
I will do the best I can to describe what I'm actually looking to do here, but first - the setup. I have a whole internal network connected together with a managed layer 2 or 3 network switch, with many devices that communicate within that network, and I want to host outward-facing servers (game servers such as Minecraft, etc.) running Ubuntu Server 22.04 on a Proxmox VE cluster that I am hosting within the network. I've gotten this all working and it's fine and good, but I see attempts from unknown IPs trying to get IN to the network. Their firewalls have been instructed to reject all traffic from all but two ports - one for SSH, and one for the server itself. The port used for the server itself is the only one that is forwarded to the internet and it is device specific, so these attempts are definitely coming from the game server port. I have Xfinity, and so these attempts are usually blocked - but I don't want to just trust that.

I am looking to isolate these virtual machines from my main network - I use long complex passwords in a password manager with an even longer password and yadda yadda but passwords only do so much. I want these to be able to communicate over the internet, and I want to be able to join in and play on those servers with friends, but I don't want the servers getting access to my network if it just so happens to be compromised. Being able to access them via SSH would be nice for server management, but at this point I consider that a luxury. Everything I have read so far tells me this is possible, but depending on what info I trust it is either super simple or wickedly complex.

The method I am looking at is from a Reddit post which states that I can create a virtual machine with pfSense (I may try to do this with OPNsense instead) and use this as an internal router, giving it two virtual NICs. The first vNIC will be attached to the main vSwitch (With Internal Network Access, attached to the physical NIC) and the secondary vNIC will be attached to a secondary vSwitch (No internal network access, not attached to any physical NIC). Using pfSense, you can set the WAN interface to use the main vSwitch, and the LAN interface to use the secondary. You can configure this to block all traffic from going through, but I just need it to keep the server from gaining internal network access to my other devices.

There is a method (sort of) seen in this Proxmox Forum post which is also sort of what I was looking for, but once again not what I am actually looking for. I have tried this anyway, and have had difficulty even getting this to work at all.

The servers I want to isolate need a specific port forwarded to the internet. That's how the servers actually communicate out - and an eventual step to this process will be port redirection, but that is not something I am ready to tackle yet. The port forward makes the machine vulnerable, and in the event of the machine being compromised I want it fully isolated from my network. My Xfinity router allows port forwarding isolated to a specific device, and it does see those VMs as specific devices so I believe that port won't be open for other devices.

Does anyone have a functional way to do this? In summary, I want...

  1. Internet-Facing game server VMs, that are
  2. Isolated from my internal LAN network, but
  3. That can still get internet access
  4. (Bonus item: retain SSH access in some way/shape so I don't have to manually type out a 20+ character randomized password)

Please let me know if any additional information is needed!

  • Where do you see said attempts – in your router or in the game server itself? That is, are they logged before or after the router's NAT and firewall? Commented Jul 16, 2024 at 9:53
  • @grawity_u1686 The attempts show up in Xfinity's security section on their mobile app. The IPs themselves never actually reach the server itself; the Xfinity router blocked it. Hence why I wanted to keep the Xfinity router, but wanted to isolate the VMs just in case... Commented Jul 17, 2024 at 5:23
  • I have begun the process of creating an OPNsense "router" that will go in between the home network and my internal LAN network/lab devices. That way the missus and kiddos' network traffic is 1. isolated from the servers and lab equipment, and 2. the traffic going to that router is still being filtered by Xfinity's firewall, and I can add to it if I want to. Also it gives me more options to isolate the VMs from the internal LAN network, which I'm still not sure how to do but should be far easier on a router that isn't locked down tighter than Fort Knox. Commented Jul 17, 2024 at 5:27

1 Answer


Set up a router VM, then create firewall rules that allow packets to Internet but not to your 'main' LAN subnet.

But I'm guessing the Xfinity router does not support "static route" configuration, meaning that you won't be able to define a path from LAN and Internet to the server in the regular way.

If that's the case, it will make inbound HTTP and SSH to the 'server' subnet somewhat annoying to set up – still possible, but it means you'll need to have two layers of port-forwarding rules: once from the Xfinity router to pfSense, and then a second time from pfSense to the real server.

I see attempts from unknown IP's trying to get IN to the network.

The attempts show up in Xfinity's security section on their mobile app. The IP's themselves never actually reach the server itself, the Xfinity router blocked

You cannot avoid this. Firewalls can only block traffic from traveling beyond the firewall, but cannot outright stop it from arriving at the firewall – i.e. you cannot refuse to receive a packet. So as long as you have an IP address on the Internet, you'll be on the receiving end of many botnets and "researchers" that poke at every IP address.

Your Xfinity router isn't doing anything special here, though – you will get the same result from practically any router with a firewall set to "block by default".

Their firewalls have been instructed to reject all traffic from all but two ports - one for SSH, and one for the server itself. The port used for the server itself is the only one that is forwarded to the internet and it is device specific, so these attempts are definitely coming from the game server port.

I'm pretty sure you have your ports completely backwards – initial packets for connections to an SSH service never come from the SSH or game server port, they come to the SSH port or the game server port; and likewise "port forwarding" generally deals with inbound packets (from the internet, not to the internet) – and you really need to get that part straight as a prerequisite for being able to configure firewalls.

You can configure this to block all traffic from going through, but I just need it to keep the server from gaining internal network access to my other devices.

You can do this using the same kind of configuration, only by making the firewall rules more narrow. That is, you would have a packet filtering rule that blocks packets from game_server_address to lan_subnet, and a rule that allows all other packets. That is:

  1. from=any to=[serv_subnet]/24 protocol=tcp dst-port=22 action=accept
  2. from=[serv_subnet]/24 to=[lan_subnet]/24 action=reject
  3. from=[serv_subnet]/24 to=any action=accept

(For Linux iptables style, it would be exactly in this order, as the first match wins; whereas pfSense/OPNsense 'pf' style is usually the reverse. The last time I used pfSense I had a habit of marking rules 'quick' so that the first matching rule would win.)

Typically you only need to create rules in the direction that the first packet goes, while "reply" packets will be automatically allowed – e.g. rule 1 will have no effect on replies from the server, so you shouldn't need a separate rule to permit src-port=22.
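The three rules above evaluated under both matching orders, as an added example that is not part of the answer: the subnets and addresses are constructed placeholders, and the Packet/Rule objects are a simplified stand-in for iptables and pf, not either tool's own syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders for the answer's [serv_subnet]/24 and [lan_subnet]/24.
SERV_SUBNET = ip_network("10.0.20.0/24")
LAN_SUBNET = ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0  # destination port; a connection's first packet is matched on this
@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "reject"
    src: object = None    # ip_network, or None meaning "any"
    dst: object = None
    proto: object = None
    dport: object = None
    def matches(self, pkt: Packet) -> bool:
        return ((self.src is None or ip_address(pkt.src) in self.src)
                and (self.dst is None or ip_address(pkt.dst) in self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))

# Rules 1-3 exactly as listed in the answer, in that order.
RULES = [
    Rule("accept", dst=SERV_SUBNET, proto="tcp", dport=22),  # 1: SSH in to the server subnet
    Rule("reject", src=SERV_SUBNET, dst=LAN_SUBNET),         # 2: servers may not reach the main LAN
    Rule("accept", src=SERV_SUBNET),                         # 3: servers may reach anything else
]

def first_match(pkt: Packet, rules=RULES, default="reject") -> str:
    """iptables/nftables order (and pf rules marked 'quick'): the first match wins."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default
def last_match(pkt: Packet, rules=RULES, default="reject") -> str:
    """pf order without 'quick': every rule is evaluated and the last match wins."""
    verdict = default
    for r in rules:
        if r.matches(pkt):
            verdict = r.action
    return verdict

# Constructed sample packets: SSH in from the internet, server -> LAN file share, server -> internet.
SSH_IN = Packet("203.0.113.7", "10.0.20.5", dport=22)
TO_LAN = Packet("10.0.20.5", "192.168.1.10", dport=445)
TO_INET = Packet("10.0.20.5", "198.51.100.9", dport=443)
```

Under last-match order the server-to-LAN packet ends up accepted because rule 3 overrides rule 2, which is the ordering trap the answer describes; marking rule 2 'quick' (or evaluating first-match) restores the intended block.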

  • Thank you for your descriptive answers - I need to be more careful with my terminology. Most of what you said makes sense to me, and I don't think my port setup is backwards - but I can see how it sure sounds like that based on how I described it. It was not correct for me to say the blocked traffic is coming from the game server port, I should have instead said that the blocked traffic was attempting to come to the game server port, through my port forward. Does this make more sense? I am very much still a novice at this and so I'm still learning what I do and don't know. Commented Jul 17, 2024 at 15:12
  • Also, the part about creating a firewall rule to block traffic to a specific subnet - this makes sense to me, and if I can do this through Proxmox (I think I can) then it's exactly what I would be looking to do! Commented Jul 17, 2024 at 15:19
  • Yes – it's not so much the terminology in itself that's the point, but the fact that you'll have to deal with "source port" and "destination port" in most if not all firewall configurations, so you'll need to know that e.g. for incoming SSH connections only the destination port is 22 but the source port is not (so traffic 'to' the SSH server is 'to' port 22 and vice versa). Keeping track of terminology might preempt a bit of troubleshooting later on. Commented Jul 17, 2024 at 15:24
  • As for Proxmox, I don't know anything about its configuration – I only know that it's Linux-based so in theory should have full routing capabilities (i.e. should be able to easily create a dedicated subnet for some VMs and set up firewall rules using regular Linux iptables/nftables), but I have no idea where that's exposed, if it's exposed at all. Commented Jul 17, 2024 at 15:25
