Zelogx MSL Setup – The Multi-tenant Enabler for Proxmox.

Most security incidents begin
from 'vulnerable dev environments' or from an outsourced engineer's PC and propagate through the network. What matters is separating the networks so you can limit the blast radius.：

• Viruses unknowingly stepped on by outsourced engineers. Leakage of VPN/VDI/SSH connection information on infected PCs
• Large company MC systems are isolated, but small and medium-sized companies and startups are often not isolated.
• Even if isolated, secondary damage spreads by accessing virus-infected development environments from VDI
• Vulnerable VM instances in the cloud with public IPs
• Test environments for different clients accidentally logging in just by entering the wrong destination IP
• VMs forgotten to shut down
• Copying files and code from development environments to networks connected by MC systems

Developers are not malicious. The problem is the lack of mechanisms to safely operate development environment infrastructure.

When development environments proliferate without control, the following occurs:

• Past instances that no one knows about are left abandoned
• Increasing cloud charges, even stopped VM instances are charged for storage maintenance.
• Outbound traffic to the Internet side is pay-as-you-go beyond a certain level
• Most instances built by engineers who are not familiar with security have Public IPs directly and expose vulnerable application servers such as Tomcat.
• Default security groups have insufficient IP address restrictions
• Just one client PC stepping on a virus can put all your businesses at risk.
• And mysteriously placed executable files. Infection spread to internal VPCs. These are all just examples.

Result: Not having a controlled development environment exposes companies to ransomware attacks and data breach risks.
"In the end, on-premises with control was superior in terms of risk and cost."

MSL Setup takes the opposite approach:

• Run on self-owned (or rented) high-performance hardware (OPEX reduction, performance improvement, forced application of security settings, etc.)
• Provide each project with its own fully isolated Layer 2 network. All communication within the project is allowed. Communication outside the project is restricted
• Dedicated VPN instances for each project are automatically provisioned. VPN clients can only communicate within the specified project. Even if you change the client-side settings, you can only communicate on the specified route.
• Proxmox RBAC allows VM instance creation, start, stop, backup, and snapshot control within the assigned project (Corporate Edition only automatic settings)
• Completely separate the main LAN from the development LAN. Development networks are isolated to prevent intrusion into the core LAN
• Controlled security rules are pre-provisioned, no configuration required for each VM build
• Easily start & stop dedicated VPN servers for active projects, easy VPN user management. Suspend and resume with one click. VPN connection status is also visualized.
• You will no longer waste time managing VPN client keys.
• Even if a VPN client PC is hijacked, the impact is limited to VMs within that project only.

Controlled security rules and operational rules are always applied, suppressing wasteful traffic to the main LAN. You can obtain a permanent, isolated development environment.

MSL Setup can be used for various purposes such as all software development companies, OT, game server fault localization, etc.:

• Want to quickly prepare a high-performance distributed development environment on-premises
• Need an environment where demos, PoC environments, and verifications can be prepared easily, securely, and cost-efficiently
• Want to isolate each network to localize faults from various threats
• Client projects must be strictly separated from each other
• Want to conduct vulnerability testing in a closed network
• Want to quickly launch an MSP lab
• Want to quickly launch many virtual appliance integration test environments with L2-level isolated networks
• Want to reduce the risk to the production environment by building development and staging environments in-house
• Want to efficiently manage VMs without worrying about costs such as snapshots and backup generations
• Want to efficiently manage customer training environments on a single server

This is why this project exists: to provide a way to quickly deploy multi-tenant environments — without turning every environment into a security incident waiting to happen.

The first thing to clarify is which VM will be reachable from outside.

In its default state, Proxmox connects all VMs to the same bridge (vmbr0), so they can communicate with each other. If you configure port forwarding and expose a VM to the internet in that state, then if that VM is compromised, an attacker may be able to reach other VMs on the same network, the host itself, your home LAN, or even your corporate LAN.

There are three things to consider before publishing a VM:

• Separate the public VM from other VMs and LANs (network isolation)
• Allow only the traffic required for the exposed service (firewall rules)
• Minimize the impact if the VM is compromised (blast radius design)

The simplest way to do this on Proxmox is to place the VM into a dedicated isolated network using Proxmox SDN (VXLAN Zone + VNet) and control traffic with the PVE firewall.

MSL Setup automates this configuration.

Port forwarding only opens a path from outside to a VM. It does not prevent lateral movement after that VM has been compromised.

A typical risk scenario looks like this:

• A public-facing web application has a vulnerability, and the attacker gets a shell
• From that VM, the attacker reaches other VMs on the same network, such as databases or backup servers, using SSH or ARP scanning
• Eventually, the attacker reaches the Proxmox host itself or the internal corporate network

Port forwarding is just a router feature. It does nothing to control what happens after a VM has been breached. What you need is VM-level network isolation.

With Proxmox, you can place the exposed VM into a dedicated segment using SDN VXLAN Zones and VNets, then block lateral movement from that segment with host-level firewall rules. MSL Setup builds this automatically.

Blast radius means the scope of impact when one part of a system is compromised.

The core principle of reducing blast radius is to design as if compromise will happen. In other words, it is not enough to focus only on prevention. You also need a structure where damage does not spread even if an attacker gets in.

To minimize blast radius in a Proxmox environment:

• Network isolation: Place public-facing VMs and VMs for different purposes into separate SDN VNets. Different VNets cannot communicate by default, so compromise does not spread automatically.
• Firewall rules: Use the PVE firewall so that each VM can communicate only where it actually needs to.
• VPN-based access: Restrict management access through VPN and minimize direct exposure to the internet.

MSL Setup packages these ideas into a repeatable pattern: project-based L2-isolated networks with dedicated VPN access, deployed automatically without configuration mistakes.

They serve different roles.

VLAN can also be used entirely inside Proxmox, but once your operational scope reaches the physical network, you often need VLAN-capable switches and the knowledge to configure and manage them. Depending on the environment, that can become a high barrier.

pfSense / OPNsense are router VMs. They are powerful, but operationally more complex. You have to design and maintain routing, NAT, and firewall policies yourself. If you deploy one router VM per project, each of them consumes CPU, memory, and storage. Configuration also tends to become fragmented, which turns management into a puzzle of figuring out which rules live in which router.

Proxmox SDN is built into Proxmox 8.x and later. By creating VNets inside the host, it provides L2-level isolation without extra physical appliances or router VMs. Configuration is centralized in the Proxmox GUI and SDN config, so you can see which project owns which network in one place.

MSL Setup automatically configures Proxmox SDN VXLAN Zones, VNets, and the PVE firewall so that this isolation can be deployed in minutes.

No, not if you use Proxmox SDN.

With VLAN-based isolation, once you need communication across nodes or need VLANs carried through physical switches, you often need VLAN-capable switches and the knowledge to configure them. By contrast, Proxmox SDN VXLAN Zones create isolated L2 networks inside the host, so they do not depend on switch-side VLAN configuration.

What Proxmox SDN can do without a switch:

• Create fully isolated L2 networks (VNets) per project
• Block communication between VNets by default
• Apply firewall rules at the VNet level

MSL Setup automates this configuration, so you can build a safe isolated environment without needing network appliance expertise.

No. By combining Proxmox SDN with the PVE firewall, you can isolate multiple projects at L2 level without external network appliances.

When people hear "separate multiple projects on one server," they often assume they need VLAN switches or router VMs such as pfSense or OPNsense. But with Proxmox SDN VXLAN Zones, you can create VNets inside the host and give each project its own fully isolated L2 network.

MSL Setup adds automatic per-project VPN deployment on top of that. Each project member can reach only that project's network over VPN, which prevents cross-project leakage by design.

Yes. But the word "safely" depends on the network design.

If you simply place multiple VMs on the same bridge (vmbr0), they are not isolated from one another. To separate them safely, each project needs its own network boundary.

With Proxmox SDN VXLAN Zones and VNets:

• Project A VMs and Project B VMs are placed into different VNets
• The VXLAN-based networks themselves are routable in principle, but MSL Setup blocks inter-VNet communication with the PVE firewall
• As a result, lateral movement between projects is prevented

MSL Setup automatically generates these isolated networks for the required number of projects and attaches a dedicated VPN to each one. A VPN user for one project can reach only that project's VNet.

Not exactly. It serves a different role. It is closer to a design that removes the need for pfSense / OPNsense in many Proxmox isolation scenarios.

pfSense and OPNsense are router VMs. They provide routing, NAT, firewalling, DHCP, and more from inside a VM. They are powerful, but they require routing knowledge and carry operational costs for updates, troubleshooting, and maintenance.

MSL Setup isolates VMs using Proxmox host-level mechanisms. There is no extra router VM to deploy. The Proxmox host itself becomes the isolation boundary.

That means:

• No router VM overhead
• Fewer settings and fewer opportunities for mistakes
• No need for deep network appliance knowledge to deploy it

There is also a difference in isolation trust. Separation with pfSense / OPNsense depends on the configuration of that router VM, so misconfiguration or compromise of the router can weaken the boundary. MSL Setup enforces isolation at the Proxmox host level, so even if someone inside a VM tries to change the network structure, for example by creating VLANs internally, the project boundary is still maintained by the host. VM-side actions do not collapse the isolation wall.

That said, if you need complex WAN routing policies or deep packet inspection, pfSense / OPNsense may still be the better fit.

It automates the following in about 20 minutes:

Network setup:

• Creation of Proxmox SDN Zones, VNets, and Subnets for the required number of projects
• Configuration of PVE firewall IPSets and rules
• Host-level firewall enforcement to strengthen L2 isolation

VPN setup:

• Deployment of a Pritunl VM (Ubuntu cloud-init based)
• Automatic creation of per-project VPN servers, organizations, and users

Documentation generation:

• Automatic generation of a network diagram displayed in the Proxmox dashboard
• Automatic generation of an operation guide displayed in the Pritunl VM notes

Corporate Edition only:

• Automatic RBAC setup (Pools, Groups, Users)
• A self-care portal that allows VPN users to manage VMs inside their own project

Use Proxmox SDN with VXLAN Zones + VNets.

In Proxmox 8.x and later, you can create L2-isolated networks inside the host directly from the GUI by defining Zones and VNets. No additional hardware is required.

However, once you include firewall rules, VPN access, and documentation management, doing everything manually still takes time and requires knowledge.

MSL Setup automates the full workflow with interactive shell scripts. Even without deep network design experience, you can build an enterprise-grade isolated environment just by answering the prompts.