How to configure a trunked port for a kvm?

[valshare]

Hello,

i have a big problem with our configuration. I hope the community can help me.

We have 45 AccessPoints installed in our hospital for our patient. The goal is to route the devices from the patient direct to the internet. On the network are no critical datas ;-) This year, there is no money for new switches that supports isolate ports. We have had the idea to configure for each AP a vlan. Thats not the best solution but better then nothing. On the Proxmox we have installed kvm with a dhcp server for the clients. The 45 VLANs we have bridged on vmbr1000

auto bond0
iface bond0 inet manual
    slaves eth0 eth1 eth2 eth3
    bond_miimon 100
    bond_mode 802.3ad

auto vmbr1000
iface vmbr1000 inet manual
    bridge_ports bond0.1000 bond0.111 bond0.112 bond0.113 bond0.114 bond0.115 bond0.116 bond0.121 bond0.122 bond0.123 bond0.124 bond0.125 bond0.126 bond0.131 bond0.132 bond0.133 bond0.134 bond0.135 bond0.136 bond0.141 bond0.142 bond0.143 bond0.144 bond0.145 bond0.146 bond0.151 bond0.152 bond0.153 bond0.154 bond0.155 bond0.156 bond0.161 bond0.162 bond0.163 bond0.164 bond0.165 bond0.166 bond0.171 bond0.172 bond0.173 bond0.174 bond0.175 bond0.176
    bridge_stp off
    bridge_fd 0

Now we have the problem, that each client reach the other that we didn´t want. The switches are not the problem, that we have checked. If we shutdown vmbr1000 on the proxmox the communication between the clients stops. So now i think the vmbr1000 ist not right configured. I have 2 days searched the internet, how to configure the kvm to trunk the vlans directly to the dhcp server without the clients can communicate together. I didn´t can assign 45 network devices to the VM. How can i do a trunk port that all vlans routet to the dhcp server?

I know that i configure a FW on the dhcp to stop communicate between the clients there.

Regards, Valle




All APs hat the option to isolate Members. On the tests, i see that a Member

 

[dietmar]

I guess you need to use a separate bridge for each vlan.

 

[valshare]

Hi Dietmar,

thanx for answer. But i cant assign more than 20(?) bridges to a kvm, or?
There are no other way? I tried it with iptable rules .. but till now, i have no success.

I have tried it and there comes a pci error.

Regards, Valle.

 

[pitt]

Now we have the problem, that each client reach the other that we didn´t want.

Of course you have. The bridge is like a switch and by default all traffic is switched.
But you can use iptables and ebtables (like iptables but for the MAC layer) to control which traffic is allowed.

 

[valshare]

Hi pitt,

thanx for answer. Today i have solved the problem with iptables.

have created the follow rule for each interface:

-A interface-check -m physdev -j DROP --physdev-in bond0.111 ! --physdev-out tap200i1000d0

Till now it look good. Deeper tests i can make monday. Or do you have a better rule for iptables?

 

[pitt]

-A interface-check -m physdev -j DROP --physdev-in bond0.111 ! --physdev-out tap200i1000d0

Till now it look good. Deeper tests i can make monday. Or do you have a better rule for iptables?

Hard to say. There is more than one way to achieve this goal.
I would try something like:

-A FORWARD -i vmbr1000 -j interface-check
-A FORWARD -o vmbr1000 -j interface-check
-A interface-check -m physdev --physdev-out tap200i1000d0 -j ACCEPT
-A interface-check -m physdev --physdev-in tap200i1000d0 -j ACCEPT
-A interface-check -j DROP

(I didn't test anything up there...)

This way you shouldn't need a rule for every VLAN. If vmbr1000 is your main network connection keep in mind to allow all other needed traffic too. (But it would be much better to make an own bridge for the "AP-Isolation".)
Also keep in mind that iptables only affects IP. All other ethernet protocols still work. (You can use ebtables to allow only IP based traffic, but at least some ARP traffic is necessary too.)

 

[valshare]

This way you shouldn't need a rule for every VLAN. If vmbr1000 is your main network connection keep in mind to allow all other needed traffic too. (But it would be much better to make an own bridge for the "AP-Isolation".)
Also keep in mind that iptables only affects IP. All other ethernet protocols still work. (You can use ebtables to allow only IP based traffic, but at least some ARP traffic is necessary too.)

Hi Pitt,

i have now tried with iptables. I have one bridge only for the AP traffic. All traffic between the host are successful blocked. But i have the problem, that the hosts and the mac are visible for each other. ebtables filter layer 2 traffic. Do you have an example for me, how block the traffic on the vbmr1000 with ebtables?

Regards and thanx,

Valle

 

[pitt]

Do you have an example for me, how block the traffic on the vbmr1000 with ebtables?

ebtables --append FORWARD --proto ARP --logical-in vmbr1000 --out-if tap200i1000d0 -j ACCEPT
ebtables --append FORWARD --proto ARP --in-if tap200i1000d0 --logical-out vmbr1000 -j ACCEPT
ebtables --append FORWARD --proto IPv4 --logical-in vmbr1000 --out-if tap200i1000d0 -j ACCEPT
ebtables --append FORWARD --proto IPv4 --in-if tap200i1000d0 --logical-out vmbr1000 -j ACCEPT
ebtables --append FORWARD --logical-in vmbr1000 --logical-out vmbr1000 -j DROP

Could work. And as always, untested.
Keep in mind that ebtables is not stateful.

 

[valshare]

Hi Pitt,

thanx for the example. Yesterday i have created a rule

ebtables -A FORWARD -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 -j ACCEPT

and for each interface:
ebtables -A FORWARD --in-if bond0.111 ! --out-if tap200i1000d0 -j DROP

Look like, that this works. I have deletet the the iptables rules. Now i see no other user from a other access point.

What do you think? Any hints?

Regards and thanx,

valle