Looking for feedback on my Proxmox setup in a datacenter (beginner)

Hi everyone 👋

I’m pretty new to Proxmox and also to running it in a datacenter environment, so I’d love some feedback on whether my current setup makes sense or if I’m missing anything important.

Here’s how it looks right now (I’ve attached a diagram to show the layout more clearly):

  • I have two internet connections:

    1. One goes through a UniFi Gateway.

    2. One goes directly into the server on a physical port, but without its own CIDR. This is only used for VMs on the server to communicate outward.

  • I have a management LAN (VLAN 1) where Proxmox has its own CIDR. This network is behind the UniFi gateway.

  • I also have a VLAN 5 where we run a proxy gateway and some LXC containers that need to communicate on the LAN. The proxy can also reach the internet, but still goes through the firewall.

My questions are:

  • Is this a reasonable setup for Proxmox in a datacenter, or are there better/safer approaches?

  • Should I rethink having a port with direct internet into the server?

  • How do others usually handle management networks vs. external networks in a similar setup?

Any advice or best practices would be really appreciated 🙏

Why not use the UniFi gateway for all the WAN and use port forwarding to expose the VMs?

With good firewall rules, there’s certainly no reason not to give the PVE box a WAN connection. Since you’ve already got the UniFi gateway there, I’d use that as a VPN gateway for you to secure access to the PVE management interface.

I’d recommend looking into PVE’s software defined networking for your LAN, though. Since you’ve only got a single node, all of the containers/VMs can be on an internal connection, which gives you nominally a 10Gb line for free rather than the gateway’s one gig LAN.
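The reply above comes down to three checks: the host itself has no address on the WAN NIC (only the VM bridge does), the host's only address is on the management VLAN, and the Proxmox firewall accepts the web UI and SSH solely from the management IPSet (LAN plus the gateway's VPN client pool). The script below is an added example, not code from the reply's author or from Proxmox: it parses a constructed `/etc/network/interfaces` and a constructed `/etc/pve/firewall/cluster.fw` in the shapes Proxmox documents and reports where the layout drifts from that intent. NIC names (`eno1`, `eno2`), bridge names, the 10.0.1.0/24 management subnet, the 10.8.0.0/24 VPN pool and the 203.0.113.0/24 WAN address are all assumptions.

```python
# Added example, not Proxmox code: audit a single-node PVE host's /etc/network/interfaces and
# /etc/pve/firewall/cluster.fw for the layout above. NIC/bridge names and addresses are assumptions.
import ipaddress

# Constructed interfaces file: eno1 is the VLAN trunk behind the UniFi gateway with the host's
# management address untagged (VLAN 1) on vmbr0; eno2 is the second WAN circuit, bridged for VMs only.
INTERFACES_OK = """\
iface eno1 inet manual
iface eno2 inet manual
auto vmbr0
iface vmbr0 inet static
    address 10.0.1.10/24
    gateway 10.0.1.1
    bridge-ports eno1
    bridge-vlan-aware yes
auto vmbr1
iface vmbr1 inet manual
    bridge-ports eno2
"""
# The mistake to catch: a host address on the WAN bridge (203.0.113.0/24 is a documentation range).
INTERFACES_BAD = INTERFACES_OK.replace(
    "iface vmbr1 inet manual\n", "iface vmbr1 inet static\n    address 203.0.113.10/24\n")

# Constructed cluster.fw: override the built-in 'management' IPSet so the web UI (8006) and SSH
# answer only to the LAN and to VPN clients terminated on the gateway (10.8.0.0/24 is assumed).
CLUSTER_FW_OK = """\
[OPTIONS]
enable: 1
policy_in: DROP
[IPSET management]
10.0.1.0/24
10.8.0.0/24
[RULES]
IN ACCEPT -source +management -p tcp -dport 8006
IN ACCEPT -source +management -p tcp -dport 22
IN ACCEPT -p icmp
"""
CLUSTER_FW_BAD = CLUSTER_FW_OK.replace("-source +management ", "")  # management ports open to anyone

def parse_interfaces(text):
    """Map each ifupdown 'iface' stanza to its options (method plus 'key value' lines)."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0] in ("auto", "allow-hotplug", "source"):
            continue
        if parts[0] == "iface":
            current = parts[1]
            ifaces[current] = {"method": parts[3]}
        elif current:
            ifaces[current][parts[0]] = " ".join(parts[1:])
    return ifaces

def parse_cluster_fw(text):
    """Return (options, ipsets, rules); a rule is a dict of its '-key value' pairs."""
    options, ipsets, rules, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            head = line[1:-1].split()
            section = (head[0].upper(), head[1] if len(head) > 1 else None)
        elif not line or section is None:
            continue
        elif section[0] == "OPTIONS":
            key, val = line.split(":", 1)
            options[key.strip()] = val.strip()
        elif section[0] == "IPSET":
            ipsets.setdefault(section[1], []).append(line.split()[0])
        elif section[0] == "RULES":
            tok = line.split()
            rules.append({"dir": tok[0], "action": tok[1],
                          **{k.lstrip("-"): v for k, v in zip(tok[2::2], tok[3::2])}})
    return options, ipsets, rules

def audit(interfaces_text, cluster_fw_text, wan_nic, mgmt_bridge):
    """Return findings; an empty list means the config matches the intended layout."""
    findings, ifaces = [], parse_interfaces(interfaces_text)
    # 1. The WAN NIC sits on a bridge the host has no address on: VMs use it, the hypervisor does not.
    for name, opts in ifaces.items():
        if wan_nic in opts.get("bridge-ports", "").split() and (
                opts["method"] != "manual" or "address" in opts):
            findings.append(f"{name} carries {wan_nic} but has a host IP: hypervisor reachable from the WAN")
    # 2. The management bridge owns the host address.
    if "address" not in ifaces.get(mgmt_bridge, {}):
        return findings + [f"{mgmt_bridge} has no host address"]
    mgmt_net = ipaddress.ip_interface(ifaces[mgmt_bridge]["address"]).network
    options, ipsets, rules = parse_cluster_fw(cluster_fw_text)
    # 3. Firewall enabled with default-deny inbound (DROP is also PVE's default policy_in).
    if options.get("enable") != "1":
        findings.append("cluster firewall is not enabled")
    if options.get("policy_in", "DROP").upper() != "DROP":
        findings.append(f"inbound policy is {options['policy_in']}, expected DROP")
    # 4. The management IPSet must cover the management subnet (skip '!' nomatch entries).
    nets = [ipaddress.ip_network(e, strict=False) for e in ipsets.get("management", []) if e[0] != "!"]
    if not any(mgmt_net.subnet_of(net) for net in nets):
        findings.append(f"management IPSet does not cover {mgmt_net}")
    # 5. Web UI and SSH are accepted only from the management IPSet.
    for r in rules:
        if (r["dir"], r["action"]) == ("IN", "ACCEPT") and r.get("dport") in ("8006", "22") \
                and r.get("source") != "+management":
            findings.append(f"port {r['dport']} accepted from {r.get('source', 'any source')}")
    return findings
```

`audit(INTERFACES_OK, CLUSTER_FW_OK, "eno2", "vmbr0")` returns no findings; the `_BAD` pair reports the host address on the WAN bridge and the two management ports open to any source. The script only reads the host-level files: whether each VM's own NIC has `firewall=1` set and sensible per-VM rules is a separate check, and the VPN itself lives on the UniFi gateway, so the 10.8.0.0/24 pool here must match whatever that gateway hands out.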

To clarify: all three VLANs are on different physical ports. The two VMs located on the WAN network are both Ubuntu servers, and they each have their own firewalls enabled. One of them is the new UniFi Controller. I was concerned there might be a conflict if I routed it through the UniFi firewall.

The other is a web hosting service running CloudPanel. That service runs in an LXC container, paired with a proxy manager on VLAN 5. This setup is in a DMZ network. I’m not sure whether that’s an advantage or a disadvantage.