Tcpdump inside kvm reveals other client kvms traffic.

Sakis

Aug 14, 2013
Hello,

This is my network configuration.
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address x.x.x.x
        netmask x.x.x.x
        network x.x.x.x
        broadcast x.x.x.x
        gateway x.x.x.x

auto eth1
iface eth1 inet static
        address 0.0.0.0
        netmask 0.0.0.0

auto vmbr1
iface vmbr1 inet manual
        bridge_ports dummy0
        bridge_stp off
        bridge_fd 0
        post-up /etc/pve/kvm-networking.sh

auto vmbr0
iface vmbr0 inet static
        address 0.0.0.0
        netmask 0.0.0.0
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

auto vmbr0:1
iface vmbr0:1 inet static
        address 192.168.1.4
        netmask 255.255.255.0
        broadcast 192.168.1.255
        network 192.168.1.0

If I tcpdump eth0 inside a KVM client, I get too much information from the vmbr0 interface.
Even HTTP, NFS, SSH traffic from other clients on the same host.
Is this normal?
Can I isolate the traffic somehow?
 
A new VLAN tag for each KVM client?
This is too much, I think. We create, destroy, and migrate several KVMs every day. It will be too complicated to achieve this.
And also I can't use VLAN tags in my datacenter. I have only one VLAN that my eth1 listens on, and in this VLAN all my public IPs are routed.

I also found out that I can't use typical iptables rules on tap interfaces to somehow isolate the traffic to only certain IPs.

Would the new Proxmox update with the firewall help in a situation like this?
 
Without VLANs you cannot do this, since all VMs on the same network share the same broadcast domain. This was the sole purpose of VLANs: to isolate broadcast domains on the same network by adding a tag to the Ethernet frame.
 
I didn't investigate this any further till now, but I noticed that even using VLANs won't isolate all traffic, or to be more precise, at least not on my setup (which is maybe faulty). I got some DHCP requests from the default VLAN into a specific VLAN, which I didn't expect. I'm not sure why this happens, but maybe this could even be a misconfigured switch or some bridge magic at the Proxmox host. But you should double-check that no sensitive traffic leaves your subnet even with a VLAN setup.

PS: Just to make sure, I don't want to blame Proxmox, the kernel, my switch setup or anything else so far, since I didn't have time so far to look at why this happens. I just want to remark that even a VLAN setup which seems to work is maybe not what you expect.
 
Sorry for bringing up an old thread.

Just wondering if you managed to solve this?

I've noticed ARP requests being shown inside a KVM container when listening on eth0.
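As an added example (not code from any poster in this thread), here is a small Python audit that sorts frames captured on an interface into what a bridge should legitimately deliver to that port (frames to the port's own MAC, plus broadcast and multicast such as the ARP requests mentioned above), unicast addressed to some other station (the SSH/HTTP/NFS traffic the first post sees, which means the bridge is flooding it to this port), and frames tagged with a VLAN other than the expected one (the kind of leak the VLAN reply describes). The MACs, the VLAN ID and the frames are constructed for the example. The tag check is only meaningful where tags are still present in the capture, e.g. on the host's uplink or a trunk port, because a bridge strips the tag before handing a frame to a guest's tap.

```python
"""Audit raw Ethernet frames captured on one port of a Linux bridge.

Constructed example: MACs are locally administered addresses, the VLAN ID
and payloads are made up, and the sample capture is built inline.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST = bytes.fromhex("ffffffffffff")


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # None when the frame is untagged
    ethertype: int


def parse_frame(raw: bytes) -> Frame:
    """Parse the 14-byte Ethernet header plus an optional 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    ethertype = int.from_bytes(raw[12:14], "big")
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = int.from_bytes(raw[14:16], "big")
        vlan = tci & 0x0FFF                  # low 12 bits of the TCI are the VLAN ID
        ethertype = int.from_bytes(raw[16:18], "big")
    return Frame(dst, src, vlan, ethertype)


def classify(frame: Frame, my_mac: bytes, my_vlan: Optional[int]) -> str:
    """Decide whether a bridge should have delivered this frame to my_mac's port.

    'expected'        addressed to us, or broadcast/multicast (ARP, DHCP, ...)
    'foreign-unicast' unicast for another station: the bridge is flooding it here
    'wrong-vlan'      tagged with a VLAN other than the one this port belongs to
    """
    if frame.vlan != my_vlan:
        return "wrong-vlan"
    if frame.dst == my_mac:
        return "expected"
    if frame.dst == BROADCAST or frame.dst[0] & 1:   # I/G bit set: group address
        return "expected"
    return "foreign-unicast"


def audit(frames: Iterable[bytes], my_mac: bytes, my_vlan: Optional[int] = None):
    """Count frames per verdict and list the (verdict, src, dst) triples that should not be here."""
    counts = {"expected": 0, "foreign-unicast": 0, "wrong-vlan": 0}
    offenders = []
    for raw in frames:
        frame = parse_frame(raw)
        verdict = classify(frame, my_mac, my_vlan)
        counts[verdict] += 1
        if verdict != "expected":
            offenders.append((verdict, frame.src.hex(":"), frame.dst.hex(":")))
    return counts, offenders


# --- constructed sample capture -------------------------------------------
def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    """Assemble a raw frame, inserting an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += ETHERTYPE_VLAN.to_bytes(2, "big") + (vlan & 0x0FFF).to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big") + payload


MY_MAC = bytes.fromhex("020000000001")      # the guest running tcpdump (made up)
OTHER_VM = bytes.fromhex("020000000002")    # another guest on the same bridge (made up)
GATEWAY = bytes.fromhex("0200000000fe")     # upstream router behind the uplink (made up)

SAMPLE_FRAMES = [
    build_frame(BROADCAST, OTHER_VM, ETHERTYPE_ARP, b"\x00\x01\x08\x00"),    # ARP who-has: normal
    build_frame(MY_MAC, GATEWAY, ETHERTYPE_IPV4, b"\x45\x00"),              # traffic for us: normal
    build_frame(OTHER_VM, GATEWAY, ETHERTYPE_IPV4, b"\x45\x00"),            # another guest's traffic: flooded
    build_frame(BROADCAST, OTHER_VM, ETHERTYPE_IPV4, b"\x45\x00", vlan=1),  # broadcast tagged from another VLAN
]


def run_audit():
    """Audit the constructed capture from the point of view of MY_MAC on an untagged port."""
    return audit(SAMPLE_FRAMES, MY_MAC, my_vlan=None)


if __name__ == "__main__":
    counts, offenders = run_audit()
    print(counts)
    for verdict, src, dst in offenders:
        print(f"{verdict:16} {src} -> {dst}")
```

To use it on a real capture, feed `audit()` the raw bytes of each packet from a pcap reader along with the MAC of the interface the capture was taken on. A non-zero `foreign-unicast` count is exactly the symptom in the first post: the bridge is flooding unicast frames for other guests out of this port, and tcpdump's promiscuous mode lets the guest see them. A non-zero `wrong-vlan` count on a trunk-side capture is the kind of cross-VLAN leak the second reply warns about.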
 
