
Prologue

This guide focuses on setting up an OpenWRT virtual machine on top of your Proxmox Server.

With it you can create and manage VLAN networks without a layer 3 switch or a VLAN-capable physical firewall.

For this to work, you need to follow the steps in this guide first: https://prox.guide/en/vlans.

Downloads

Here is the download link:

OpenWRT: https://downloads.openwrt.org/releases/.

Pick the latest version, in this case 23.05.4, then navigate to: 23.05.4/targets/x86/64/openwrt-23.05.4-x86-64-generic-ext4-combined-efi.img.gz.

Right click the link, and copy the download URL, so you can directly download it on Proxmox.

Create new VM

Create a new VM without disks or installation media, in this case we will name it DMZ-FW1.

Enable Qemu Agent and add an EFI disk, with Pre-Enroll keys unchecked: pre-enrolling installs the Microsoft Secure Boot keys and turns Secure Boot on, and the OpenWRT image is not signed for it, so it would refuse to boot.

The hardware configuration I use is OVMF (UEFI), i440fx, 1024 MB of RAM, 1 CPU core.

Downloading the image

Connect to your Proxmox console and issue following command:

Command: wget https://downloads.openwrt.org/releases/23.05.4/targets/x86/64/openwrt-23.05.4-x86-64-generic-ext4-combined-efi.img.gz (use the URL you copied)

Then extract the image:

Command: gunzip openwrt-23.05.4-x86-64-generic-ext4-combined-efi.img.gz
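The guide downloads the image and unpacks it without checking it. OpenWRT publishes a sha256sums file in the same release directory (https://downloads.openwrt.org/releases/23.05.4/targets/x86/64/sha256sums), so the download can be checked before gunzip. The function below is an added example and not part of the original guide; it assumes coreutils sha256sum and awk on the Proxmox host and the coreutils sums format OpenWRT uses (a hex digest followed by `*filename`).

```shell
#!/bin/sh
# Added example, not part of the original guide: check a downloaded OpenWRT
# image against the sha256sums file published in the same release directory.
# Assumes coreutils sha256sum and awk on the Proxmox host, and a sums file in
# the coreutils format OpenWRT uses: "<sha256-hex> *<filename>".

# verify_image <image-file> <sha256sums-file>
# Exit status: 0 hash matches, 1 hash differs, 2 filename not listed.
verify_image() {
    image="$1"
    sums="$2"
    name=$(basename "$image")

    # Pick the digest whose filename column equals our file. The leading "*"
    # only marks binary mode in coreutils format and is stripped first.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 2
    fi

    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "$name: OK"
        return 0
    fi

    echo "$name: HASH MISMATCH" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# When saved as a script and run as: sh verify_image.sh <image> <sha256sums>
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

Fetch the sums file with wget into the same directory as the image and run the check on the .img.gz before unpacking; a mismatch or a missing entry means the download is not the file OpenWRT published and should be thrown away. The sha256sums file only proves integrity of what the download server holds; OpenWRT also ships a usign signature (sha256sums.sig) next to it for anyone who wants to verify authenticity as well.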

VM Firewall

Import image to VM

Now run following command to import the disk to the VM:

Command: qm importdisk 100 openwrt-23.05.4-x86-64-generic-ext4-combined-efi.img local-zfs (replace the VM ID and the storage target; on current Proxmox releases the same command is also available as qm disk import)

qm importdisk

You can now see the new disk in the VM's Hardware configuration (qm config 100 shows it as unused0 on the command line):

VM Hardware

Now double click the Unused Disk 0 and attach it as scsi0:

Attach disk

Change boot order

Navigate to Options and change the boot order so that scsi0 comes first:

Boot order

Confirm by clicking OK.

Boot order

Configure management IP

Now click Console and start up your VM for the first time.

Once booted you will see a screen like this:

OpenWRT boot

Press Enter in the console to get a root shell; the fresh image has no root password yet.

OpenWRT shell

Type in following to open the network configuration:

Command: vi /etc/config/network.

Press i to enter insert mode. (The mode will be shown at the bottom left).

Then use the arrow keys to move to the lan interface section and set its values.

In our case we will use the following configuration:

Option    Value
ipaddr    10.0.20.254
netmask   255.255.255.0
gateway   10.0.20.1
dns       1.1.1.1
OpenWRT network config
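For reference while editing in vi, this is how the lan stanza in /etc/config/network reads after the change. It is an added example, not a screenshot from the guide; the device name br-lan (the stock x86 image's bridge over eth0) comes from the default image, and `list dns` is the file's syntax for the dns value.

```text
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.20.254'
	option netmask '255.255.255.0'
	option gateway '10.0.20.1'
	list dns '1.1.1.1'
```

Leave the other stanzas alone. After the network restart, uci show network.lan prints the values back and is a quick way to catch a typo before you lose access over the new address.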

Press ESC to exit insert mode.

Then type :wq and press Enter to write the file and quit.

Now restart the network:

Command: /etc/init.d/network restart

OpenWRT network restart

You can now open the Web-UI at https://10.0.20.254/ (the address you just configured).

Accept the certificate warning (LuCI uses a self-signed certificate generated on first boot) and you should see a login like this:

OpenWRT login

Press Log in, since we have not set a password yet.

Click Go to password configuration and set a strong password; this is the root password, so it also protects SSH and the console.

OpenWRT set password

Disable IPv6

The rules in this guide are written for IPv4 only, so we disable IPv6 to keep the DMZ to a single address family. Click Network and navigate to Interfaces:

OpenWRT interfaces

Click Devices and click Configure on eth0:

OpenWRT devices

Set Enable IPv6 to Disabled and hit Save:

Disable v6

Click Save & Apply as well.

Install qemu guest agent

Click System and then Software.

You should see a screen like this:

OpenWRT software

Click Update lists.

Then hit Dismiss and you should see some available packages.

Search for qemu-ga and install it:

Qemu GA

Head back to the OpenWRT console and run reboot to reboot.

Create wan interface

Navigate to Network and Interfaces:

Network device

Then click Add new interface.

Name it wan, set the protocol to Static address, set the device to the bridge device and assign it to the firewall zone wan:

OpenWRT interfaces

Configure DMZ firewall interface

We will create a new DMZ named lab.

The DMZ uses VLAN 50.

The DMZ network will be 192.168.0.0/24.

Go to your firewall VM's Hardware tab and add a new network device with VLAN tag 50:

Network device

Great, you should have two network devices now:

Network device

For each demilitarized zone you want one network device on the VM with the matching VLAN tag.

Create interface in OpenWRT

Head back to the Web-UI of OpenWRT, then navigate to Interfaces.

Click Add new interface:

Add new interface

Set the name to the name of your zone, in this case lab, and set the Protocol to Static address.

Also pick the new network device:

Add new interface

Click Create interface.

Now configure following items:

General Settings

IPv4 address: 192.168.0.1
IPv4 netmask: 255.255.255.0

Firewall Settings

Create / Assign firewall-zone: custom: lab

Click Save & Apply to create the new interface.

Add new interface

Configure firewall zones

Click Network then Firewall:

OpenWRT firewall

Set the default Input and Output to reject, and set them to reject on every zone as well, except wan.

Delete the lan => wan zone entry, then head to Network and Interfaces:

OpenWRT firewall

Edit the lan interface. Create a lan zone by assigning it to a zone named lan in the Firewall Settings tab:

OpenWRT firewall

Head back to the Network, then Firewall.

Set Input and Output to accept for wan. This is acceptable here only because wan is your trusted home network and is the side you manage the firewall from; never accept Input on a zone that faces the internet.

When everything's good it should look like this:

OpenWRT firewall

Hit Save & Apply.

Create Traffic rules

Click Network, then Firewall and then Traffic rules.

Delete all the default rules (the ping, DHCP, ICMPv6 and IPsec allow rules), as we will create our own set:

Traffic rules

Block lan access

We don't want our demilitarized zones to access our lan. The explicit reject is needed because the home network 10.0.20.0/24 is the upstream side of this firewall, so the Lab Internet rule below would otherwise let the DMZ reach it.

Click Add, then configure like this (replace the destination address with your LAN network, here 10.0.20.0/24):

Traffic rules

Lab Internet

We do want to be able to access the internet from our lab zone.

Click Add and configure like this:

Traffic rules

If you have more zones, configure an internet traffic rule for each of them, and keep it below the block rule, since rules are applied in order.

Click Save & Apply.

Create a port forward

We want to access our lab IP from our main network, for this I will use the IP 10.0.20.200.

Navigate to Network, then Interfaces and edit lan.

Next to the IPv4 address, click on "...".

Enter an available IP address:

Add interface ip

Great, now save and click Save & Apply.

Now navigate to Network, then Firewall and then Port Forwards:

Port forwards

Click Add.

You can make this port forward specific to ports, but here we redirect all ports from 10.0.20.200 to 192.168.0.2. Forwarding every port exposes every service on the DMZ host to the home network, so narrow it to the ports you actually need once testing is done.

192.168.0.2 will be our test client win1 later on.

Configure the port forward so it looks like this:

Port forward win1

In the Advanced Settings tab, select the IP address we just gave our lan interface.

Port forward win1

Click Save, then Save & Apply.
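As an added example rather than content from the guide, here is the DMZ side of the configuration as UCI stanzas, which is what LuCI writes to /etc/config/network and /etc/config/firewall when you click through the steps above (the lab interface from "Create interface in OpenWRT", the defaults and lab zone from "Configure firewall zones", the two rules from "Create Traffic rules" and the redirect from "Create a port forward"). Assumptions: the second Proxmox NIC shows up as eth1 inside the VM, the 10.0.20.200 alias belongs to the lan zone, and the rule names are invented here. The lan and wan zones are left as the guide configures them and are not repeated.

```text
# /etc/config/network (the lan stanza from earlier stays as it is)

config interface 'lab'
	# assumption: the second Proxmox NIC (VLAN 50) appears as eth1
	option device 'eth1'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

# /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lab'
	list network 'lab'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

# Rules are evaluated in file order: this reject must come before the
# accept below it, otherwise the DMZ can reach the home network via wan.
config rule
	option name 'Block-lab-to-home-network'
	option src 'lab'
	option dest '*'
	option dest_ip '10.0.20.0/24'
	option target 'REJECT'

config rule
	option name 'Lab-Internet'
	option src 'lab'
	option dest 'wan'
	option target 'ACCEPT'

# All ports of the 10.0.20.200 alias go to win1. Add src_dport/dest_port
# to limit the exposure to the one service you need.
config redirect
	option name 'win1'
	# assumption: the zone that holds the 10.0.20.200 alias on the lan interface
	option src 'lan'
	option src_dip '10.0.20.200'
	option dest 'lab'
	option dest_ip '192.168.0.2'
	list proto 'tcp'
	list proto 'udp'
	option target 'DNAT'
```

Compare your files with cat /etc/config/firewall after Save & Apply; if the reject rule sits below the accept rule, the DMZ-to-lan block test in the next section will fail even though both rules exist.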

Testing our demilitarized zone

Testing is important, always test your configurations to avoid unintentional access.

I create a new VM on our Proxmox server and install Windows 11 on it.

During the VM creation I set the network card to use VLAN 50:

VLAN in network

Here's the network configuration within the VM:

VM network

With a ping we can confirm that we have internet:

VM network ping

We can also confirm that we have no access to our local lan by pinging a device, in this case the Proxmox server. Also try the firewall's own DMZ address, https://192.168.0.1/, from the Windows VM: with Input set to reject on the lab zone, the login page must not load from inside the DMZ.

VM network ping

I'll install openssh server on the Windows 11 machine, so I can test our port forwarding rule.

After that I head over to our Proxmox server console, and ssh into our Windows 11 VM, using 10.0.20.200:

Port forward

As you can see, it works. We can access our VM, however the VM can't access our local lan.

You can create more demilitarized zones by adding more network interfaces to your VM, one per VLAN.

Notes

  • Use a distinct, otherwise unused subnet for each VLAN.
  • Always test your configurations: check both that the intended access works and that the unintended access is blocked.
  • If you have a layer 3 switch, you can still tag the port of the Proxmox server and other ports on the switch with your VLANs and use them with physical devices.
  • You can remove the OpenWRT image file from your Proxmox /root directory, if you don't need it anymore.

🎉 Congratulations, you now have a way to isolate virtual machines from your network.