Setting up a separate network for your virtual machines is a great idea, especially since that allows you to segregate your management network. In class 13 of LearnLinuxTV’s Proxmox series, we’ll set up a new network and you’ll see how to set up your virtual machines to use it.
Hi Jay! Man, I love this series. I have used it for my own Proxmox home lab. However, this episode has/had me baffled over one part. Today I finally figured it out. I’m sharing it here so other people, who might run into the same question, can see my explanation and use the two solutions I found. (In the great Linux way, there are multiple ways to a solution.)
You are speaking of segregating the VM network from the management network. It is without a doubt a best practice. But I could not follow your setup, as you were entering an IP address with a .0 at the end. I tried your configuration of the bridge. With an IP address ending in .0 (classic broadcast address), with a ping, it doesn’t ping the address, which is good, as it is the broadcast address.
But with an arp scan I got the IP address with the MAC address.
What I found after some google-fu and reading a couple of man pages:
I found that a bridge doesn’t need an IP address. So I did not fill in an IP address at the bridge. I have VLANs for my network, so I enabled “vlan aware”. If your network doesn’t have VLANs, you don’t need to tick this box.
On the creation of the VM, use an IP address for the virtual network card within the range of your own network (or with a VLAN tag if you have VLANs).
So if you don’t assign an IP address to your bridge, your separation of VM and management networks is enabled. Mind you that you set an IP address on your bridge on the management network.
There is also a way to block access to the proxmox gui by configuring the pveproxy daemon.
(This daemon exposes the whole Proxmox VE API on TCP port 8006 using HTTPS).
manpage pveproxy
Host based Access Control
It is possible to configure “apache2”-like access control lists. Values are read from file /etc/default/pveproxy. For example:
IP addresses can be specified using any syntax understood by Net::IP. The name all is an alias for 0/0 and ::/0 (meaning all IPv4 and IPv6 addresses).
Hope you guys can use this to your own advantage.
Cheers!!
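An added example, not part of the comment above and not Proxmox code: a small Python model for checking a `/etc/default/pveproxy` access list against client addresses before applying it, so a rule set that would lock out the admin workstation is caught first. The `ALLOW_FROM`, `DENY_FROM` and `POLICY` keys and the match precedence are assumed from the pveproxy man page's policy table; the addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of /etc/default/pveproxy (addresses are illustrative).
SAMPLE = '''
ALLOW_FROM="192.168.10.0/24,10.0.0.1-10.0.0.5"
DENY_FROM="all"
POLICY="allow"
'''

def parse_acl(value):
    """Turn a comma-separated ALLOW_FROM/DENY_FROM value into networks."""
    nets = []
    for item in filter(None, (p.strip() for p in value.split(","))):
        if item == "all":        # alias for 0/0 and ::/0
            nets += [ipaddress.ip_network("0.0.0.0/0"),
                     ipaddress.ip_network("::/0")]
        elif "-" in item:        # address range, e.g. 10.0.0.1-10.0.0.5
            first, last = (ipaddress.ip_address(x.strip())
                           for x in item.split("-", 1))
            nets += ipaddress.summarize_address_range(first, last)
        else:                    # single address or CIDR prefix
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def parse_config(text):
    """Read KEY="value" lines; POLICY defaults to allow (assumed default)."""
    cfg = {"ALLOW_FROM": "", "DENY_FROM": "", "POLICY": "allow"}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip().strip("\"'")
    return cfg

def is_allowed(cfg, client):
    """Assumed precedence: a match on exactly one list decides;
    a match on both lists, or on neither, falls back to POLICY."""
    ip = ipaddress.ip_address(client)
    def hit(key):
        return any(ip.version == n.version and ip in n
                   for n in parse_acl(cfg[key]))
    allow, deny = hit("ALLOW_FROM"), hit("DENY_FROM")
    if allow != deny:
        return allow
    return cfg["POLICY"].lower() == "allow"

if __name__ == "__main__":
    cfg = parse_config(SAMPLE)
    for client in ("192.168.10.20", "10.0.0.6", "2001:db8::1"):
        print(client, "allowed" if is_allowed(cfg, client) else "denied")
```

Under that precedence, keeping `DENY_FROM="all"` while switching to `POLICY="deny"` denies every client, including the ones listed in `ALLOW_FROM`, so test the management workstation's address before restarting `pveproxy`.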