[SOLVED] Firewall failover shuts down the fibre box

j.hedin

Mar 15, 2024
Hi

I have a very strange problem. I have a 3 node Proxmox cluster at home. The network is a ring of 10GB. Two of the nodes are connected to the local LAN. All this is handled by RSTP and it works well (openvswitch and Unifi play along nicely). For the internet connection, all three nodes are connected to the fibre box via an unmanaged TP-link switch. Internally in the Proxmox there is an additional openvswitch bridge that filters away any RSTP. To complicate things a bit further, there is a Debian traffic shaper in front of the firewall since the OpenBSD QoS is not as good as the Linux one.

Code:
 3 x Proxmox
+--------------------------------------------------+
| +---------+              +--------+              |               +---------+   +-----------+
| | OpenBSD |--> vmbr0 --> | Debian | --> vmbr1 ---+--- Ethernet --+ TP-link +---+ Fibre Box |
| +---------+              +--------+              |               +---------+   +-----------+
+--------------------------------------------------+

This means that the Debian machine will answer on the OpenBSD MAC on vmbr1.

Now for the problem. If I do a live migration, or even if I do a stop/migrate/start of the Debian load balancer, the WAN LED on the fibre box sometimes goes blank. The only way to recover is to restart the fibre box. How can the fibre box even know that the MAC of the FW has moved between two ports on the dumb switch?
 
Update: I can migrate the FW on OpenBSD without any problems. The VLAN used on vmbr0 is trunked via the 10GB ring.
 
Update: I think I found the reason. On live migration, someone sends a RARP with the MAC of the Debian QoS bridge interface.

Code:
22:07:13.026437 ARP, Reverse Request who-is d2:fb:6f:af:67:88 tell d2:fb:6f:af:67:88, length 46

This makes the fibre box think that there are 2 MACs on the fibre box and it blocks the port. Just need to find out how to prevent live migration from sending RARP for this machine.
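
One way to confirm from a capture which MACs announce themselves via RARP on the WAN-side bridge, as an added example that is not part of the original post: it parses tcpdump lines in the format quoted above and lists senders that are not expected on that segment. The function names, the placeholder firewall MAC and every sample line except the first are assumptions constructed for illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# tcpdump one-line rendering of a RARP request, as in the capture quoted above.
RARP_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s.*?Reverse Request "
    rf"who-is (?P<target>{MAC}) tell (?P<sender>{MAC})",
    re.IGNORECASE,
)


def rarp_senders(lines):
    """Map each MAC that sent a RARP request to the timestamps it was seen at."""
    seen = {}
    for line in lines:
        m = RARP_RE.search(line.strip())
        if m:
            # Normalise case so the same MAC is not counted twice.
            seen.setdefault(m["sender"].lower(), []).append(m["ts"])
    return seen


def unexpected_macs(seen, expected):
    """MACs announced via RARP that are not in the set expected on this segment."""
    expected = {mac.lower() for mac in expected}
    return sorted(mac for mac in seen if mac not in expected)


# First line is the capture quoted in the post; the rest are constructed samples.
SAMPLE = """\
22:07:13.026437 ARP, Reverse Request who-is d2:fb:6f:af:67:88 tell d2:fb:6f:af:67:88, length 46
22:07:13.176512 ARP, Reverse Request who-is D2:FB:6F:AF:67:88 tell D2:FB:6F:AF:67:88, length 46
22:07:13.301118 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 46
22:07:14.000731 ARP, Reverse Request who-is 02:00:00:00:00:01 tell 02:00:00:00:00:01, length 46
""".splitlines()

# Assumption: 02:00:00:00:00:01 stands in for the firewall MAC the fibre box should see.
EXPECTED_ON_WAN = {"02:00:00:00:00:01"}

if __name__ == "__main__":
    seen = rarp_senders(SAMPLE)
    for mac in unexpected_macs(seen, EXPECTED_ON_WAN):
        print(f"unexpected RARP sender {mac}: "
              f"{len(seen[mac])} frame(s), first at {seen[mac][0]}")
```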
 