Creating an Isolated Network Inside Proxmox

There are many tutorials online about creating a separate subnet for your VMs, but very few about creating a network that is actually isolated.

This network needs to be completely isolated from the “main” or default network of Proxmox (the LAN behind vmbr0).

I have a web server that I really didn’t want to be able to access my other VMs.

Steps Taken

In Proxmox:
  • Open the shell of your Proxmox node (Datacenter > your node > Shell; the Datacenter entry itself has no shell)
  • Install dependencies: apt update && apt install libpve-network-perl ifupdown2 dnsmasq -y
  • Disable the system-wide dnsmasq service: systemctl disable --now dnsmasq. Proxmox starts its own dnsmasq instance per SDN zone to serve DHCP; the default instance would only conflict with it
  • Click on Datacenter > SDN > Zones
  • Create a zone of type Simple with the ID isol (for isolation). A Simple zone creates a bridge with no physical uplink, so VMs on it can only reach other networks through the Proxmox host’s routing
  • Click on the isol zone, check the Advanced checkbox, enable automatic DHCP, and click OK
  • Click SDN > VNets > Create
  • Name it isonet, select the isol zone and click Create
  • Click on isonet > Subnets (on the right hand side) > Create
    • Subnet - Give it a private IP subnet that does not overlap your LAN, like 10.0.5.0/24
    • Gateway - 10.0.5.1 (this address is assigned to the Proxmox host on the isonet bridge)
    • SNAT - Enabled (Proxmox generates the NAT rule that lets the subnet reach the internet through vmbr0)
    • DNS Prefix - Leave blank
    • Hit the DHCP Ranges tab and put in your usable addresses, i.e. 10.0.5.2 - 10.0.5.254
  • Click OK
  • Go back to the SDN menu option and hit Apply
  • Go to the VM’s Hardware > Network Device
  • Set the Bridge to isonet

Now we have a network in place and your VM should have gotten an IP via DHCP. However, it’s wide open: the Proxmox host routes (and SNATs) between isonet and vmbr0, so the VM can reach anything the host can reach, including the VMs and machines on your main LAN. We need iptables to sort the rest out.

iptables:
  • Open the shell of your Proxmox node again
  • Install iptables-persistent by running apt update && apt install iptables-persistent -y
  • Run the rules below, making sure you replace the interface names and subnets to match your setup (isonet is the VNet bridge, vmbr0 the bridge that leads to your LAN and the internet, 192.168.0.0/24 the LAN you want out of reach). The position numbers matter: the chain is evaluated top to bottom, so the two DROP rules have to sit above the final ACCEPT
iptables -I FORWARD 1 -i isonet -o vmbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i vmbr0 -o isonet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i vmbr0 -o isonet -d 10.0.5.0/24 -j DROP
iptables -I FORWARD 4 -i isonet -o vmbr0 -d 192.168.0.0/24 -j DROP
iptables -I FORWARD 5 -i isonet -o vmbr0 -j ACCEPT
  • Save your rules so they survive a reboot: netfilter-persistent save (this writes /etc/iptables/rules.v4 and rules.v6; iptables-save > /etc/iptables/rules.v4 does the same by hand for IPv4)
  • Reload them from the saved file to prove it works: systemctl restart netfilter-persistent (Debian has no iptables.service, so systemctl restart iptables just fails)
  • List the result with line numbers: iptables -L FORWARD -v -n --line-numbers

Two things these rules do not cover. They only filter routed traffic (the FORWARD chain); packets the VM sends to the Proxmox host itself at 10.0.5.1, such as SSH or the web UI on port 8006, go through the INPUT chain and are still allowed, so add INPUT rules for -i isonet if the host must be out of reach too. And only one LAN is listed; any other private network the host can route to (a second VLAN, a VPN) needs its own DROP rule above the ACCEPT.

And that’s it. Test it from the VM by pinging a host on the network you’re trying to block, and from a LAN host by pinging the VM: nothing should get through in either direction, but the VM should still have internet out. Ping only exercises ICMP, so also try a TCP connection (curl or ssh, for example) to a LAN address from the VM, and watch the packet counters of the DROP rules climb in iptables -L FORWARD -v -n.
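The same policy, written as a script that emits an iptables-restore file instead of a series of -I commands. This is an added example, not the commands from the post: it goes a bit further by blocking all three RFC1918 ranges rather than one LAN and by adding INPUT rules so the VM cannot reach the Proxmox host’s own services through the gateway address. The interface names (isonet, vmbr0), the subnet, the block list and the assumption that the VM resolves DNS through the host are all hypothetical; it also assumes the Proxmox firewall is not in use on the node, since it keeps its own chains in the filter table that a full iptables-restore replaces.

```shell
#!/bin/sh
# Added example (not the post's own commands): generate the filter rules for the
# isolated SDN bridge as an iptables-restore file, so the whole policy can be
# reviewed, kept in version control and loaded atomically on the Proxmox node.
# Interface names, subnets, the all-of-RFC1918 block list and the assumption that
# the VM resolves DNS through the host are hypothetical; adjust to your setup.

ISO_IF="isonet"        # SDN VNet bridge the isolated VM is attached to
UPLINK_IF="vmbr0"      # bridge the Proxmox host uses to reach the LAN and the internet
ISO_NET="10.0.5.0/24"  # subnet created on the isonet VNet

# Networks the isolated VM must never reach. Blocking the three RFC1918 ranges
# instead of a single LAN also covers VPN or VLAN networks the host can route to.
# Its own subnet is inside 10.0.0.0/8, but that traffic never leaves isonet for
# vmbr0, so the rule does not affect it.
BLOCKED_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the *filter table in iptables-restore syntax. Only this table is
# emitted; the SNAT rule Proxmox generates for the subnet lives in the nat
# table and is left untouched.
gen_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Host itself (INPUT). FORWARD never sees packets addressed to the gateway IP,
# so without these the VM could still reach sshd and the web UI on port 8006.
# DHCP (udp/67) is required for the lease; DNS only if the VM resolves via the host.
-A INPUT -i $ISO_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $ISO_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $ISO_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $ISO_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $ISO_IF -j DROP
# Routed traffic (FORWARD): replies to existing flows, nothing new from the LAN
# into the isolated subnet, nothing from it into private ranges, the rest out.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $UPLINK_IF -o $ISO_IF -d $ISO_NET -j DROP
EOF
  for net in $BLOCKED_NETS; do
    echo "-A FORWARD -i $ISO_IF -o $UPLINK_IF -d $net -j DROP"
  done
  cat <<EOF
-A FORWARD -i $ISO_IF -o $UPLINK_IF -j ACCEPT
COMMIT
EOF
}

# Ordering check on the generated text: the catch-all ACCEPT for isonet -> uplink
# has to be the last FORWARD rule, or any DROP placed after it would never match.
check_rules() {
  last=$(gen_rules | grep '^-A FORWARD' | tail -n 1)
  [ "$last" = "-A FORWARD -i $ISO_IF -o $UPLINK_IF -j ACCEPT" ]
}

# Run as root on the node: parse-check the file, then install and load it.
# /etc/iptables/rules.v4 is what netfilter-persistent restores at boot.
install_rules() {
  gen_rules > /etc/iptables/rules.v4.new || return 1
  iptables-restore --test /etc/iptables/rules.v4.new || return 1
  mv /etc/iptables/rules.v4.new /etc/iptables/rules.v4 || return 1
  iptables-restore /etc/iptables/rules.v4
}

if [ $# -gt 0 ]; then
  case "$1" in
    print)   gen_rules ;;
    check)   check_rules && echo "rule order OK" ;;
    install) check_rules && install_rules ;;
    *)       echo "usage: $0 print|check|install" >&2; exit 2 ;;
  esac
fi
```

Run sh isolate.sh print to review the file it would write, sh isolate.sh check to confirm the rule order, and sh isolate.sh install as root on the node to validate, install and load it; because the file lands in /etc/iptables/rules.v4, netfilter-persistent reloads the same policy at boot without a separate save step.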
