vmbr1 vm communication isolation

[Tsvyatko Kriviradev]

Hello ProxMox Forum,

I have the following setup:
VM1 to VM15 --> VLAN6 ---> vmbr1 ---> bond --> hw-swtich --> pfsense

I would like basically to prevent VM's member of same VLAN to communicate between each other, except the router. (I like to prevent any sniffing on L2 etc.)
On logical level I have few VM's having public IP's in same L2 and my physical pfsense.

I've see network where router/firewall is presenting itself as any mac address in the network.
Another option I've research is using ebtables block traffic on bridge level and allow only pfsense mac.


Based on those two links I found two possible solutions first is port isolation
https://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges

bridge link set dev tap1 isolated on

Now the bridge ports tap0 and tap1 won't be able to send or receive any packet to or from the other port, but will still communicate normally with any other port of the bridge. You can choose to isolate all ports except one, used in the role of default promiscuous/uplink port.

So in my case will be

ip link set dev tap0 master bond0

bridge link set dev tap105i0 isolated on

Second is using ebtables
https://stackoverflow.com/questions/32619904/linux-port-isolation-on-a-bridge-to-use-olsr-correctly

ebtables -P FORWARD DROP
ip link set br0 promisc on

Here I would use:

ebtables -P FORWARD DROP
ip link set bond0 promisc on

Can you suggest me a way to accomplish this?

 

[spirit]

Why don't you use proxmox firewall for this ? you can use ebtables for ip spoofing/mac address spoofing, and iptables for classic ip filtering.

Note that a vm can't see traffic of other vms. (or maybe only broadcast,arp, but not unicast traffic where destination ip is the ip of other vm).

So, if you can't spoof ip/mac, you are safe.

 

[Tsvyatko Kriviradev]

Thank you the suggestion.

I will think about this solution, I am still using my ProxMox Cluster without enabled firewall service.
However I may have to change this.

 

[Arvyr]

Mh, what you want is something like Private-VLANs.

I found this article that might be what you want:
https://docs.openvswitch.org/en/latest/howto/vlan/

 

[Tsvyatko Kriviradev]

Mh, what you want is something like Private-VLANs.

I found this article that might be what you want:
https://docs.openvswitch.org/en/latest/howto/vlan/

Hello,

Thank you for the suggestion. This exactly what I have right now.
There is only one place this design has issue.

VM1 to VM15 --> VLAN6 ---> vmbr1 ---> bond --> hw-swtich --> pfsense
VM5 to VM30 --> VLAN6 ---> vmbr1 ---> bond --> hw-swtich --> pfsense

I don't want VM5 to VM30 and VM1 to VM15 to see each other, because they are all members of the same VLAN where they can talk with my core router and they can receive public IP address from common DHCP pool.

What I need is called port isolation in the bridge itself, however I think OVS don't support native simple port-isolation.
Therefor I have to go for complicated OpenFlow setup.

So I am thinking what if I create one dedicated br3 just for the propose of port isolation?


So the only thing I have to do in Linux based Bridge is to mar my main bond (the connection wiht my pfsense) as master.
All the rest of the tap interfaces as isolated.

ip link set dev tap0 master bond0
bridge link set dev tap105i0 isolated on

This setup has one issue, there is no default behavior of the bridge to provide isolation by default for all target so I have just mark my bond0 once as master.

If I go with ebtables, this is solved. So I don't have to keep an eye on this or automate it.

3rd option will be with firewall rules.

I am looking for suggestion in case someone has such edge case to cover.