Block IPs inbound/outbound of specific virtual machine on bridge

Hakisak

Cadet
Joined
Jul 18, 2023
Messages
4
Hello,

I am running TrueNAS SCALE on bare metal.
I have a few virtual machines and TrueNAS on one bridge sharing a single 10GbE NIC (all the VMs are using virtio drivers).
I want to create a guest virtual machine but don't want it to be able to talk to certain systems on the bridge AND outside the bridge.

For example:
The guest VM will have an IP of 192.168.1.4.
I want to block data from 192.168.1.4 to all addresses between 192.168.1.5 and 192.168.1.254.

My network switch is a QSW-M408-2C; it has ACLs but can't do IP ranges :(

What way can I do this?
A virtual L3 switch?
Preferably something with a UI would be nice.

Side note:
I do have an ER7206 router that can do ACLs. I could dedicate a 1GbE onboard NIC with a single cable going to the router and do the ACLs on that (it can do IP ranges), but then it would be limited to 1GbE (not a big deal, would be a last resort).
 

morganL

Captain Morgan
Administrator
Moderator
iXsystems
Joined
Mar 10, 2018
Messages
2,694
It's probably better to put the "special" VM on a separate subnet... and perhaps a separate VLAN and bridge.
TrueNAS does not act as a firewall.
 

Hakisak

Cadet
Joined
Jul 18, 2023
Messages
4
> It's probably better to put the "special" VM on a separate subnet... and perhaps a separate VLAN and bridge.
> TrueNAS does not act as a firewall.

Thought so. I think using the ACL on my router will be the only way.

It would be nice if a product existed in the form of a PCIe card that can do level 3 stuff in hardware, like if you could install pfSense onto a PCIe card and it would do all the routing, VLANs and virtual NICs.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
You can probably do what you want as @morganL suggests...

Code:
     VM (the one to be protected)
br1   +----------------------------------+
                                       FW VM (running some kind of firewall)
br2      +-------------------------------+
     Host NIC
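As an added example (not from sretalla's post, and not anything TrueNAS ships), here is how the "FW VM" in that diagram could implement the original request with the nftables bridge family, which accepts the IP range the switch ACL could not express. It assumes the FW VM is a Linux guest whose two virtio NICs (eth0 towards br1, eth1 towards br2) are enslaved to a transparent bridge, so every frame between the guest VM and the rest of the LAN crosses the bridge forward hook.

```shell
#!/bin/sh
# Added example: nftables ruleset for a transparent firewall VM sitting between
# br1 (guest side) and br2 (host NIC side). Interface names are assumptions.
GUEST_IP="192.168.1.4"                      # guest VM from the question
BLOCKED_RANGE="192.168.1.5-192.168.1.254"   # range the switch ACL could not do
GUEST_IF="eth0"                             # FW VM port facing br1 (assumed)

# Emit the ruleset as text so it can be reviewed before it is loaded.
fw_ruleset() {
    cat <<EOF
table bridge guestfilter {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Outbound: guest -> protected range is dropped and counted
        iifname "$GUEST_IF" ip saddr $GUEST_IP ip daddr $BLOCKED_RANGE counter drop

        # Inbound: protected range -> guest is dropped and counted
        oifname "$GUEST_IF" ip daddr $GUEST_IP ip saddr $BLOCKED_RANGE counter drop

        # Everything else the guest sends (e.g. to the gateway) is counted only
        iifname "$GUEST_IF" ip saddr $GUEST_IP counter
    }
}
EOF
}

# Number of drop rules in the generated ruleset (one per direction).
fw_drop_rule_count() {
    fw_ruleset | grep -c 'counter drop'
}

# "--apply" loads the ruleset atomically; anything else just prints it.
case "${1:-}" in
    --apply) fw_ruleset | nft -f - ;;   # needs root inside the FW VM
    *)       fw_ruleset ;;
esac
```

Verify with `nft list table bridge guestfilter` inside the FW VM: the drop counters increment when the guest tries to reach the range, while traffic to the gateway (outside the range) only increments the last counter.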