Search results

yea so, corosync doesnt need to be dedicated but it depends on your switches and nic. if they can make sure you always have low latency even if the bond is saturated than yes you dont need to seperate it. i would however stress test this as i have seen switches dont do that exactly or even nic...

probably a ton of impact beause you deactiavte cpu features, but you dont need to keep it that way, you can set it back to host cpu after migration you cant ofc live migrate between different cpus, thats in its inherent nature. but you can offline migrate or your sure your application dont need...

to much depends on how much your clusternetwork traffic does. usually not to much but when you saturate that bond you risk outage of corosync. so if possible prioritize corosync vlan on your switch and or gurantee some bandwidth to it. 1mbit is enough, all we need is latency not bandwidth but...

yea personally i dislike maps a bit. while the idea is great the readability is a bit lacking, at least to me personally. btw these few rules are just a basic barebones example, answering 99% of the questions in that topic. i didnt wanted to destroy the table when there is a reload without a...

Ill post this as fresh because i have a hunch that this question will come up once people start using nftables 2 Things we gonna need -the file with the actual nat rules -a systemd service to load them Proxmox does not use /etc/nftables. The proxmox.firewall service manages that all directly...

thats the issue you cant seperate these things. people not just load that one plain simple docker file they will relentless copy paste github the nastiest composefile they stumble on and nothing will work the things you mention are just a tiny subset what docker does. implementing this is not...

ok i made a thing and iam gonna share it for someone stumling over this [Unit] Description=Load NAT nftables rules after Proxmox firewall After=proxmox-firewall.service Wants=proxmox-firewall.service PartOf=proxmox-firewall.service [Service] Type=oneshot ExecStartPre=/bin/sh -c 'grep -E...

yea and it never will if youw ant that you need portainer on baremetal but you basically loose VM functionality because networking will be destroyed by portainer these 2 thing dont go together, you really need to basically recreate portainer in you vm solution and even then you still have the...

ok seem i was not clear enough docker is not able todo this, docker cant be a replacement of a vm. its an application container and need and expect the infrastructure to give it what it wants and needs you are the wrong layer here. proxmox is the first layer after hardware. it does the...

docker on proxmox is the wrong level to view it at. i understand that user view docker and VMS kinda equivalent but they aint in a logical sense. they are applications. just a bit abstracted but in a logical view its like running your webserver on the proxmox host baremetal. it just looks not...

@m so forget the concepts of vmware, these are mostly vmware specific. proxmox is using barebones linux networking concepts, naming and schemes. while it will work to make subinterfaces of your bridge interface you should do it the other way around. so one or multiple bridges are used only...

i necro this a bit since pve9 is around the corner and well, its time for nftables :) type nat hook prerouting priority dstnat; policy accept; priority dstnat is (or should be) equivalent to -100 which is fine. write it how you like, id prefer the numeric value to not rely on a symbolic name...

probably ip is taken, you assign that ip within the dhcp range. or gateway requires ip by dhcp. certainly a gateway issue

the config i gave you does work, at least for VM, again i cant speak for lcx at all, i dont use lcx container. but does work def for vm ofc network config needs to be changed on the vm for vmbr0

no it is not reread again you confused routed with nat there the nat section even at hetzner (famous for some esoteric shit) it is basicalkly the same as i wrote you they write main interface has the ip, then bridge tget the private subnet, then you nat as it should be. if you need more than...

ok i dunno why i did this but i did here a working config auto lo iface lo inet loopback auto enp41s0 iface enp41s0 inet static address publicIP/26 gateway publicGW post-up iptables -w -t nat -A PREROUTING -i enp41s0 -p udp -m tcp -m multiport -d publicIP --dports 443,80...

no its not proof of a problem the additional command is nessesary to ad prerouting to the fwbr chain, which normaly is not needed there so it isnt in. if you do nat you need it in so presourting can get filtered by fwbr which in turn allows to set rules via the gui you dont need to add it to...

oh hold this is not the proper nat setup youre supposed to give the pubip to your network adapter then make vmbr0 a private network then you can nat to it

if firewall is enabled in the vnic but disabled in the firewall panel means the firewall is OFF, if you still having blocking issues it isnt the firewall at all. and i know what it is as i just made a post about it. when you activate the vnic firewall checkmark, regardless if firewall on or...

cannot speak of lcx container but it does work with the VM firewall if you put prerouting into the fwbr chain (line2)