SDN, IPAM & DHCP

boomam

Hi,
Is anyone able to help me wrap my head around this -
  • I have SDN configured with some zones that have my phpIPAM system configured for their IPAM layer.
  • One zone is 'simple', the other is 'vxlan'.
  • Both zones have both subnets added to their vnets that match the ranges in phpIPAM, and have DHCP ranges set too.
  • In phpIPAM, both ranges for both zones/subnets are set to allow IP requests.
As a test, I have created an LXC with a vNIC on each zone.

Here is the issue - Neither in static mode, where I am giving the vNICs IPs in the relevant CIDR block, nor in DHCP mode, are IPs captured or obtained in either phpIPAM, the IPAM management screen in PVE, the LXC's vNIC properties, etc.
Meaning that in dynamic nothing is coming from phpIPAM, and in static, nothing is getting pushed to it.

As another test, I followed these steps here - https://pve.proxmox.com/wiki/Setup_Simple_Zone_With_SNAT_and_DHCP
and created a third test zone, exclusively 'pve' for IPAM...still nothing.

Some reading around shows that this functionality as of 6-12 months ago was a little underbaked, with discrepancies & omissions in the docs reflecting that, but with the last few releases pushing SDN more and more, I would have thought it was operational somewhat by now in this regard.

Am I missing something here? Or is it just missing functionality at this time, to be added to a later release?

Thanks in advance!
 
Interestingly, if I waited a little longer, the two test zones do different things -

"Test" -
Type=Simple, IPAM=phpIPAM
I can see the test LXC in phpIPAM, but nothing in Datacenter->SDN->IPAM.

"Test 2" -
Type=Simple, IPAM=pve
I see information in Datacenter->SDN->IPAM.

However, in neither test do the vNICs themselves get an IP allocated that the LXC can use, or that Proxmox sees in the GUI.

So clearly communication to/from the IPAM services *is* working in some manner.
 
I can see the test LXC in phpIPAM, but nothing in Datacenter->SDN->IPAM,
Yes, that is to be expected, the IPAM tab in Datacenter is what you pick when you choose `pve` as the IPAM option, otherwise the external plugin is used.

What's the exact sdn config?

Code:
cat /etc/pve/sdn/zones.cfg
cat /etc/pve/sdn/vnets.cfg
cat /etc/pve/sdn/subnets.cfg

It seems like there are issues with DHCP itself. Is dnsmasq up and running properly?

Code:
systemctl status 'dnsmasq@*'
head -n-0 /etc/dnsmasq.d/**/*
cat /etc/pve/sdn/pve-ipam-state.json

Inside a new test container with a NIC on a simple zone with DHCP enabled, what is the output of:
Code:
dhclient -r
dhclient -v
 
Morning,
To confirm, as there *is* conflicting information on the docs, wiki and forum - would you expect this to work with zone types that are not 'simple', and for those expected to communicate with whatever IPAM system, for IPs to allocate against a given vNIC?
As if the answer to either of those is 'not currently' then this is probably pointless to diagnose further.

As configs -

Zones.cfg
Bash:
vxlan: proxy0
        ipam phpIPAM
        peers 192.168.200.21

simple: test
        dhcp dnsmasq
        ipam phpIPAM

simple: test2
        dhcp dnsmasq
        ipam pve

vnets.cfg
Bash:
vnet: proxy0
        zone proxy0
        alias proxy0
        tag 1001

vnet: test
        zone test

vnet: test2
        zone test2

Subnets.cfg
Bash:
subnet: proxy0-10.10.10.0-24
        vnet proxy0
        dhcp-range start-address=10.10.10.51,end-address=10.10.10.199

subnet: test-10.10.11.0-24
        vnet test
        dhcp-range start-address=10.10.11.10,end-address=10.10.11.20

subnet: test2-10.10.12.0-24
        vnet test2
        dhcp-range start-address=10.10.12.10,end-address=10.10.12.20
        gateway 10.10.12.1
        snat 1

"dhclient -r"
No output

"dhclient -v"
Hangs until I Ctrl+C
A following 'ip addr show' shows no IP allocated however
 
To confirm, as there *is* conflicting information on the docs, wiki and forum - would you expect this to work with zone types that are not 'simple'
I missed that part, sorry - it currently only works for the simple zone.
 
I missed that part, sorry - it currently only works for the simple zone.
OK, then for the latter - should a 'simple' zone also be allocating the IPs at vNIC level? Or is it just tracking availability in the IPAM screen/external system?
 
OK, then for the latter - should a 'simple' zone also be allocating the IPs at vNIC level? Or is it just tracking availability in the IPAM screen/external system?
It allocates IPs per NIC and should also distribute them via DHCP - if the zone is configured to do so.
 
It allocates IPs per NIC and should also distribute them via DHCP - if the zone is configured to do so.
OK, then the issue I'm seeing persists in regards to IP allocations on a simple zone.

To be fair, once I've removed the test zones it won't be an issue, I can just wait for the expansion of the support into other zone types, but if it's something we want to diagnose, happy to assist.
 
Can you please post the configuration of the respective container?

Code:
pct config <CTID>

Additionally the output of the following commands:

Code:
systemctl status 'dnsmasq@*'
head -n-0 /etc/dnsmasq.d/**/*
cat /etc/pve/sdn/pve-ipam-state.json
cat /etc/pve/sdn/mac-cache.json

Do you have the firewall enabled?
 
pct config -
Code:
arch: amd64
cores: 1
features: nesting=1
hostname: test-01
memory: 512
net0: name=proxy0,bridge=test2,hwaddr=BC:24:11:7E:6F:9F,ip=dhcp,type=veth
net1: name=net1,bridge=test,hwaddr=BC:24:11:75:CC:8B,ip=dhcp,type=veth
ostype: ubuntu
rootfs: smb:200/vm-200-disk-0.raw,mountoptions=noatime,size=5G
swap: 512
unprivileged: 1

systemctl status 'dnsmasq@*'
Code:
● dnsmasq@test.service - dnsmasq (test) - A lightweight DHCP and caching DNS server
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq@.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/dnsmasq@.service.d
             └─00-dnsmasq-after-networking.conf
     Active: active (running) since Mon 2026-05-25 21:26:11 EDT; 1 day 15h ago
 Invocation: b134516364ac4ecea9ee144affce6171
       Docs: man:dnsmasq(8)
   Main PID: 3642404 (dnsmasq)
      Tasks: 1 (limit: 16812)
     Memory: 1.1M (peak: 2.5M)
        CPU: 44ms
     CGroup: /system.slice/system-dnsmasq.slice/dnsmasq@test.service
             └─3642404 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.test.pid -u dnsmasq -7 "/etc/dnsmasq.d/test,*.conf" --conf-file=/dev/null --enable-dbus=uk.org.thekelleys.dnsmasq.test --local-serv>

May 25 21:26:11 prox-01a dnsmasq[3642404]: DBus support enabled: connected to system bus
May 25 21:26:11 prox-01a dnsmasq-dhcp[3642404]: DHCP, static leases only on 10.10.11.0, lease time infinite
May 25 21:26:11 prox-01a dnsmasq-dhcp[3642404]: IPv6 router advertisement enabled
May 25 21:26:11 prox-01a dnsmasq-dhcp[3642404]: DHCP, sockets bound exclusively to interface test
May 25 21:26:11 prox-01a dnsmasq[3642404]: reading /etc/resolv.conf
May 25 21:26:11 prox-01a dnsmasq[3642404]: using nameserver 192.168.1.1#53
May 25 21:26:11 prox-01a dnsmasq[3642404]: using nameserver 192.168.1.2#53
May 25 21:26:11 prox-01a dnsmasq[3642404]: cleared cache
May 25 21:26:11 prox-01a dnsmasq-dhcp[3642404]: read /etc/dnsmasq.d/test/ethers
May 25 21:26:11 prox-01a systemd[1]: Started dnsmasq@test.service - dnsmasq (test) - A lightweight DHCP and caching DNS server.

● dnsmasq@test2.service - dnsmasq (test2) - A lightweight DHCP and caching DNS server
     Loaded: loaded (/usr/lib/systemd/system/dnsmasq@.service; enabled; preset: enabled)
    Drop-In: /usr/lib/systemd/system/dnsmasq@.service.d
             └─00-dnsmasq-after-networking.conf
     Active: active (running) since Mon 2026-05-25 21:26:12 EDT; 1 day 15h ago
 Invocation: 9f1c48d99ec345bfa2235c5512bce756
       Docs: man:dnsmasq(8)
    Process: 3642459 ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig test2 (code=exited, status=0/SUCCESS)
    Process: 3642464 ExecStart=/usr/share/dnsmasq/systemd-helper exec test2 (code=exited, status=0/SUCCESS)
    Process: 3642471 ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf test2 (code=exited, status=0/SUCCESS)
   Main PID: 3642470 (dnsmasq)
      Tasks: 1 (limit: 16812)
     Memory: 664K (peak: 2.7M, swap: 56K, swap peak: 56K)
        CPU: 47ms
     CGroup: /system.slice/system-dnsmasq.slice/dnsmasq@test2.service
             └─3642470 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.test2.pid -u dnsmasq -7 "/etc/dnsmasq.d/test2,*.conf" --conf-file=/dev/null --enable-dbus=uk.org.thekelleys.dnsmasq.test2 --local-s>

May 25 21:26:12 prox-01a dnsmasq[3642470]: DBus support enabled: connected to system bus
May 25 21:26:12 prox-01a dnsmasq-dhcp[3642470]: DHCP, static leases only on 10.10.12.0, lease time infinite
May 25 21:26:12 prox-01a dnsmasq-dhcp[3642470]: IPv6 router advertisement enabled
May 25 21:26:12 prox-01a dnsmasq-dhcp[3642470]: DHCP, sockets bound exclusively to interface test2
May 25 21:26:12 prox-01a dnsmasq[3642470]: reading /etc/resolv.conf
May 25 21:26:12 prox-01a dnsmasq[3642470]: using nameserver 192.168.1.1#53
May 25 21:26:12 prox-01a dnsmasq[3642470]: using nameserver 192.168.1.2#53
May 25 21:26:12 prox-01a dnsmasq[3642470]: cleared cache
May 25 21:26:12 prox-01a dnsmasq-dhcp[3642470]: read /etc/dnsmasq.d/test2/ethers
May 25 21:26:12 prox-01a systemd[1]: Started dnsmasq@test2.service - dnsmasq (test2) - A lightweight DHCP and caching DNS server.

head -n-0 /etc/dnsmasq.d/**/*
Code:
<standard/stock config>
...
==> /etc/dnsmasq.d/test2/10-test2.conf <==
dhcp-range=set:test2-10.10.12.0-24,10.10.12.0,static,255.255.255.0,infinite
dhcp-option=tag:test2-10.10.12.0-24,option:router,10.10.12.1
interface=test2

==> /etc/dnsmasq.d/test2/ethers <==
BC:24:11:7E:6F:9F,10.10.12.10

==> /etc/dnsmasq.d/test/ethers <==
BC:24:11:75:CC:8B,10.10.11.1

cat /etc/pve/sdn/pve-ipam-state.json
Code:
{"zones":{"test2":{"subnets":{"10.10.12.0/24":{"ips":{"10.10.12.1":{"gateway":1},"10.10.12.10":{"mac":"BC:24:11:7E:6F:9F","vmid":"200","hostname":"test-01"}}}}},"proxy0":{"subnets":{}}}}

cat /etc/pve/sdn/mac-cache.json
Code:
{"macs":{"BC:24:11:75:CC:8B":{"ip4":"10.10.11.1"},"BC:24:11:7E:6F:9F":{"ip4":"10.10.12.10","ip6":null}}}

Firewall on vNICs? No. Off on both.
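
Added example, not part of any post in this thread and not Proxmox code: a small consistency check over the files posted above, comparing each static lease in the dnsmasq `ethers` files against the `dhcp-range` in subnets.cfg and against mac-cache.json. The sample data is copied from the thread's outputs; the function names are hypothetical, and it assumes the dnsmasq directory name equals the vnet name, as it does for `test` and `test2` here.

```python
import ipaddress
import json
import re

# Sample data copied from the outputs posted in this thread.
# Assumption: the /etc/dnsmasq.d/<name>/ directory name equals the vnet name.
SUBNETS_CFG = """\
subnet: test-10.10.11.0-24
        vnet test
        dhcp-range start-address=10.10.11.10,end-address=10.10.11.20

subnet: test2-10.10.12.0-24
        vnet test2
        dhcp-range start-address=10.10.12.10,end-address=10.10.12.20
"""
ETHERS = {"test": "BC:24:11:75:CC:8B,10.10.11.1",
          "test2": "BC:24:11:7E:6F:9F,10.10.12.10"}
MAC_CACHE = '{"macs":{"BC:24:11:75:CC:8B":{"ip4":"10.10.11.1"},"BC:24:11:7E:6F:9F":{"ip4":"10.10.12.10","ip6":null}}}'


def parse_ranges(cfg):
    """Map vnet name -> list of (start, end) DHCP ranges from subnets.cfg text."""
    ranges, vnet = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("vnet "):
            vnet = line.split()[1]
        m = re.match(r"dhcp-range start-address=(\S+),end-address=(\S+)", line)
        if m and vnet:
            pair = tuple(ipaddress.ip_address(a) for a in m.groups())
            ranges.setdefault(vnet, []).append(pair)
    return ranges


def check_leases(cfg, ethers, mac_cache_json):
    """Return (vnet, mac, ip, reason) for leases that disagree with the config."""
    ranges = parse_ranges(cfg)
    cache = json.loads(mac_cache_json)["macs"]
    findings = []
    for vnet, text in ethers.items():
        for entry in text.split():
            mac, ip = entry.split(",")
            addr = ipaddress.ip_address(ip)
            if not any(lo <= addr <= hi for lo, hi in ranges.get(vnet, [])):
                findings.append((vnet, mac, ip, "outside dhcp-range"))
            if cache.get(mac, {}).get("ip4") != ip:
                findings.append((vnet, mac, ip, "differs from mac-cache.json"))
    return findings
```

On the thread's data, `check_leases(SUBNETS_CFG, ETHERS, MAC_CACHE)` returns one finding: the `test` lease 10.10.11.1 lies outside the configured range 10.10.11.10 to 10.10.11.20, while the `test2` lease is inside its range and matches the MAC cache.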