Bridge a physical interface inside a range
This is a proposal for enhancement that would fit some specific use cases.
I would like to be able to configure a physical interface of the Proxmox server to be inside a range. The end goal is to expose one part of a range on the internet (the WAN part of the range). Proper filtering and routing of public IPs would be performed by the upstream infrastructure outside of Ludus. This is possible to do with the Proxmox interface once the range is set up, but that does not survive destroying/re-deploying.
I guess this could be done by bridging a second virtual interface of a VM to a physical interface in the range configuration. An example configuration could look like this:
```yaml
network:
  external_default: ACCEPT
  inter_vlan_default: REJECT
  bridges:
    - name: "WAN connection for frontend reverse proxy"
      vm_name: "{{ range_id }}-RPROXY"
      phy_iface: "eno2"
  rules:
    - name: Only allow TCP 443 from VLAN 10 to VLAN 20
      vlan_src: 10
      vlan_dst: 20
      protocol: tcp
      ports: 443
      action: ACCEPT
```
Maybe bridging the internal router would be even better but that may require more modifications inside Ludus. For example:
```yaml
network:
  external_default: ACCEPT
  inter_vlan_default: REJECT
  physical_interfaces:
    - name: "Range WAN"
      iface: eno2
      ip: 192.66.66.66
      mask: 24
      gateway: 192.66.66.254
  forwards:
    - name: "Port 80,443 to web server"
      vm_name: "{{ range_id }}-RPROXY"
      phy_iface: "eno2"
      ports: "80,443"
    - name: "Port 22 to SSH Bastion"
      vm_name: "{{ range_id }}-BASTION"
      phy_iface: "eno2"
      ports: "22"
  rules:
    - name: Only allow TCP 443 from VLAN 10 to VLAN 20
      vlan_src: 10
      vlan_dst: 20
      protocol: tcp
      ports: 443
      action: ACCEPT
```
Attribution of a physical interface to a user should be done by an admin.
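The admin-assignment requirement above, sketched as a pre-deployment check over the proposed `physical_interfaces` and `forwards` keys. This is an added example, not Ludus code: the types, the `ValidateWAN` function, the `allowed` map and the `demo-` range ID are hypothetical, and the config is assumed to be already parsed.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Hypothetical types mirroring the proposed physical_interfaces / forwards keys.
type PhysIface struct {
	Name, Iface, IP, Gateway string
	Mask                     int
}
type Forward struct{ Name, VMName, PhyIface, Ports string }

// ValidateWAN returns one message per problem; an empty result means the config passes.
// allowed is the admin-maintained set of host NICs assigned to the requesting user.
func ValidateWAN(allowed map[string]bool, ifaces []PhysIface, fwds []Forward) []string {
	var errs []string
	declared := map[string]bool{}
	for _, p := range ifaces {
		if !allowed[p.Iface] {
			errs = append(errs, fmt.Sprintf("%s: %q is not assigned to this user", p.Name, p.Iface))
			continue
		}
		declared[p.Iface] = true
		_, subnet, err := net.ParseCIDR(fmt.Sprintf("%s/%d", p.IP, p.Mask))
		gw := net.ParseIP(p.Gateway)
		if err != nil || gw == nil || !subnet.Contains(gw) {
			errs = append(errs, fmt.Sprintf("%s: gateway %q is outside %s/%d", p.Name, p.Gateway, p.IP, p.Mask))
		}
	}
	for _, f := range fwds {
		if !declared[f.PhyIface] {
			errs = append(errs, fmt.Sprintf("%s: %q is not a usable physical interface", f.Name, f.PhyIface))
		}
		for _, s := range strings.Split(f.Ports, ",") {
			if n, err := strconv.Atoi(strings.TrimSpace(s)); err != nil || n < 1 || n > 65535 {
				errs = append(errs, fmt.Sprintf("%s: invalid port %q", f.Name, s))
			}
		}
	}
	return errs
}

func main() {
	// Values taken from the second example configuration; the range ID is constructed.
	ifaces := []PhysIface{{Name: "Range WAN", Iface: "eno2", IP: "192.66.66.66", Mask: 24, Gateway: "192.66.66.254"}}
	fwds := []Forward{{Name: "Port 22 to SSH Bastion", VMName: "demo-BASTION", PhyIface: "eno2", Ports: "22"}}
	fmt.Println(ValidateWAN(map[string]bool{"eno2": true}, ifaces, fwds)) // admin assigned eno2
	fmt.Println(ValidateWAN(map[string]bool{}, ifaces, fwds))             // nothing assigned
}
```

Running the check when the range config is submitted, before any bridge is created on the host, keeps a user from attaching a range to a NIC that was never assigned to them.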