since port isolation is only local on the host. To get better port isolation, the VNET firewall can be used.
Signed-off-by: Aaron Lauterer <a.laute...@proxmox.com> --- pvesdn.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pvesdn.adoc b/pvesdn.adoc index 2e24dd2..1541e54 100644 --- a/pvesdn.adoc +++ b/pvesdn.adoc @@ -388,6 +388,10 @@ but not for the interface itself. This means guests can only send traffic to non-isolated bridge-ports, which is the bridge itself. In order for this setting to take effect, you need to restart the affected guest. +NOTE: Port isolation is local to each host. Use the +xref:pvesdn_firewall_integration[VNET Firewall] to further isolate traffic in +the VNET across nodes. For example, DROP by default and only allow traffic from +the IP subnet to the gateway and the vice versa. [[pvesdn_config_subnet]] Subnets -- 2.39.5
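Review bot: The last added line reads "to the gateway and the vice versa", which should be "and vice versa". The example rule set is also terse for a security note: "DROP by default and only allow traffic from the IP subnet to the gateway" does not say on which object the default policy is set or in which direction, so a reader cannot tell whether guest-to-guest traffic on another node is actually dropped. Consider naming the policy location and spelling out both allowed directions. Separately, all four insertions are text lines and the first one, "+NOTE: Port isolation is local to each host. Use the", follows "you need to restart the affected guest." directly. As far as the hunk shows there is no blank line or list continuation before it, so please check the rendered output to confirm AsciiDoc treats it as an admonition rather than folding it into the preceding paragraph.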