[PVE-User] Advices - Proxmox behind L3 or L2 network

Thu Nov 7 22:57:50 CET 2013


On 07/11/13 15:09, Leslie-Alexandre DENIS wrote:
> I'm currently designing a Proxmox-based virtualization solution and I'm
> wondering how you guys manage your edge connection.
> Do you prefer to route and set up your own L3 network before exposing the
> server? Or just leave the server with a WAN IP?
> What are your ideas regarding network security (BCP, RP Filtering...)?

My Proxmox nodes are multihomed.

One interface goes to a "public" L2 manageable switch. The VMs hosted on 
Proxmox usually have a virtual network interface with some VLAN tag. The 
Internet access of those VLANs is handled by other means, outside of 
the Proxmox cluster. The addresses used in those VLANs are private and 

The other interface is used for administration and storage (mostly backup 
and migration, the VMs use local storage). It also goes to a manageable 
L2 switch, but the VLAN capability is not used, ethernet connections are 
untagged. This network uses strictly private addressing and there is a 
router/firewall between it and Internet. It's completely independent 
from the router used by public VLANs. I access the nodes for 
administration via VPN (my router provides that) or a reverse proxy 
(Nginx on the router). A special trick (DNAT+SNAT) was required on the 
router in order to be able to access the VNC console from the web 
interface. The preferred method of connection is VPN, reverse proxy is 


