Why does assigning IPv4/CIDR to Network Device Gives VMs Access to Proxmox GUI?

ProdigyNerd

Jul 17, 2023
I'm trying to learn networking and security in my homelab and have been using Proxmox to run some labs. The goal of my network setup is to isolate Proxmox VMs into their own VLANs so that they're unable to scan/access other VMs or any other devices on my network (including the Proxmox GUI or SSH, for example). My interest is in regards to how my network behavior changes when I do or don't assign an IPv4/CIDR to my VLAN Network Device. For example,

Code:
auto vmbr0.31
iface vmbr0.31 inet static
        address 192.168.20.1/24
# Kali Linux vLAN

versus,

Code:
auto vmbr0.31
iface vmbr0.31 inet static
# Kali Linux vLAN

In both scenarios, my Kali Linux VM has access to the internet and my pfSense Router is able to assign an IPv4 Address in the correct subnet (192.168.20.1/24). However, when I explicitly give the network device an IPv4 Address, the VM is able to access the Proxmox GUI, SSH, and other host services which I thought would only be accessible from my management VLAN. Why is this? /etc/hosts only shows the IP for the "correct" management interface which is on a different VLAN and subnet.
 
All the services on the Proxmox host (GUI, SSH, etc) listen on all interfaces and all IP addresses.

If you do not want to have them respond to requests from specific IP networks you have to utilize the firewall on the Proxmox host.
 
What is called 'vmbr0' is both the name of a Linux Bridge and a (virtual) interface attached to that bridge which is used by your Proxmox Host.

So, any IP address you assign in your /etc/network/interfaces file is an IP address that your Proxmox Host can use - for routing packets or providing the GUI. As gurubert has said, by default your pveproxy service listens on all available IPs of your Proxmox Host.

So in your first example it is possible for all devices in VLAN 31 to access the Proxmox GUI on the IP 192.168.20.1.
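Both answers above come down to two things a practitioner wants to verify on the host: which services are bound to the wildcard address (and therefore answer on the VLAN address too), and a host firewall rule set that limits the GUI and SSH to the management subnet. The script below is an added example, not code from the thread or from Proxmox. It parses a constructed sample in the shape of `ss -tlnp` output rather than a live socket table, and it assumes a management subnet of 192.168.10.0/24, which the thread does not state; the Kali VLAN 31 subnet 192.168.20.0/24 is the one from the question.

```shell
#!/bin/sh
# Added example (not from the thread or Proxmox). Two checks for the
# situation described above:
#   1. which host services listen on the wildcard address, so they are
#      reachable on every host IP, including one assigned to vmbr0.31;
#   2. a Proxmox host firewall rule set restricting GUI/SSH to management.

# Constructed sample in the shape of `ss -tlnp` output (header omitted).
# On a real host, feed the live table instead:  ss -tlnp | wildcard_listeners
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:8006 0.0.0.0:* users:(("pveproxy",pid=1234,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=800,fd=4))
LISTEN 0 4096 127.0.0.1:85 0.0.0.0:* users:(("pvedaemon",pid=1200,fd=6))
LISTEN 0 4096 192.168.10.5:3128 0.0.0.0:* users:(("spiceproxy",pid=1300,fd=6))'

# Reads ss lines on stdin and prints "process port" for each socket bound
# to 0.0.0.0, [::] or * (i.e. reachable on every IP the host owns).
# Sockets bound to loopback or to one specific address are not reported.
wildcard_listeners() {
    awk '$1 == "LISTEN" {
        bind = $4
        port = bind; sub(/.*:/, "", port)
        addr = bind; sub(/:[0-9]+$/, "", addr)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
            proc = $NF
            sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
            print proc, port
        }
    }'
}

# Assumed management subnet (the thread does not give it); override via env.
MGMT_NET=${MGMT_NET:-192.168.10.0/24}

# Prints a rule set in the syntax of /etc/pve/nodes/<node>/host.fw:
# accept GUI (8006) and SSH (22) only from the management subnet, drop and
# log everything else aimed at those ports. Order matters: the first rule
# that matches wins, so the ACCEPT lines come before the DROP lines.
host_fw_rules() {
    printf '%s\n' \
        '[OPTIONS]' \
        'enable: 1' \
        '' \
        '[RULES]' \
        "IN ACCEPT -source $MGMT_NET -p tcp -dport 8006 -log nolog" \
        "IN ACCEPT -source $MGMT_NET -p tcp -dport 22 -log nolog" \
        'IN DROP -p tcp -dport 8006 -log warning' \
        'IN DROP -p tcp -dport 22 -log warning'
}

# Stand-alone run against the constructed sample.
echo "Services bound to all addresses:"
printf '%s\n' "$SAMPLE_SS" | wildcard_listeners
echo
echo "Suggested host.fw content:"
host_fw_rules
```

Against the sample, only pveproxy (8006) and sshd (22) are reported; pvedaemon on 127.0.0.1 and spiceproxy bound to a single address are not, which is the distinction the question is asking about. Rules in host.fw only take effect once the firewall is also enabled at datacenter level (/etc/pve/firewall/cluster.fw), and the built-in rules still admit 8006/22 from the subnet of the host's management interface (see `pve-firewall localnet`), so the DROP lines here only cover other subnets such as VLAN 31. An alternative to filtering is to stop pveproxy binding to the VLAN address at all, either by leaving the `address` line out of the vmbr0.31 stanza as the question itself considers, or with the `LISTEN_IP` setting in /etc/default/pveproxy.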
 
I think I get it now, thank you! I was under the assumption that Proxmox Services (i.e., GUI, etc) only listened to IPs defined in /etc/hosts. Is there a different purpose for this file then?

Is it then best practice to leave the "address X" portion out of the config for interfaces I don't want Proxmox Services to listen on, as well as add firewall rules to block this traffic? If so, I've noticed that adding these firewall rules to the PVE node does not succeed in blocking this traffic and they need to be added to each and every VM firewall. Is there something I'm missing there?

Thanks again for the help! I'm new to all this and having a great time learning. :)
 