Setting up VM with two NICs, to act as bridge?

V

victorhooi

Active Member
Apr 3, 2018
250
20
38
37
I'm looking at installing Ntopng Edge in inline mode on Proxmox 5.2

My server has one Mellanox ConnectX-3 card, and four on-board NICs.

I was thinking of using the Mellanox card for the management interface, and then setting up a VM with two of the NICs, to act in pass-through (or inline) mode.

Is there a way to dedicate those two NICs to that VM, and have it operate in this way?
 
victorhooi said:
I was thinking of using the Mellanox card for the management interface, and then setting up a VM with two of the NICs, to act in pass-through (or inline) mode.
Click to expand...

For passthrough see https://pve.proxmox.com/wiki/Pci_passthrough

Note that passthrough is experimental - may work but no guarantee.

victorhooi said:
Is there a way to dedicate those two NICs to that VM, and have it operate in this way?
Click to expand...


You can assign the NICs to a bridge (for each of them a different bridge, don't need an IP address in the host) and then assign the VM's NICs to those bridges.
 
  • Like
Reactions: DerDanilo
I'm sorry, but I'm still finding this really confusing =(.

If we use PCI passthrough fo the NICs - do we still need to assign them to a bridgein Proxmox?

Or are they essentially "invisible" to Proxmox?

There are two separate ways we were thinking of setting this up:

First, for other physical hosts plugged into a switch, the idea is to run Proxmox with ntopng Edge in a VM, and have all network traffic pass through that:

Code: 
Physical hosts -> Network Switch -> ntopng Edge (running under Proxmox) -> Router (WAN)

(Not sure how to get VMs on Proxmox to also go through this - although they would be using separate NICs on the Proxmox host)

Secondly, for other VMs on the same Proxmox host - is there a way to have their traffic pass through the ntopng Edge VM, before passing out to WAN?
 
victorhooi said:
If we use PCI passthrough fo the NICs - do we still need to assign them to a bridgein Proxmox?
Click to expand...

No


victorhooi said:
Or are they essentially "invisible" to Proxmox?
Click to expand...

Yes


victorhooi said:
Secondly, for other VMs on the same Proxmox host - is there a way to have their traffic pass through the ntopng Edge VM, before passing out to WAN?
Click to expand...


Yes - assuming you use bridges (and not passthrough) e.g.:

* one bridge (vmbr0) connected to WAN (Router)

* one bridge (vmbr1) connected to VMs with applications

* Edge VM ist connected to both vmbr0 and vmbr1

Packet from a VM to WAN will be transported as follows:

VM-virtual_NIC -> vmbr1 -> virtual_NIC-EdgeVM-virtual_NIC -> vmbr0 -> physical_NIC-WAN-connection
 
I think you also need a bridge inside the vm, if you really want it in transparent (layer2) mode.


Another way could be to install Ntopng Edge directly on the proxmox host, configure it with nfqueue mode,
then configure proxmox firewall ips
(https://pve.proxmox.com/wiki/Firewall, see suricata ips section, it's the same config)
 
@spirit - To clarify, when you ay you need a bridge in VM - this only applies when you're using ntopng Edge inside a VM, to filter for other VMs, right?

As in, you don't need this bridge if you are simply passing through the NIC direct to the VM, right?

The nfqueue and Proxmox firewall sounds interesting - I can't seem to find much on Ntopng Edge and nfqueue mode. Do you have any docs on this?
 
victorhooi said:
@spirit - To clarify, when you ay you need a bridge in VM - this only applies when you're using ntopng Edge inside a VM, to filter for other VMs, right?
Click to expand...
I don't known how Ntopng Edge is working, but it seem that it's doing it from it's gui
https://www.ntop.org/guides/nedge/bridging.html

(so you only need to have both interfaces in the vm, and ntppng do the bridge internaly in the vm)

As in, you don't need this bridge if you are simply passing through the NIC direct to the VM, right?
Click to expand...
no, it's not related. You can passthrough nic directly in the vm if you want.

The nfqueue and Proxmox firewall sounds interesting - I can't seem to find much on Ntopng Edge and nfqueue mode. Do you have any docs on this?
Click to expand...

I only have seen this
https://www.ntop.org/guides/ntopng/cli_options.html

Available interfaces (-i <interface index>):
...
13. nfqueue


So it seem possible to make it listen to a nfqueue , and then send traffic from iptables to this nfqueue.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back