Proxmox Firewall Setup [Single NODE or CLUSTER] | Proxmox Home Server Series

Captions
Hello everyone, and thank you so much for watching. This is me, Mr P, and this is another episode in the Proxmox Home Server Series. In this video I will talk to you about the Proxmox firewall. There are three places where you can set up a firewall inside a Proxmox server: under Datacenter, if you scroll down inside your option list, you will find an option for Firewall; the same option shows up under your nodes or node, depending on whether you run Proxmox as a cluster or as a single node; and there is one underneath your LXC container or VM. The way the firewall works inside a Proxmox server is in three stages, or three separate instances. The datacenter firewall has a global effect across the entire Proxmox server or Proxmox cluster. The node firewall takes effect only for that node: whatever rules I set up for pve1, the same rules won't work for pve2, as they won't show up there. And the third one is inside the LXC container or VM: whatever rules you set up inside the LXC container or VM will function only for that specific instance; they will not function inside the node or the datacenter.

To demonstrate one of the use cases for this kind of setup with the firewalls inside Proxmox, I will use what I set up in one of my previous videos. Under Datacenter, if I scroll down, there is an option for Permissions and then Users. In one of the previous videos I gave you a demo of how to create a user and how to grant access for that user to one of your VMs or LXC containers. So I have a user, Frank, with his custom role to access that VM or LXC container, and he has his own LXC container that he can access via his browser. When Frank accesses our Proxmox server, he has access only to this LXC container, and he can go and use the LXC container as he wants: he can go and ping Google or Cloudflare, he can go and ping Google DNS server, to be exact, and he can go and update packages and install packages. But one thing that I don't like about this kind of setup is that Jeff, not Jeff, Frank, has access to ping my local devices. For example, I'm right now pinging the VM which runs my Docker containers, and if somebody gets access to Frank's account, basically Frank's account gets compromised and someone gains access, they can scan my local network and then try to brute-force SSH into VMs and other devices. For example, if I use Frank's account to access his LXC container and try to SSH into the VM which hosts all my Docker containers, here we go, I can access my Docker VM via Frank's account. I don't like that. I would like that to be restricted so that Frank only uses the LXC container to access the internet, but he doesn't have access to the rest of my local network. This is why we're going to use firewalls right now, and I will show you how to set them up.

Setting up the firewall when you have Proxmox with a single node and Proxmox as a cluster is slightly different. The Proxmox cluster requires a couple more extra steps to get done. I'll show you both ways: I will explain what you need to do when you have only one node and what you need to do when you have multiple nodes. So step one is going into Datacenter and scrolling down until you find Firewall; there should be more options underneath, so click on the triangle to reveal more. If you click on Options, it says Firewall: No, which means the firewall is offline, and Input Policy: DROP, which means that if I turn this on, the default incoming traffic policy is drop. If I turn this on without setting up my first rule inside the datacenter firewall, I will lose access to my dashboard, and I'm just going to have to physically go and connect to the server via CLI and try to resolve it that way. So before you turn this on, leave this as Firewall: No, go into the Firewall option, click Add, and we need to set up our first firewall rule to allow access to the dashboard. So the traffic direction will be in, incoming traffic will be accepted, the interface is vmbr0 (why I picked vmbr0 I will show you in a second), then this rule will be enabled, and the destination will be 8006; 8006 is the default port number for the web GUI of a Proxmox server. So incoming traffic will be accepted if it's coming via the vmbr0 interface, regardless of where it came from, as long as the destination is 8006 and the protocol is TCP, which means that access needs to be happening via the HTTP or HTTPS protocol. And we're going to click Add.

So once that's added, before I turn this on, I will show you how to find out if it is vmbr0. If you click on your Proxmox node, under System you will find an option called Network. Click on that, and here we go: on the line where you find the IP address that you're using to access your Proxmox web GUI, at the beginning, under the Name column, you will find the name of your interface. I would say 9 out of 10 times this will be vmbr0; unless you installed Proxmox with very specific and custom configurations, most likely this is going to say vmbr0, and it is the same on pve2 and pve3. So once I confirm that they are all vmbr0, I can go back into Datacenter, and if you're running a single-node Proxmox setup, so only one node, not a cluster, you can turn this on. If you're running Proxmox as a cluster, you need to do extra steps.

Proxmox nodes one, two and three are linked between each other, and I'm using Ceph for the storage. So if I click on pve1 and scroll down under Ceph, if I click on that I can see my Ceph cluster is healthy and Ceph can see each monitor and manager. If I click on a monitor, here we go, there is a specific port that Ceph uses to communicate: pve1, 2 and 3 are communicating between each other via port 6789. And if I click on a node and click on the firewall options, the default entry is Firewall: Yes. The datacenter firewall setting, under Datacenter, Firewall and Options, you can treat as a global switch. If I click on pve1, go under Options and want to turn this off, I'll get a warning saying that the firewall at the datacenter level is turned off. So the datacenter firewall switch has a global effect. If you switch that on without properly setting up the nodes inside your Proxmox cluster for Ceph communication, Ceph will stop functioning. So right now we need to go and set that up.

There are multiple ways you can specify the Proxmox nodes. I will show you the more specific one, where I'm going to specify the exact IP address, but you can do it as a wildcard, and I'll show you how. So I have pve1, which ends with the 87 IP address, pve2 is 98 and pve3 is 82; so 87, 98 and 82. Under Datacenter I scroll down, and under Firewall there are more options showing up here: IPSet. If I click on that, I'll create the first IP set. An IP set is more like a list: instead of writing the IP addresses every time, basically going through the same step, entering the same IP address over and over and over again, you can create an IP set. So I'm going to name this proxmox cluster, and in the comment I'm going to say Mr P Channel cluster... oh, I can't type today... cluster nodes, like that. So I have my IP set, proxmox cluster, and a comment, and now on the right-hand side I can specify the IP address CIDRs. So the first IP address is 192.168.178.98, I do believe; I already forgot: 98, 82 and 87. So the next one is going to be 82 and the next one is going to be 87. That's fine. Let's say, for example, 87 is pve1, so I can double-click and say in the comment that this is pve1, so we can name them; 82 is going to be three. And here we go, I have all my nodes specified, so instead of entering the same IP addresses over and over again I can specify the IP set list.

Next I will click Alias and I will create two records. The first record will be Gateway; this is basically the IP address of your router. This will allow the nodes to access the internet, download updates, etc. And for the next one I will type just NUC, and this is going to be the IP address of the computer that I'm right now using to record this video. This way I will make sure that I still have SSH access to any of these nodes if I need to go and do maintenance on them, etc. So right now I have an IP set created with all three nodes and aliases added in. When I mentioned the wildcard: you can create a wildcard, for example localnet, like that, and enter the IP address of your local network as the subnet. So right now what that means is that any local IP address, any local device, has access to one of these nodes, and every node can communicate with each other. I will leave that in and will show you how to set this up. So this is all done.

So the next thing we need to do is go under pve1. Though, by the way, there is an option to create a security group, which basically means that you predefine the firewall options and then you can add the security group per each node, but this requires a few more steps; I'm just going to show you a simpler way. So under pve1, if I go in and click on Firewall, I will add the first rule. The first rule means that any traffic in, as long as the source is the local Proxmox cluster, so traffic from the Proxmox cluster nodes, will be accepted. An interface you don't need to specify in this case. So all traffic incoming from any of these nodes into pve1 (technically it makes it like pve1 will try to connect to itself, but that's just the way the list is set up), so nodes two and three have access to node one. Add. Next, outgoing traffic is accepted as long as the destination is my gateway; that means that outgoing traffic is accepted. And incoming traffic is accepted as long as the source is NUC: accept. I can be more specific and add SSH here, which means the NUC only has access via SSH, but I'm just going to leave it so that the NUC computer has full access to this node one.

OK, so basically going quickly through the list, I'm just going to make sure that they're in order, because ordering is very important: outgoing traffic is accepted, incoming traffic but from NUC is accepted, and like this, incoming traffic from the Proxmox cluster is accepted. Now I need to repeat all these three steps per each node. So right now every node has exactly the same rules set up: node three has accept traffic out, in from any Proxmox cluster node, and then if it's NUC; and the same here, and the same here. So that means that right now incoming traffic is accepted as long as it's coming from one of these nodes or my NUC, and outgoing traffic is accepted because I want to make sure I get updates coming in to the nodes. So once all the nodes have exactly the same firewall rule setup, I can go to Datacenter, scroll down, double-check that I have in accepted on vmbr0 via port 8006, go to Options and turn this on. Once this is on, it takes about 5 seconds to take effect. Let's refresh. That's happened, and I still have access to the dashboard, so that's great; the datacenter firewall is working correctly. Let's check what the nodes are doing. So if I go to Ceph, there is no warning showing up, it's actually a relief, and everything is clean, so it means that the nodes communicated with each other with no problems. And let's right now click on, for example, node two; I'll go to Updates, click Refresh, click OK, and let's see if it's going to hit the internet and fetch the list of new packages. Task is completed, so it does have access to the internet to retrieve the updates. And my NUC: let's quickly run CMD and let's see if I can SSH into one of the nodes, let's say, for example, let's take the pve... not pve2... 98, yes. And I do have access to pve2, so my NUC is accepted; the Proxmox cluster, or nodes, are accepting traffic from my computer. So once everything is set up, right now we can go and set up the rules on Frank's LXC container to make sure that Frank doesn't have access to local devices.

I click on Frank's LXC container, and now, inside Firewall and Options, currently it's off, input policy is drop and output policy is accept. So right now what I need to do is click on Firewall and add the first rule: incoming traffic is accepted, which means that any traffic coming in is accepted. Any traffic going out to the source of Gateway is accepted. And, add, any traffic going out will be rejected if the destination is my local network, localnet; if I click on this, that local network is the alias we created under Datacenter, Firewall and then the alias list. So localnet represents every single device in my network, but every single device in the network includes the router as well. This is why, like I said, the ordering is very important: first of all we accept the traffic in, we accept the traffic out to the internet, and we reject the traffic to the local network. The way it works is that first of all, all the traffic in will be accepted, and if the LXC container tries to access anything, let's say google.com, it will go via the gateway and it will work; but if the LXC container tries to access, let's say, my Docker VM with the IP address ending 124, it will skip to rule number two, and as this one says, reject. So once that's set, under Options for this LXC container's firewall, I will turn this on. So this is on. Let's go back to Frank's browser and refresh; this usually takes about 5 or 6 seconds to take effect for the firewall. And right now, let's go and try to ping Cloudflare DNS: Cloudflare DNS is working. Let's try to ping my router, which is like that, and obviously right now it says not working. So no, it's not Source, sorry, it needs to be Destination Gateway; there we go, I messed up. And now go back to Frank, let's try again, here we go, now it's working. So the ping to Cloudflare does work, ping to my gateway is working, what about ping to my Docker VM? It's not working. So if I go to the command where I try to SSH into my Docker VM and press enter: connection refused. The firewall is blocking the connection from the LXC container to the local network; only the gateway, only the router, is accepted, everything else is rejected. And yes, I made a little mistake here, adding this one in the wrong place.

If you want to go and mess around with the firewall and you're afraid that you're going to break your Proxmox server, I did a video on how you can create a Proxmox sandbox; I will leave a link to that video in the description below. A Proxmox sandbox is nothing else than a virtualized Proxmox inside Proxmox: you virtualize a Proxmox instance inside your main Proxmox server, and you can go into that sandbox Proxmox setup and mess around with the firewall without fear that you're going to break your main Proxmox cluster or Proxmox server. This is how I learned everything, this is how I try to teach myself everything. I'm not going straight away to my main Proxmox instance; I always go to a sandbox, mess around there, break it, fix it, learn it, correct it, and once I'm confident and capable to set everything up and I know that what I'm about to set up will not break, then I move stuff to, let's say, production. So you get yourself a staging Proxmox setup inside the Proxmox host.

Anyway, so that's it, a quick rundown. Under Datacenter we have a firewall turned on, because it's a global effect across your Proxmox server, but before turning this on we created the first rule which allows HTTP or HTTPS traffic to the dashboard; without this rule I won't be able to access the dashboard or web GUI anymore. And if you're running a Proxmox cluster, before switching this on you need to make sure that each node has specific rules added which allow node-to-node communication, most specifically Ceph, and add your main computer as in accepted, just for you to be able to SSH into each of the nodes; and outgoing traffic is accepted as long as the destination is the internet, in this case my gateway. The same rules need to be applied across the board. Once all this is done, you can go and switch the firewall on under Datacenter and Options, and once that's on you can go and set up other rules. There are multiple ways you can set this up; what I just did now, like I said, you can go inside Datacenter, Firewall and Security Groups and create a security group there that you add once and that is it. There are multiple, multiple ways you can get this done; just please make sure that you do the steps in the right order, otherwise you'll lose access to your Proxmox server, and if you're not sure, like I said, set yourself up a Proxmox sandbox to go and test it out. Anyway, thank you so much for watching, I hope you enjoyed this video, I hope you found this video helpful, and like always, I'll see you in the next video. Goodbye.
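One way to sanity-check the ordering points made in the video before switching a firewall on, added here as an example (this is not code from the video, and not Proxmox's own tooling): a small Python first-match evaluator for the `.fw` text files that pve-firewall stores under `/etc/pve/` (the datacenter `firewall/cluster.fw`, each node's `nodes/<name>/host.fw`, and one `firewall/<vmid>.fw` per guest). It parses the `[OPTIONS]`, `[ALIASES]`, `[IPSET name]` and `[RULES]` sections, resolves aliases and `+ipset` references, and walks the rules top to bottom the way the firewall does, falling back to the default policy (DROP in, ACCEPT out) when nothing matches. The sample files, the addresses, the `nuc` alias, the `proxmox-cluster` IP set name, the Docker VM's `.124` and the container's `.200` addresses are constructed for the example; the file syntax and rule options (`-source`, `-dest`, `-p`, `-dport`, `-i`) follow the format pve-firewall writes, and only a tiny subset of its macros is modelled.

```python
"""First-match evaluator for Proxmox VE firewall (.fw) files, to check rule order offline.
Added example, not code from the video or from Proxmox; it reads the text format that pve-firewall
keeps under /etc/pve/. The sample files below are constructed to mirror the video; addresses are made up."""
import ipaddress
import re

MACROS = {"SSH": ("tcp", "22"), "Ping": ("icmp", None)}  # tiny subset of the macros pve-firewall ships
FLAGS = {"-source": "source", "-dest": "dest", "-p": "proto", "-dport": "dport", "-i": "iface"}

def parse_fw(text):
    """Parse one .fw file into {'options', 'aliases', 'ipsets', 'rules'}."""
    fw, section, ipset = {"options": {}, "aliases": {}, "ipsets": {}, "rules": []}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                       # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"\[(\w+)(?:\s+(\S+))?\]$", line)
        if header:
            section = header.group(1).upper()
            if section == "IPSET":
                ipset = fw["ipsets"].setdefault(header.group(2), [])
        elif section == "OPTIONS":
            key, value = line.split(":", 1)
            fw["options"][key.strip()] = value.strip()
        elif section == "ALIASES":
            name, cidr = line.split()
            fw["aliases"][name] = cidr
        elif section == "IPSET":
            ipset.append(line)
        elif section == "RULES" and not line.startswith("|"):    # a leading '|' disables a rule
            direction, action, *opts = line.split()
            rule = {"direction": direction, "action": action}
            macro = re.match(r"(\w+)\((\w+)\)$", action)           # e.g. SSH(ACCEPT)
            if macro:
                rule["action"] = macro.group(2)
                rule["proto"], rule["dport"] = MACROS[macro.group(1)]
            rule.update((FLAGS[f], v) for f, v in zip(opts[::2], opts[1::2]) if f in FLAGS)
            fw["rules"].append(rule)
    return fw

def resolve(spec, cluster):
    """Expand an alias, +ipset, CIDR or comma-separated list into ip_network objects."""
    nets = []
    for item in spec.split(","):
        entries = cluster["ipsets"][item[1:]] if item.startswith("+") else [cluster["aliases"].get(item, item)]
        nets += [ipaddress.ip_network(e, strict=False) for e in entries]
    return nets

def first_match(fw, cluster, direction, src, dst, proto="tcp", dport=None, iface="vmbr0"):
    """Action of the first rule that matches the packet, else the file's default policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in fw["rules"]:
        if r["direction"] != direction or r.get("iface", iface) != iface or r.get("proto", proto) != proto:
            continue
        if r.get("dport") and dport != int(r["dport"]):           # single port only; ranges not handled
            continue
        if any(spec in r and not any(ip in n for n in resolve(r[spec], cluster))
               for spec, ip in (("source", src_ip), ("dest", dst_ip))):
            continue
        return r["action"]
    key, default = ("policy_in", "DROP") if direction == "IN" else ("policy_out", "ACCEPT")
    return fw["options"].get(key, default)

CLUSTER_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
[ALIASES]
gateway 192.168.178.1    # router
nuc 192.168.178.50       # admin workstation
localnet 192.168.178.0/24
[IPSET proxmox-cluster]  # cluster nodes
192.168.178.87 # pve1
192.168.178.98 # pve2
192.168.178.82 # pve3
[RULES]
IN ACCEPT -i vmbr0 -p tcp -dport 8006 -log nolog
"""
HOST_FW = "[RULES]\nIN ACCEPT -source +proxmox-cluster\nOUT ACCEPT -dest gateway\nIN SSH(ACCEPT) -source nuc\n"
CT_FW = "[RULES]\nIN ACCEPT\nOUT ACCEPT -dest gateway\nOUT REJECT -dest localnet\n"
# Same container rules, last two swapped: 'gateway' lies inside 'localnet', so the REJECT now shadows the ACCEPT.
CT_FW_WRONG = CT_FW.replace("OUT ACCEPT -dest gateway\nOUT REJECT -dest localnet",
                            "OUT REJECT -dest localnet\nOUT ACCEPT -dest gateway")

def gui_reachable(cluster_text):
    """Would the datacenter firewall still admit the web GUI (TCP/8006 from the NUC) once enabled?"""
    cluster = parse_fw(cluster_text)
    return first_match(cluster, cluster, "IN", "192.168.178.50", "192.168.178.87", "tcp", 8006) == "ACCEPT"

def node_verdicts(host_text):
    """Inbound to pve1: the Ceph monitor port from pve2, SSH from the NUC, SSH from a container."""
    host, cluster = parse_fw(host_text), parse_fw(CLUSTER_FW)     # aliases and IP sets live in cluster.fw
    pkts = {"ceph_from_pve2": ("192.168.178.98", 6789), "ssh_from_nuc": ("192.168.178.50", 22),
            "ssh_from_ct": ("192.168.178.200", 22)}
    return {k: first_match(host, cluster, "IN", src, "192.168.178.87", "tcp", p) for k, (src, p) in pkts.items()}

def ct_verdicts(ct_text):
    """ICMP out of Frank's container (constructed .200) to the router, the Docker VM and the internet."""
    ct, cluster = parse_fw(ct_text), parse_fw(CLUSTER_FW)
    dsts = {"gateway": "192.168.178.1", "docker_vm": "192.168.178.124", "internet": "1.1.1.1"}
    return {k: first_match(ct, cluster, "OUT", "192.168.178.200", ip, "icmp") for k, ip in dsts.items()}
```

With the rules in the order the video ends up with, `ct_verdicts(CT_FW)` accepts pings from the container to the router, rejects pings to the Docker VM, and lets internet traffic fall through to the default ACCEPT output policy; `ct_verdicts(CT_FW_WRONG)` rejects the router as well, because the broader `localnet` REJECT is evaluated first. `gui_reachable` on a datacenter file with the 8006 rule removed returns False, the lock-out the video warns about, and `node_verdicts(HOST_FW)` shows the Ceph monitor port from another node and SSH from the NUC accepted while SSH from a guest address falls to the DROP input policy.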
Info
Channel: MRP
Views: 8,535
Keywords: proxmox home server, proxmox home server series, mrp, proxmox firewall, proxmox cluster firewall, proxmox firewall setup, proxmox access restriction
Id: lcb3d-AT5iA
Length: 19min 40sec (1180 seconds)
Published: Mon Dec 25 2023