Hello, this is more of a proxmox question than a Zerotier one, but there does seem to be a lot of people using both from my reading of this forum, so I figured I’d post this here in case anyone has any insights.
For starters, this is my first time trying to use proxmox. I have a web development background, but extremely limited networking / IT knowledge. So this is all very new to me; I’m just saying that in case it helps formulate responses.
In my Proxmox setup, I have two VMs. One is a ubuntu server 22.04.3 for the sole purpose of self-hosting a zerotier controller (using ztnet which has an excellent UI for self-hosted network controllers). The other is another ubuntu server instance hosting web-based services. My hopes are to create a zerotier private network to allow members to access these services. It’s volunteer work for a local spiritual / religious organization, so security isn’t of utmost importance, but I want to use this as a good learning experience.
I followed instructions I could find to setting up the firewall in proxmox and applying it to each of the VMs. I am trying to make sure that the only access can be through either the local network, or the zerotier network, and that the only ports that can be accessed are the ones for the services on that VM. It took a bit of reading, but I was able to get everything to work with one gaping exception - accessing the devices using their IP address on the zerotier network completely bypasses the firewall. Once I turned the firewall on (before adding rules), it properly blocked me from using SSH or accessing the services on their local IPs (for example, 192.168.1.44:3777) but I could still SSH and access them if I used the zerotier IP (10.12.35.123:3777).
After doing quite a bit of reading, I found that in proxmox firewall needs to be enabled on the Network Device for the VM in order for it to work properly. Zerotier creates its own network device, inside the VM. My best guess here is that I somehow need to make sure that the firewall is being applied to this network device as well.
Looking in the proxmox webgui, if I go to the VM > Hardware, I can see ‘Network Device’ there with the one it created, where I have enabled the firewall. When SSH’d into the VM, I can use ifconfig to see the network device that I see in the web gui, with the same MAC address. Also, using ifconfig, I can see the network device created by Zerotier, with its MAC address. I am wondering if I can somehow make the firewall apply to that network device. I see that I can add more network devices, but my gut tells me I can’t just add a new one, using the MAC address that I see for the zerotier device in the VM, and have it work like I want. I haven’t even tried that yet because I am concerned about creating some type of conflict.
So, I am wondering how I can make sure that the firewall rules apply to the members of the zerotier network accessing the VM. That being said, I am a total neophyte to this and I realize that what I am trying to do might not be the best way to try to accomplish my goals. I’ve read stuff about bridging but honestly this is all still quite a bit over my head. I know that zerotier also has some abilities that are similar to what a firewall does, but I am not familiar with those and would need some guidance there as well if that’s a better solution. If I’m not following best practices here, or my approach is just completely wrong, I’d be happy to be pointed in the right direction.