Comment on Feedback on Network Design and Proxmox VM Isolation
teslasaur@lemmy.world 10 months ago
By making a bridge in the OPNsense interfaces you have created a layer 2 network. This means that all the devices connected on that network are broadcasting their MAC addresses and are added to the ARP table on the OPNsense. Since they all are on the same physical network and the same subnet, none of the traffic will ever hit the layer 3 rules on your OPNsense.
If you want OPNsense to handle the rules of the traffic you will need to put the devices on different subnets and separate VLANs. Create a gateway address for every VLAN on the OPNsense and point your devices to the OPNsense as their gateway.
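The routing decision behind this comment, as an added example that is not part of the thread: a host only sends a packet to its gateway when the destination lies outside its own on-link prefix, so two VMs on one bridge and one subnet exchange traffic directly over ARP and OPNsense never sees it. The script compares the flat design with the VLAN plan proposed later in the thread (10=Servers, 20=PC, 30=IoT); all host names, VLAN IDs and addresses are constructed for illustration.

```python
"""On-link vs routed: why a single bridge/subnet bypasses OPNsense's layer 3 rules.

Added example for this thread, not code from any poster. Hosts, VLAN IDs and
addresses are constructed; the VLAN plan mirrors the one proposed in the thread.
"""
from ipaddress import IPv4Address, IPv4Interface


def next_hop(src: IPv4Interface, dst: IPv4Address, gateway: IPv4Address) -> str:
    """How `src` reaches `dst`: 'direct' (ARP on the segment, no router involved)
    when dst is inside src's on-link prefix, otherwise 'via <gateway>'.
    This is the ordinary host routing decision, nothing OPNsense-specific."""
    if dst in src.network:
        return "direct"
    return f"via {gateway}"


def traverses_firewall(src: IPv4Interface, dst: IPv4Address, gateway: IPv4Address) -> bool:
    """True only when the packet is routed through the gateway (OPNsense);
    only then can OPNsense's interface and firewall rules act on it."""
    return next_hop(src, dst, gateway) != "direct"


def bypassing_pairs(hosts: dict, gateway_of) -> list:
    """Ordered (src, dst) host pairs whose traffic never reaches OPNsense,
    i.e. pairs that share a layer 2 segment and subnet."""
    pairs = []
    for a, ia in hosts.items():
        for b, ib in hosts.items():
            if a != b and not traverses_firewall(ia, ib.ip, gateway_of(ia)):
                pairs.append((a, b))
    return sorted(pairs)


# Design A (constructed): one bridge, one subnet, OPNsense at 192.168.1.1.
FLAT = {
    "server1": IPv4Interface("192.168.1.10/24"),
    "pc1":     IPv4Interface("192.168.1.20/24"),
    "iot1":    IPv4Interface("192.168.1.30/24"),
}
FLAT_GW = IPv4Address("192.168.1.1")

# Design B (constructed): one VLAN and subnet per group, OPNsense owns .1 in each.
VLAN_PLAN = {"servers": 10, "pc": 20, "iot": 30}   # VLAN tag per group
SEGMENTED = {
    "server1": IPv4Interface("10.0.10.10/24"),      # VLAN 10
    "pc1":     IPv4Interface("10.0.20.20/24"),      # VLAN 20
    "iot1":    IPv4Interface("10.0.30.30/24"),      # VLAN 30
}


def gateway_for(iface: IPv4Interface) -> IPv4Address:
    """Convention used by design B: the first usable address of each subnet."""
    return IPv4Address(iface.network.network_address + 1)


if __name__ == "__main__":
    print("flat bridge, pairs that bypass OPNsense:", bypassing_pairs(FLAT, lambda _: FLAT_GW))
    print("per-group VLANs, pairs that bypass OPNsense:", bypassing_pairs(SEGMENTED, gateway_for))
    print("pc1 -> iot1 in design B goes", next_hop(SEGMENTED["pc1"], SEGMENTED["iot1"].ip,
                                                  gateway_for(SEGMENTED["pc1"])))
```

One caveat the script cannot show: the subnet split is only the VM's own routing decision. A VM that sits on an untagged bridge can give itself an address in another subnet or add a static route and talk to that subnet directly. What keeps the segments apart on the wire is the VLAN tag on the Proxmox vNIC (the `tag=` field of `netX`), so the addressing plan and the tagging have to match.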
Pete90@feddit.de 10 months ago
Ah, I did not know that. So I guess I will create several VLANs with different subnets. This works as I intended it: traffic coming from one VM has to go through OPNsense.
Now I just have to figure out if I’m being too paranoid. Should I simply group several devices together (e.g., 10=Servers, 20=PC, 30=IoT; this is what I see mostly being used) or should I sacrifice usability for a more fine-grained segregation (each server gets its own VLAN)? Seems overkill, now that I think about it.
atzanteol@sh.itjust.works 10 months ago
You’re definitely being paranoid. There’s little to gain from giving each machine its own network. You’re just overcomplicating things.
You can achieve your goal better by just using the host firewalls or the one in Proxmox. You can easily automate it with Ansible or Terraform if you want to centrally manage your VMs (and you do).
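A concrete shape for the per-VM Proxmox firewall alternative this comment suggests, as an added example that is not from the thread or from the Proxmox project: a small inventory rendered into the `/etc/pve/firewall/<vmid>.fw` files the Proxmox firewall reads, with a default-deny inbound policy and explicit allows per VM. Rendering from one inventory is what makes it manageable from Ansible or Terraform instead of by hand. The VM IDs, names, addresses and allowed flows are constructed; the `[OPTIONS]`/`[RULES]` layout and the `IN ACCEPT -source ... -p ... -dport ...` rule form follow the Proxmox VM firewall config syntax.

```python
"""Render per-VM Proxmox firewall configs from a central inventory.

Added example for this thread, not code from any poster or from Proxmox.
The inventory below is constructed. Output follows the /etc/pve/firewall/<vmid>.fw
format: an [OPTIONS] section and a [RULES] section of 'IN ACCEPT ...' lines.
"""
from dataclasses import dataclass, field


@dataclass
class Flow:
    proto: str      # "tcp" or "udp"
    port: int       # destination port on the VM
    source: str     # CIDR allowed to reach it


@dataclass
class Vm:
    vmid: int
    name: str
    inbound: list = field(default_factory=list)   # list[Flow]


def render_fw(vm: Vm) -> str:
    """Build the .fw file for one VM: enable the VM firewall, drop all inbound
    traffic by default, allow outbound, then list the explicit inbound allows."""
    lines = [
        "[OPTIONS]",
        "enable: 1",
        "policy_in: DROP",
        "policy_out: ACCEPT",
        "",
        "[RULES]",
    ]
    for f in vm.inbound:
        lines.append(f"IN ACCEPT -source {f.source} -p {f.proto} -dport {f.port} -log nolog")
    return "\n".join(lines) + "\n"


def render_all(inventory: list) -> dict:
    """Map each VM's config path to its rendered content (what a config
    management tool would write out to the cluster filesystem)."""
    return {f"/etc/pve/firewall/{vm.vmid}.fw": render_fw(vm) for vm in inventory}


def is_default_deny(fw_text: str) -> bool:
    """Sanity check a rendered file: VM firewall on and inbound policy DROP."""
    opts = fw_text.split("[RULES]")[0]
    return "enable: 1" in opts and "policy_in: DROP" in opts


# Constructed inventory: subnets reuse the 10=Servers / 20=PC / 30=IoT plan.
PC_NET, IOT_NET = "10.0.20.0/24", "10.0.30.0/24"
INVENTORY = [
    Vm(101, "server1", [Flow("tcp", 22, PC_NET),        # SSH only from PCs
                        Flow("tcp", 443, PC_NET),
                        Flow("tcp", 443, IOT_NET)]),    # IoT may reach HTTPS only
    Vm(102, "pc1", [Flow("tcp", 22, PC_NET)]),
    Vm(103, "iot1", []),                                # nothing inbound at all
]


if __name__ == "__main__":
    for path, text in render_all(INVENTORY).items():
        print(f"# {path}\n{text}")
```

Two things the file alone does not do: the Proxmox firewall only applies to a vNIC that has `firewall=1` set in its `netX` line, and the datacenter-level firewall has to be enabled as well, so the rendered files are inert until both are in place. Rules are evaluated top-down, so keep the allows specific (source subnet, protocol, port) rather than widening them to make a default-deny policy easier to live with.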