Dear Proxmox users,

I set up a 3-node PVE cluster (PVE 7.1). Now I wonder if and how to configure a firewall. Therefore I would like to know your opinion on "best practice":

a) Don't use PVE firewall and set up firewalling on each guest machine
b) Use PVE firewall instead of firewalling on guest machines

Basically, I have the impression that (b) is the better option for me, as it is easier to configure the firewall for all guests in a central location.

First of all, I'd like to know if the implementation of the PVE firewall is reliable, or if it is to some degree buggy and thus leads to problems. What is your experience?

Moreover, I wonder if the firewall is compatible with OVS. I have the following interfaces set up with OVS:

enp3s0 (10GBit Storage network)
enp1s0
enp2s0
bond0 (LACP, consisting of enp1s0 and enp2s0)
vmbr0 (Bridge on top of bond0)
vlan1 (on top of vmbr0, PVE management network)
vlan200 (on top of vmbr0, alternative PVE management network)
tapxxxx several guest network devices

In some way the PVE firewall has to know that it has to apply its rules on the host level on vlan1 / vlan200 - how does it know that?

What exactly would happen if I enable the firewall on the datacenter level? Will it block any network interfaces, even the storage network? I happened to try it out - basically I expected that I would be locked out of the management; however, it did nothing?

Any best practices?

Best Regards,
Hermann

--
Hermann Himmelbauer
Martinstraße 18/2
3400 Klosterneuburg
Mobile: +43-699-11492144
E-Mail: [email protected]
GPG/PGP: 299893C7 (on keyservers)
