IPs/domains, so they can't collect private data and send them to China or wherever that manufacturer sits and sells my data. A retro VLAN for old devices that won't get any updates any longer and therefore shouldn't be allowed to go online anymore (but which I still want to access locally). A DMZ VLAN for VMs that host services that should be accessible from the internet but shouldn't have the rights to access my LAN. A trusted LAN VLAN which can access all other VLANs and the internet. A VLAN just for management. There are basically endless possibilities to increase security and privacy by splitting your single LAN up into several separated subnets using VLANs, with the pfSense in the middle controlling what might be routed and what not.
 
Last edited:
  • Like
Reactions: UdoB
Hello
You can probably reach your goal using Proxmox firewall host rules for the VM you do not want to communicate with other VMs.
Create an IPSet with all your VMs except the one you talk about and create a rule on your VM to block all traffic going to that IPSet.
It's a stupid answer as VLAN or FW (pfSense or OPNsense) will carry this far better but it may work ...
Regards
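
The IPSet-plus-rule approach from the last reply, as an added example that is not part of the thread: it renders the two Proxmox firewall config sections and models which destinations the single rule would drop. All addresses and the IPSet name `lan_hosts` are constructed assumptions.

```python
import ipaddress

# Constructed sample addressing; none of these values come from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = "192.168.1.1"
OTHER_VMS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
IPSET_NAME = "lan_hosts"  # hypothetical IPSet name


def build_ipset(addresses):
    """Deduplicate and sort the addresses the isolated VM must not reach."""
    return sorted({ipaddress.ip_address(a) for a in addresses})


def render_cluster_fw(name, members):
    """IPSet section for /etc/pve/firewall/cluster.fw (datacenter level)."""
    return "\n".join([f"[IPSET {name}]"] + [str(m) for m in members]) + "\n"


def render_vm_fw(name):
    """Rules for /etc/pve/firewall/<VMID>.fw of the VM to isolate."""
    return f"[OPTIONS]\nenable: 1\n\n[RULES]\nOUT DROP -dest +{name}\n"


def verdict(dest, members):
    """Model the single OUT DROP rule; unmatched traffic hits the default
    outbound policy, which is ACCEPT."""
    return "DROP" if ipaddress.ip_address(dest) in members else "ACCEPT"


def uncovered_hosts(lan, members):
    """Count LAN addresses the IPSet does not list and the VM can still reach."""
    return sum(1 for host in lan.hosts() if host not in members)


if __name__ == "__main__":
    members = build_ipset(OTHER_VMS + [ROUTER])
    print(render_cluster_fw(IPSET_NAME, members))
    print(render_vm_fw(IPSET_NAME))
    # 203.0.113.7 is a documentation address standing in for an internet host.
    for dest in (ROUTER, "192.168.1.11", "192.168.1.50", "203.0.113.7"):
        print(f"{dest:15} {verdict(dest, members)}")
    print("LAN hosts not covered:", uncovered_hosts(LAN, members))
```

The rule matches the destination address, so internet traffic forwarded by the router still passes while the router's own address is blocked, and any LAN host missing from the IPSet (250 addresses in this sample /24) stays reachable. The rules apply only when the firewall is enabled at datacenter level and on the VM's network device.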