
How to prevent VM from seeing other devices on LAN with the firewall

This is useful for setting up an isolated, sacrificial VM for testing known-bad software, links, etc., without letting it reach the other devices on the LAN.

Step 1: Create New Security Group

Datacenter - Firewall - Security Group

Create Group


Step 2: Add rules

Select the new security group and click 'Add'

Add the following rules:

IN  ACCEPT -log nolog              # allows incoming traffic
OUT ACCEPT -dest 192.168.x.x       # allows access to DNS, only needed if DNS is not provided by the gateway
OUT ACCEPT -dest 192.168.x.x       # allows access to the gateway
OUT DROP   -dest 192.168.0.0/16    # denies all access to the rest of the LAN

NOTE THAT THE ORDER OF THE RULES IS IMPORTANT: rules are evaluated top to bottom and the first match wins, so the ACCEPT rules for DNS and the gateway must sit above the DROP rule for the rest of the LAN.
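To see why the order matters, here is an added example (not from this page and not Proxmox code) that parses rules written in the syntax above and evaluates them first-match, the way the Proxmox firewall does underneath. The VM address 192.168.1.50, the DNS server 192.168.1.53, the gateway 192.168.1.1 and the other addresses are constructed sample values standing in for the page's 192.168.x.x placeholders; the IN DROP / OUT ACCEPT fallback policies are the Proxmox VM firewall defaults.

```python
"""First-match evaluation of Proxmox-style firewall rules (added example).

Assumptions (constructed, not from the page): VM at 192.168.1.50, DNS at
192.168.1.53, gateway at 192.168.1.1, a neighbour at 192.168.1.20 and an
internet host at 203.0.113.10 (documentation range).
"""
import ipaddress
import shlex

# Proxmox VM firewall defaults: unmatched IN traffic is dropped,
# unmatched OUT traffic is accepted.
DEFAULT_POLICY = {"IN": "DROP", "OUT": "ACCEPT"}

# Constructed rules in the text syntax used above (same as cluster.fw / <vmid>.fw).
RULES_CORRECT_ORDER = """
IN  ACCEPT -log nolog            # allows incoming traffic
OUT ACCEPT -dest 192.168.1.53    # DNS server
OUT ACCEPT -dest 192.168.1.1     # gateway
OUT DROP   -dest 192.168.0.0/16  # rest of the LAN
"""

# Same rules with the DROP moved up: the DNS and gateway rules never match.
RULES_WRONG_ORDER = """
IN  ACCEPT -log nolog
OUT DROP   -dest 192.168.0.0/16
OUT ACCEPT -dest 192.168.1.53
OUT ACCEPT -dest 192.168.1.1
"""

VM_IP = "192.168.1.50"  # constructed sample value

TEST_TARGETS = {        # constructed sample destinations
    "dns": "192.168.1.53",
    "gateway": "192.168.1.1",
    "lan_host": "192.168.1.20",
    "internet": "203.0.113.10",
}


def parse_rules(text):
    """Parse 'DIR ACTION -opt value ... # comment' lines into rule dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        tokens = shlex.split(line)
        direction, action = tokens[0].upper(), tokens[1].upper()
        opts = {k.lstrip("-"): v for k, v in zip(tokens[2::2], tokens[3::2])}
        rule = {"dir": direction, "action": action}
        for field in ("source", "dest"):
            if field in opts:
                # A bare address becomes a /32; a CIDR stays a network.
                rule[field] = ipaddress.ip_network(opts[field], strict=False)
        rules.append(rule)
    return rules


def evaluate(rules, direction, src, dst):
    """Return the verdict for one packet: the first matching rule wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["dir"] != direction:
            continue
        if "source" in rule and src_ip not in rule["source"]:
            continue
        if "dest" in rule and dst_ip not in rule["dest"]:
            continue
        return rule["action"]
    return DEFAULT_POLICY[direction]


def outbound_verdicts(rule_text):
    """Verdict for each sample destination when the VM initiates the connection."""
    rules = parse_rules(rule_text)
    return {name: evaluate(rules, "OUT", VM_IP, ip) for name, ip in TEST_TARGETS.items()}


if __name__ == "__main__":
    for label, text in (("correct order", RULES_CORRECT_ORDER),
                        ("wrong order", RULES_WRONG_ORDER)):
        print(label, outbound_verdicts(text))
```

With the rules in the page's order the VM reaches DNS, the gateway and the internet but not the neighbour; with the DROP first it loses DNS and the gateway as well, which shows up as a VM with no network rather than an obvious firewall error. The DROP rule only covers 192.168.0.0/16, so if your LAN uses another private range (10.0.0.0/8 or 172.16.0.0/12) the destination must be changed accordingly or the rest of the LAN stays reachable.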


Step 3: Enable Firewall on Datacenter

Datacenter - Firewall - Options - Firewall - "Yes"


Step 4: Add Security Group to VM

Select the VM - Firewall - Insert Security Group

If desired, you can enter the name of the interface so the group only applies to that vNIC in the VM; this is usually not required.


Step 5: Enable Firewall on VM

Select the VM - Firewall - Options - Firewall - "Yes"


Sources:

https://forum.proxmox.com/threads/prevent-access-to-local-network-from-vm.116799/