Will my network isolation plan work?

busfactor (New Member), Jul 12, 2023
Hey all, I want to isolate a set of virtual machines. I don't want them to be able to reach any other device outside of its LAN, but I want them to be able to access the internet.

I have planned how to do it, but I am pretty new to this, so I am seeking advice.

Some useful information:
  1. Network CIDR in which the PVE server is located: 192.168.0.0/24
  2. The IP for the router which has access to the internet: 192.168.0.1
  3. The interface vmbr0 is attached to the only NIC I have, which is wired to the router (192.168.0.1)
The steps I am planning to follow:
  1. Create a new bridge interface (vmbr1 - 172.16.0.0/24)
  2. Create a pfSense VM
    1. Attach both interfaces into it (vmbr0 and vmbr1)
    2. Set its IP for the vmbr1 network to be 172.16.0.1
    3. Set it as the gateway for the vmbr1 bridge network
  3. Create a VM which I want to isolate (let's call it VM01)
    1. Attach the vmbr1 interface to it
  4. Configure pfSense to run as a NAT router for the vmbr1 network
  5. Drop all packets in which the source interface is vmbr1, the destination interface is vmbr0, and the destination IP is in a private CIDR range (e.g., 192.168.0.0/16)
Does it make sense? Is there an easier way to do it?
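As an added illustration of step 5 (not code from the thread), the following Python model evaluates the egress policy for a packet leaving a vmbr1 guest: traffic that stays on 172.16.0.0/24 never hits the rule, a blocked private range is dropped, anything else is NATed out. It compares the single 192.168.0.0/16 block from the post with a block of all three RFC 1918 ranges; the sample destinations are constructed.

```python
"""Model of the 'drop private destinations from vmbr1' rule in step 5.
Added example; ISOLATED_NET is the vmbr1 network from the post, the
sample destinations are constructed."""
import ipaddress
from typing import Iterable

ISOLATED_NET = ipaddress.ip_network("172.16.0.0/24")   # vmbr1 (from the post)
# All RFC 1918 ranges, not just the one the home LAN happens to use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The post's example rule: only 192.168.0.0/16 is blocked.
ONLY_HOME = [ipaddress.ip_network("192.168.0.0/16")]


def egress_decision(dst: str, blocked: Iterable[ipaddress.IPv4Network]) -> str:
    """Decide what the firewall does with a packet from a vmbr1 guest to dst.
    'local': destination is on the isolated LAN, the rule is never consulted.
    'drop':  destination falls in a blocked range.
    'nat':   forwarded out of vmbr0 towards the WAN."""
    ip = ipaddress.ip_address(dst)
    if ip in ISOLATED_NET:
        return "local"
    if any(ip in net for net in blocked):
        return "drop"
    return "nat"


def audit(flows: Iterable[str], blocked) -> dict:
    """Run every sample destination through the policy and collect verdicts."""
    return {dst: egress_decision(dst, blocked) for dst in flows}


# Constructed destinations: the pfSense gateway itself, a host on the home LAN,
# hosts on the two other private ranges, and a public resolver.
SAMPLE = ["172.16.0.1", "192.168.0.10", "10.0.0.5", "172.20.1.2", "1.1.1.1"]

if __name__ == "__main__":
    for dst, verdict in audit(SAMPLE, ONLY_HOME).items():
        print(f"block 192.168/16 only: {dst:>14} -> {verdict}")
    for dst, verdict in audit(SAMPLE, RFC1918).items():
        print(f"block all RFC 1918:    {dst:>14} -> {verdict}")
```

With only 192.168.0.0/16 blocked, a destination such as 172.20.1.2 is still NATed, so if the rest of the home network ever grows a 10.x or 172.x segment the isolation silently stops covering it; blocking all three ranges closes that gap without affecting internet access.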
 
Yes, that's a way to set up a DMZ. Did something similar here with my OPNsense VM, just that I also isolated them via VLANs.
 
I think that will work but it seems like doing it the hard way. I have my pfSense running outside of my proxmox node on one of these routers. I then have a managed switch and everything including my wireless access point hangs off the switch. I have 6 VLANs configured: trusted devices, Ring cameras, televisions, a guest network, my server management VLAN (only the proxmox node is on this one) and an untrusted zone for stuff I expose to the internet (through a cloudflare tunnel). That way I can have multiple VMs in any of those VLANs. I have Home assistant running in the same VLAN as the Ring cameras, I have Wordpress and Nextcloud in the untrusted zone behind a cloudflare tunnel so anyone from the internet can see them, I have a VM running Monica, Grocy, Mealie, and Photoprism running in the trusted devices VLAN, etc. All of the VLANs are isolated by firewall rules, so that the trusted zone can access everything, but all the other zones can only get to the WAN and nowhere else. I also have multiple SSIDs on my WAP, all segregated by VLANs as well. My kids all have to use the guest network so they can't monkey with my server.
 
When you have an isolated network, either by VLANs or by a bridge only connected to a firewall, all the VMs that are part of that isolated network can still communicate with each other. The point there is only that you want the VMs in a DMZ, so when a VM gets hacked, the attacker can't as easily access your other computers in your LAN, on the other network.
If you want the VMs to be unable to communicate with each other, you need to use the PVE firewall for each VM to limit who can access what.
 
What do you mean? The VMs can't reach each other? This is what I want to achieve also, but for this specific set I don't care if they see each other.

You can tag individual VMs to a specific VLAN when you create them or even afterwards. Once tagged to a specific VLAN, VMs will only be able to talk with other devices or VMs in the same VLAN, unless you configure an exception in your firewall rules (assuming the rest of your network and firewall rules are properly configured).
 
> You can tag individual VMs to a specific VLAN when you create them or even afterwards. Once tagged to a specific VLAN, VMs will only be able to talk with other devices or VMs in the same VLAN, unless you configure an exception in your firewall rules (assuming the rest of your network and firewall rules are properly configured).

This is indeed an option. The issue is that it blocks all outgoing connections to the internet also. I would have to hardcode IPs in the firewall since it's not VLAN-aware, correct?

Deploying a pfsense/opnsense seems more effort, but I think it gives me more flexibility and fewer hardcoded firewall rules every time I spin up something new.
 
You can give that *sense a virtual NIC on every bridge or alternatively let *sense manage all those VLANs over a single virtual NIC with tagged VLANs. Then the *sense can act as a gateway for that VLAN/bridge and NAT between the isolated network and the WAN. All you then have to do is set the *sense's IP as the gateway for all your guests.
 
> This is indeed an option. The issue is that it blocks all outgoing connections to the internet also. I would have to hardcode IPs in the firewall since it's not VLAN-aware, correct?
>
> Deploying a pfsense/opnsense seems more effort, but I think it gives me more flexibility and fewer hardcoded firewall rules every time I spin up something new.

Actually no. Everything in my network is VLAN aware (except maybe the cable modem). I manage my VLANs from within pfSense as shown by the firewall rules below. My 2.5GbE switch, my WAP, and Proxmox are all VLAN aware as well.

I have it set up such that from within an untrusted VLAN, devices cannot access the management console of pfSense, and cannot access other VLANs, but they can access the internet and anything else on the same VLAN. The VLAN "servermgmt" has only one device on it, my Proxmox node (I only have one server). So VMs in Proxmox can't even access the node, technically. I don't use the Proxmox firewall at all. All of my LXC containers and VMs are either in the home2ghz, home, or server VLANs. The only issue I have run into is with LXC containers. I have to set a DNS entry for them manually, as they don't seem to be able to see DNS using the default. The same is not true for VMs.

I also don't hard code IP addresses in my VMs. Everything is done as an address reservation based on the MAC address, within pfSense.

[Screenshot of the pfSense firewall rules: Screenshot 2023-07-13 124109.jpg]
 
