Hide VMBR MAC?

Josh North

Nov 27, 2013
So I use Proxmox for a handful of clients who mostly have business-class ISPs with static IP addresses. Works great there, no issues.

I also have a Proxmox server set up at my home running several test machines, file servers, etc - plus a container with iptables firewall and OpenVPN server. Also works great - mostly.

My question/problem is this:
My home ISP is Comcast residential cable. I have 2 bridges set up like below in the config list. vmbr0 is internal net and the NIC links to a switch. vmbr10 is external and links straight to my cable modem. vmbr10 has no IP assigned. About 50% of the time if I have to restart my Proxmox server, the vmbr10 MAC is seen by the cable modem and hence gets the only public IP I have available. The other half of the time, the firewall container beats it to the punch and gains the public IP - (this is what I want to happen all the time!)

Any ideas? It seems the cable modem defaults to handing the IP address to the first MAC it sees on the network, so I was thinking some way to block all traffic from the vmbr10 MAC would be ideal, so that the only traffic my cable modem sees comes straight from the firewall container MAC.

Notes:
DHCP is not enabled on Proxmox host
vmbr10 does NOT have any IP set as you can see in the config below
I have changed the container MAC address (and its dhclient.conf MAC identifier) to an unused but perfectly valid MAC from a NIC that I put in the trash.

interfaces file from host:
Code:
# network interface settings
auto lo
iface lo inet loopback


iface eth1 inet manual


iface eth4 inet manual


iface eth0 inet manual


iface eth2 inet manual


iface eth3 inet manual


auto vmbr0
iface vmbr0 inet static
    address  192.168.101.201
    netmask  255.255.255.0
    gateway  192.168.101.11
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0


auto vmbr10
iface vmbr10 inet manual
    bridge_ports eth4
    bridge_stp off
    bridge_fd 0

interfaces file from guest firewall container:
Code:
auto lo
iface lo inet loopback


auto eth0
iface eth0 inet static
address 192.168.101.11
netmask 255.255.255.0


auto eth1
iface eth1 inet dhcp


And last, relevant vz conf file portion for network config on that container (with MACs obscured for security):
Code:
NETIF="ifname=eth0,bridge=vmbr0,mac=00:00:00:00:00:00,host_ifname=veth101011.0,host_mac=00:00:00:00:00:00;ifname=eth1,bridge=vmbr10,mac=00:00:00:00:00:00,host_ifname=veth101011.1,host_mac=00:00:00:00:00:00"
 
Hello Josh,

First an understanding question:

It seems you have no DHCP client active except eth1 in the firewall container!? ARE YOU SURE?

If so probably your cable modem scans all existing ports (resp. waits for the first occurring mac address on the line) and makes by itself an IP assignment without (DHCP-)request.

In that case you should avoid sending any MAC address to the cable modem except the container's eth1's.

What I would do in such a case:

- trace the start-up traffic in order to detect how the cable modem figures out the (unwanted) MAC address

- prevent sending the messages with source MAC others than container's eth1 (or ensure that it is always the first one) by disabling the respective function/protocol.

- depending on trace results, maybe IPv6 messages. Look e.g. here http://namhuy.net/1419/disable-ipv6-ubuntu-linux-mint.html how to disable IPv6 (I succeeded only with the GRUB method; if IPv6 is needed it can be reactivated after boot)

Success!

Mr.Holmes
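As an added example (not from the thread, and not Proxmox code), here is the first step Mr.Holmes suggests made concrete: feed a `tcpdump -e -n -i eth4` capture of the boot-time traffic on the external port to a small script that lists every source MAC other than the container's eth1 and what those frames were. The capture lines and both MAC addresses below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -e -n -i eth4" output taken during a host
# reboot. The MACs are invented: 52:54:00:aa:bb:cc stands for the container's
# eth1, 00:25:90:11:22:33 for the host's vmbr10 bridge.
# Real capture: tcpdump -e -n -i eth4 -w boot.pcap ; tcpdump -e -n -r boot.pcap
SAMPLE_CAPTURE = """\
12:00:01.000000 00:25:90:11:22:33 > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
12:00:01.100000 00:25:90:11:22:33 > 33:33:ff:11:22:33, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ff11:2233: ICMP6, neighbor solicitation, who has fe80::225:90ff:fe11:2233, length 24
12:00:02.000000 52:54:00:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 52:54:00:aa:bb:cc, length 300
12:00:02.500000 00:25:90:11:22:33 > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: fe80::225:90ff:fe11:2233 > ff02::2: ICMP6, router solicitation, length 16
"""

# One tcpdump -e line: timestamp, src > dst, ethertype NAME (0x....), length N: payload
FRAME_RE = re.compile(
    r"^\S+\s+(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<ethertype>\S+) \(0x[0-9a-f]+\), length \d+: (?P<payload>.*)$"
)

def parse_frames(capture):
    """Yield (src_mac, ethertype, payload) for each frame line; skip anything else."""
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m:  # tcpdump banners and continuation lines do not match
            yield m.group("src"), m.group("ethertype"), m.group("payload")

def summarize(ethertype, payload):
    """Reduce the payload text to a short protocol label for reporting."""
    if ethertype == "IPv6":
        m = re.search(r"ICMP6, ([^,]+)", payload)
        return "ICMP6 " + m.group(1) if m else "IPv6 other"
    if ethertype == "IPv4":
        return "DHCP" if "BOOTP/DHCP" in payload else "IPv4 other"
    return ethertype  # ARP and anything else

def foreign_sources(capture, allowed_mac):
    """Count frames per (source MAC, label) whose source is not allowed_mac.
    Every MAC in the result reached the modem and could have been seen first."""
    counts = Counter()
    for src, ethertype, payload in parse_frames(capture):
        if src.lower() != allowed_mac.lower():
            counts[(src, summarize(ethertype, payload))] += 1
    return counts

if __name__ == "__main__":
    report = foreign_sources(SAMPLE_CAPTURE, "52:54:00:aa:bb:cc")
    for (mac, what), n in sorted(report.items()):
        print(f"{mac}  {n:3d}  {what}")
```

If the offenders turn out to be the bridge's own IPv6 link-local traffic (MLD reports, neighbor and router solicitations, as in the sample), `sysctl -w net.ipv6.conf.vmbr10.disable_ipv6=1` is the per-interface way to silence it without touching the containers.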
 
First - thank you for your reply!
Hello Josh,
First an understanding question:
It seems you have no DHCP client active except eth1 in the firewall container!? ARE YOU SURE?

Pretty sure. At least that is how I want it to be. Plus, if I tail the syslog on the host, I do not see any DHCP REQ or ACK traffic. Not sure how else to check.

If so probably your cable modem scans all existing ports (resp. waits for the first occurring mac address on the line) and makes by itself an IP assignment without (DHCP-)request.
In that case you should avoid sending any MAC address to the cable modem except the container's eth1's.

You got it, this is exactly what I think is occurring. I think somehow some traffic, maybe arp broadcast or something is showing up from the host VMBR MAC and that is what the modem sees.

What I would do in such a case:
- trace the start-up traffic in order to detect how the cable modem figures out the (unwanted) MAC address
- prevent sending the messages with source MAC others than container's eth1 (or ensure that it is always the first one) by disabling the respective function/protocol.
- depending on trace results, maybe IPv6 messages. Look e.g. here http://namhuy.net/1419/disable-ipv6-ubuntu-linux-mint.html how to disable IPv6 (I succeeded only with the GRUB method; if IPv6 is needed it can be reactivated after boot)
Success!
Mr.Holmes
Will try wireshark on the line this afternoon - thanks for the tip!
 
