standinglynx

Advanced Network Segmentation in Proxmox: VLANs, Namespaces & Firewalls

Introduction

This guide walks you through setting up network segmentation in a Proxmox environment using native Linux tools like VLANs, network namespaces, bridges, and iptables. The setup creates an isolated lab environment that mimics corporate network zones, ideal for secure testing and experimentation.

Why Segment Networks?

Network segmentation enhances security and functionality in lab environments by:

Tools Used

Lab Topology

VLAN ID   Purpose                Sample CIDR
-------   --------------------   ------------------
100       Management             192.168.X.0/24
200       External Simulation    10.100.X.0/24
300       Internal Services      172.16.X.0/24
400       Security Operations    10.50.X.0/24
999       Malware Analysis       192.168.254.0/30

Note: X represents variable octets for anonymization.

This topology simulates distinct security zones for controlled attacks, forensic analysis, and containment testing.

Expected Traffic Flow

This enforces strict access controls, mirroring real-world security practices.

Step-by-Step Setup

1. Create Namespaces and Bridges

# Create an isolated namespace
ip netns add analysis-env

# Set up a virtual bridge
ip link add lab-br type bridge
ip link set lab-br netns analysis-env
ip netns exec analysis-env ip link set lab-br up

Tip: Namespaces simulate routers or firewalls within a single host.

2. Connect with veth Pairs

ip link add veth0 type veth peer name veth1
ip link set veth1 netns analysis-env
ip link set veth0 up
ip netns exec analysis-env ip link set veth1 up
ip netns exec analysis-env ip link set veth1 master lab-br

Note: veth pairs act as virtual cables linking the host to the namespace.

3. Configure VLANs

ip netns exec analysis-env ip link add link lab-br name vlan200 type vlan id 200
ip netns exec analysis-env ip link set vlan200 up
# Repeat for VLANs 100, 300, 400, and 999 as needed

Tip: Script this step for larger setups to save time.

4. Assign IPs

ip netns exec analysis-env ip addr add 10.100.0.1/24 dev vlan200
# Assign IPs for other VLANs based on the topology

Ensure interfaces align with your planned IP scheme and subnet masks.

5. Set Up Routing and Firewall Rules

# Forwarding is per-namespace and off by default; without it the FORWARD chain is never consulted
ip netns exec analysis-env sysctl -w net.ipv4.ip_forward=1
# Allow VLAN 200 to initiate connections to VLAN 300, and only the replies back
ip netns exec analysis-env iptables -A FORWARD -i vlan200 -o vlan300 -j ACCEPT
ip netns exec analysis-env iptables -A FORWARD -i vlan300 -o vlan200 -m state --state ESTABLISHED,RELATED -j ACCEPT

Recommendation: Use a default-deny policy (iptables -P FORWARD DROP), set it before adding any ACCEPT rules, and allow only the traffic the topology requires.
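The five steps above fit into one script, shown here as an added example rather than the post's own code. It derives the VLAN sub-interfaces, gateway addresses and FORWARD rules from a single zone table and flow table, so the firewall cannot drift from the topology. The gateway addresses (first host of each sample CIDR with X replaced by 0) and the second permitted flow (400 to 300) are assumptions; the post only lists 200 to 300. Running it with `dry-run` prints the commands without needing root, which doubles as a review of the rule set before `apply`.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the segmentation
# lab (namespace, bridge, veth, VLAN sub-interfaces, gateway addresses,
# default-deny FORWARD policy) from one zone table and one flow table.
# Usage: sh seg.sh dry-run   (print the commands, no privileges needed)
#        sh seg.sh apply     (execute as root on the Proxmox host)

NS=analysis-env
BR=lab-br

# VLAN -> gateway address inside the namespace. CIDRs follow the lab
# topology table with the anonymised X octet replaced by 0 (assumption).
ZONES="100:192.168.0.1/24 200:10.100.0.1/24 300:172.16.0.1/24 400:10.50.0.1/24 999:192.168.254.1/30"

# Permitted flows as initiator:responder VLAN pairs. Only 200->300 is on
# the page; 400->300 (SecOps reaching internal services) is an assumed
# example. Everything not listed is dropped by the default policy; the
# malware VLAN 999 deliberately has no entry.
FLOWS="200:300 400:300"

# run: execute a command, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}
# ns: run a command inside the lab namespace
ns() { run ip netns exec "$NS" "$@"; }

setup_namespace() {
    run ip netns add "$NS"
    run ip link add "$BR" type bridge
    run ip link set "$BR" netns "$NS"
    ns ip link set "$BR" up
    # veth cable: veth0 stays on the host, veth1 becomes a bridge port
    run ip link add veth0 type veth peer name veth1
    run ip link set veth1 netns "$NS"
    run ip link set veth0 up
    ns ip link set veth1 up
    ns ip link set veth1 master "$BR"
}

setup_vlans() {
    for z in $ZONES; do
        id=${z%%:*}; addr=${z#*:}
        ns ip link add link "$BR" name "vlan$id" type vlan id "$id"
        ns ip link set "vlan$id" up
        ns ip addr add "$addr" dev "vlan$id"
    done
}

setup_firewall() {
    # routing between VLANs only happens with forwarding enabled
    ns sysctl -w net.ipv4.ip_forward=1
    # default deny first, then the allow list
    ns iptables -P FORWARD DROP
    ns iptables -F FORWARD
    # replies to permitted flows are accepted in one place
    ns iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for f in $FLOWS; do
        src=${f%%:*}; dst=${f#*:}
        ns iptables -A FORWARD -i "vlan$src" -o "vlan$dst" -m conntrack --ctstate NEW -j ACCEPT
    done
    # log what the default policy is about to drop, for the validation step
    ns iptables -A FORWARD -j LOG --log-prefix "lab-drop: "
}

main() {
    case "${1:-}" in
        dry-run) DRY_RUN=1; setup_namespace; setup_vlans; setup_firewall ;;
        apply)   setup_namespace; setup_vlans; setup_firewall ;;
        *)       echo "usage: $0 dry-run|apply" ;;
    esac
}
main "$@"
```

The single ESTABLISHED,RELATED rule replaces a per-pair return rule, so adding a flow is a one-token change to FLOWS. The trailing LOG rule makes the validation step concrete: anything that shows up with the lab-drop: prefix in the namespace's kernel log was blocked by policy, not by a missing route.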

Validation

Verify the setup with these commands:

ip netns exec analysis-env ip addr show
ip netns exec analysis-env ip route show
ip netns exec analysis-env iptables -L -v -n

Test connectivity (e.g., ping, traceroute) between VLANs to confirm isolation and rule enforcement.


Next Topic: Building an isolated malware analysis environment with VLANs and namespaces.



Assisted by AI