
Not sure if anyone else here is doing this kind of thing, but over the past couple of weeks I’ve been messing around with running several completely isolated L2 networks on a single Proxmox box. Not VLANs, not EVPN, just the built-in SDN stuff (Simple Zone + a bunch of VNets).
The idea was basically: I’ve got different projects that all need their own sandbox, and I don’t want them touching each other, or my main LAN, no matter what kind of nonsense I (or future-me at 2AM) do inside the VMs. Pure L2 bubbles.
Surprisingly, it actually works pretty cleanly. The SDN bits aren’t fancy, but they’re “just enough” to carve out separate little islands. Everything routes out to the internet fine, nothing leaks sideways, and the Proxmox host can still reach everything for management.
The part I didn’t expect was that Proxmox will happily render an SVG if you drop it in `/usr/share/pve-manager/images/` and reference it from the Notes field. So I ended up turning the whole plan into an animated diagram and stuck it right there in the VM notes. Helps me remember what I was thinking.
If anyone’s curious, I tossed the diagram and the tiny bit of structure I used here:
GitHub - zelogx/proxmox-msl-setup-basic: Zelogx™ Multi-Project Secure Lab Setup (AKA MSL setup) is an open-source toolkit for creating secure, project-isolated development environments on Proxmox, using Proxmox SDN, Firewall (Security Groups), and Pritunl. Build multi-tenant, zero-trust, L2-isolated labs with repeatable architecture and best practices.
It’s nothing crazy — I’m just wondering if anyone else is isolating dev networks like this instead of going down the VLAN/EVPN rabbit hole. Would be nice to hear how other people approach it.
If this looked like a F*cking PITA, here’s the automation demo.
Project-isolated VPNs powered by Pritunl
User management is handled through the Pritunl GUI. Clean, intuitive, and ridiculously easy to operate.
Pritunl acts as the backend for generating fully isolated VPN endpoints — one per project.
- VPN-A → Only sees Project A’s VMs
- VPN-B → Only sees Project B’s VMs
- mainLAN → Completely invisible
Pritunl Dashboard

- Add / modify / suspend / remove VPN users
- Manage organizations (one org per project)
- Client VPN profiles are auto-generated on user creation
- Download the config directly or share a download link

- Assign organizations to their dedicated per-project VPN server
- Start/stop VPN servers per project
- Each VPN server maps cleanly to its own isolated VNet (project LAN)

In short:
Each project gets its own virtual LAN, its own VPN gateway, and its own access boundary —
all provisioned automatically, and all managed through a clean GUI.
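
One way to check the boundary described in this post (VPN-A sees only Project A, mainLAN invisible) against observed traffic, as an added example that is not part of the original post or the linked toolkit. The subnets, VPN pools and sample flows are constructed assumptions, since the post lists no addressing.

```python
import ipaddress

# Constructed addressing plan (assumption: the post lists no subnets).
MAIN_LAN = ipaddress.ip_network("192.168.1.0/24")
PROJECTS = {
    "A": {"vnet": "10.10.1.0/24", "vpn": "10.20.1.0/24"},
    "B": {"vnet": "10.10.2.0/24", "vpn": "10.20.2.0/24"},
}
NETS = [(ipaddress.ip_network(cidr), proj, kind)
        for proj, d in PROJECTS.items() for kind, cidr in d.items()]


def overlapping_ranges():
    """Overlapping ranges make 'which project owns this IP' ambiguous."""
    nets = [n for n, _, _ in NETS] + [MAIN_LAN]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def zone_of(ip):
    """Map an address to (project, kind); project is None outside the lab."""
    addr = ipaddress.ip_address(ip)
    for net, proj, kind in NETS:
        if addr in net:
            return proj, kind
    return None, "mainlan" if addr in MAIN_LAN else "external"


def violation(src, dst):
    """Return why a flow breaks the per-project boundary, or None."""
    sproj, _ = zone_of(src)
    dproj, dkind = zone_of(dst)
    if sproj is None:
        return None  # only flows that start inside a project are judged here
    if dkind == "mainlan":
        return f"project {sproj} reached mainLAN"
    if dproj is not None and dproj != sproj:
        return f"project {sproj} reached project {dproj}"
    return None  # same project, or outbound to the internet


def audit(lines):
    """lines: 'src dst' pairs, e.g. extracted from firewall or flow logs."""
    pairs = (line.split() for line in lines if line.strip())
    return [(s, d, why) for s, d in pairs if (why := violation(s, d))]


# Constructed observations, not taken from the post.
SAMPLE = ["10.20.1.5 10.10.1.20", "10.10.1.20 203.0.113.7",
          "10.20.1.5 10.10.2.30", "10.10.2.30 192.168.1.10",
          "192.168.1.2 10.10.1.20"]
```

Flows that start on the main LAN (such as host management access) are deliberately not judged; only traffic originating inside a project VNet or VPN pool is checked.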