Abstract

Microsegmentation prevents lateral movement in virtualized environments by isolating VMs even within the same network segment. This article demonstrates how to achieve true microsegmentation in Proxmox VE using a layered approach: SDN with VLAN zones for network management, the integrated VNet firewall for Layer 3 isolation, and ebtables for Layer 2 (ARP) filtering. The scope of this article is limited to IPv4 environments.

Key takeaways: The Proxmox firewall alone cannot provide complete isolation since it operates only at Layer 3. Ebtables rules are deployed cluster-wide via ifupdown2 hooks for seamless integration with Proxmox SDN. This solution is particularly relevant for multi-tenant environments or integration with external SDN controllers like Cisco ACI.

1. Introduction: Why Microsegmentation?

Traditional network security focuses on the perimeter: firewalls protect the boundary between trusted and untrusted networks. Microsegmentation takes a different approach. It assumes threats may already exist inside the network and therefore restricts communication between workloads, even when they share the same network segment. Common usecases include multi-tenant hosting environments, compliance requirements such as PCI-DSS or HIPAA, Zero Trust implementations, and isolating development or lab workloads from production systems.

In a Proxmox VE environment, VMs connected to the same bridge can communicate freely by default – both at Layer 3 (IP) and Layer 2 (ARP, broadcast). An attacker who compromises one VM can discover and attack neighboring VMs through ARP scanning, even before attempting any IP-based exploits.

The Proxmox VE firewall, including the VNet firewall introduced with SDN, operates at Layer 3. It can block IP traffic between VMs effectively. However, ARP requests pass through unfiltered. VMs can still discover each other's MAC addresses and detect their presence on the network.

True microsegmentation requires control at both layers. This article presents a solution that combines Proxmox SDN, the VNet firewall, and ebtables to achieve complete VM isolation within shared network segments.

2. Solution Overview

The solution combines three components, each addressing a specific layer of isolation.

Proxmox SDN with VLAN Zones provides the network foundation. A VLAN zone maps VNets to physical network infrastructure through VLAN tags. Within a VNet, the "Isolate Ports" option prevents direct communication between VMs on the same node by configuring port isolation at the bridge level. However, this only works locally – VMs on different cluster nodes can still communicate.

The VNet Firewall extends isolation across the cluster. It operates at the datacenter level and filters Layer 3 traffic for all VMs attached to a VNet, regardless of which node they run on. Rules permit traffic between VMs and the gateway while blocking direct VM-to-VM communication. The firewall uses IPSets with the notation +sdn/<vnet-name>-all to dynamically reference all IPs within a VNet.

Ebtables closes the remaining gap at Layer 2. Since the VNet firewall cannot filter ARP traffic, VMs could still discover each other through ARP requests. Ebtables rules applied to the VNet bridge restrict ARP communication to the gateway only. All other intra-bridge ARP traffic is dropped.

The three layers work together: SDN provides structure and local isolation, the VNet firewall handles cluster-wide Layer 3 blocking, and ebtables prevents Layer 2 discovery. Traffic to and from the gateway remains unaffected, allowing VMs to communicate with external networks while being completely isolated from each other.

3. Configuration

This section walks through the complete setup using a concrete example:

A PVE cluster with four nodes (vl-srv1-4).

External connection for VLAN is provided by vmbr2.

A VNet named vnet144 with VLAN tag 144 and gateway 172.31.144.1.

3.1 SDN Zone and VNet Setup

First, create a VLAN zone under Datacenter - SDN - Zones.

create a VLAN zone

Select SDN - Zones and Add a VLAN zone

Configure the zone with an ID

Configure the zone with an ID and select the bridge that connects to your physical network infrastructure. MTU setting depends on the physical network, mine requires 1450.

VLAN Zone is created

VLAN Zone is created

Next, create a VNet under Datacenter - SDN - VNets.

Create VNet

Create VNet

Configure VNet

Configure VNet - Assign the VNet to your VLAN zone, set the VLAN tag, and enable Isolate Ports for local node isolation.

VNet is created

VNet is created

Each VNet requires at least one subnet for the VNet firewall to reference VM IPs correctly.

Configure Subnet

Configure Subnet

Subnet for VNet is added

Subnet for VNet is added

Microsegmentation with Proxmox VE, SDN, and VLAN Zones

Need help implementing SDN + VNet firewall + ebtables in your Proxmox cluster?