[SOLVED] apt blocked inside VXLAN

[henfur]

Hi,

I'm trying to setup and few vms and containers inside a VXLAN with a gateway to my local network and to the internet. Everything is working except for package updates (I've tried ubuntu, debian and centos). Every VM and container can communicate with each other inside the VLAN. Each VM and container also has a working internet connection trough the gateway with no apparent DNS issue (I tried to ping or do nslookups on multiple domains and they all worked, even the ubuntu repos).

When running apt update inside one the VMs connected to the VXLAN, I get stuck at 0% [Waiting for headers]

This only happens when the VM is only inside the VXLAN. I tried to clone VMs to put them inside my LAN and the package updates started working.

VXLAN subnet : 172.22.0.0/16
LAN: 192.168.1.0/24


ip a output from one of the VMs concerned :

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b6:d9:ad:48:3d:6c brd ff:ff:ff:ff:ff:ff
    inet 172.22.6.1/16 brd 172.22.255.255 scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::b4d9:adff:fe48:3d6c/64 scope link
       valid_lft forever preferred_lft forever

Netplan configuration of the same VM :

network:
  ethernets:
    ens18:
      addresses:
      - 172.22.6.1/16
      gateway4: 172.22.0.254
      nameservers:
        addresses:
        - 8.8.8.8
        search: []
  version: 2

Content of the /etc/network/interface.d/sdn file :

auto vnet1
iface vnet1
        address 172.22.0.0/16
        bridge_ports vxlan_vnet1
        bridge_stp off
        bridge_fd 0
        mtu 1500

auto vxlan_vnet1
iface vxlan_vnet1
        vxlan-id 10
        mtu 1500

I've already tried changing my gateway's policy to ACCEPT, and turning off the firewalls inside Proxmox but it's still not working.

Any help is appreciated and let me know If I can provide any information that would help to resolve this issue.

Thanks

 

[spirit]

what is your physical interfaces mtu ?

if it's 1500, you should have 50 bytes lower (1450) for vxlan/vnet interfaces and also 1450 inside your guest.


(with apt update, I find it's using https protocol, which is using DF (do not fragment) in tcp stack)

 

[henfur]

I ended up solving the issue by creating a new VXLAN with an identical configuration (apart from from ip/cidr). Switching my machines to this new network worked. I didn't manage to find the exact cause of the problem.

I'm marking the thread as solved, and I'll post more information If I find something that could be useful to others in the same situation.

 

[eset]

Hi,

I'm trying to setup and few vms and containers inside a VXLAN with a gateway to my local network and to the internet. Everything is working except for package updates (I've tried ubuntu, debian and centos). Every VM and container can communicate with each other inside the VLAN. Each VM and container also has a working internet connection trough the gateway with no apparent DNS issue (I tried to ping or do nslookups on multiple domains and they all worked, even the ubuntu repos).

When running apt update inside one the VMs connected to the VXLAN, I get stuck at 0% [Waiting for headers]

This only happens when the VM is only inside the VXLAN. I tried to clone VMs to put them inside my LAN and the package updates started working.

VXLAN subnet : 172.22.0.0/16
LAN: 192.168.1.0/24


ip a output from one of the VMs concerned :

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b6:d9:ad:48:3d:6c brd ff:ff:ff:ff:ff:ff
    inet 172.22.6.1/16 brd 172.22.255.255 scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::b4d9:adff:fe48:3d6c/64 scope link
       valid_lft forever preferred_lft forever

Netplan configuration of the same VM :

network:
  ethernets:
    ens18:
      addresses:
      - 172.22.6.1/16
      gateway4: 172.22.0.254
      nameservers:
        addresses:
        - 8.8.8.8
        search: []
  version: 2

Content of the /etc/network/interface.d/sdn file :

auto vnet1
iface vnet1
        address 172.22.0.0/16
        bridge_ports vxlan_vnet1
        bridge_stp off
        bridge_fd 0
        mtu 1500

auto vxlan_vnet1
iface vxlan_vnet1
        vxlan-id 10
        mtu 1500

I've already tried changing my gateway's policy to ACCEPT, and turning off the firewalls inside Proxmox but it's still not working.

Any help is appreciated and let me know If I can provide any information that would help to resolve this issue.

Thanks

How you manage to route traffic from VM (in VXLAN) to outside network (your local area network) any routing set on router or so on?

 

[jakoberpf]

Hi,

I'm trying to setup and few vms and containers inside a VXLAN with a gateway to my local network and to the internet. Everything is working except for package updates (I've tried ubuntu, debian and centos). Every VM and container can communicate with each other inside the VLAN. Each VM and container also has a working internet connection trough the gateway with no apparent DNS issue (I tried to ping or do nslookups on multiple domains and they all worked, even the ubuntu repos).

When running apt update inside one the VMs connected to the VXLAN, I get stuck at 0% [Waiting for headers]

This only happens when the VM is only inside the VXLAN. I tried to clone VMs to put them inside my LAN and the package updates started working.

VXLAN subnet : 172.22.0.0/16
LAN: 192.168.1.0/24


ip a output from one of the VMs concerned :

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b6:d9:ad:48:3d:6c brd ff:ff:ff:ff:ff:ff
    inet 172.22.6.1/16 brd 172.22.255.255 scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::b4d9:adff:fe48:3d6c/64 scope link
       valid_lft forever preferred_lft forever

Netplan configuration of the same VM :

network:
  ethernets:
    ens18:
      addresses:
      - 172.22.6.1/16
      gateway4: 172.22.0.254
      nameservers:
        addresses:
        - 8.8.8.8
        search: []
  version: 2

Content of the /etc/network/interface.d/sdn file :

auto vnet1
iface vnet1
        address 172.22.0.0/16
        bridge_ports vxlan_vnet1
        bridge_stp off
        bridge_fd 0
        mtu 1500

auto vxlan_vnet1
iface vxlan_vnet1
        vxlan-id 10
        mtu 1500

I've already tried changing my gateway's policy to ACCEPT, and turning off the firewalls inside Proxmox but it's still not working.

Any help is appreciated and let me know If I can provide any information that would help to resolve this issue.

Thanks

Hey,

similar to @eset I would be quite interested how you configured local lan or internet access for your SDN VMs. I have a XVLAN Zone SDN with some VMs which can all ping each other but I don't know what configure the gateway4 to. Do i have to create a subnet with a cidr and gateway?

 

[spirit]

Hey,

similar to @eset I would be quite interested how you configured local lan or internet access for your SDN VMs. I have a XVLAN Zone SDN with some VMs which can all ping each other but I don't know what configure the gateway4 to. Do i have to create a subnet with a cidr and gateway?

if you use a vxlan zone, it's a non routed zone. (so subnet/gateway in sdn configuration won't do nothing).
you need ti implemented your how router yourself (maybe a vm with a nic in vxlan and other nic without vxlan).


only evpn zone allow routed vxlan with anycast gateway. (you need to define subnet/gateway in sdn + exit-nodes to route outisde.

 

[eset]

if you use a vxlan zone, it's a non routed zone. (so subnet/gateway in sdn configuration won't do nothing).
you need ti implemented your how router yourself (maybe a vm with a nic in vxlan and other nic without vxlan).


only evpn zone allow routed vxlan with anycast gateway. (you need to define subnet/gateway in sdn + exit-nodes to route outisde.

Sounds easy but EVPN+BGP controller doesn't sync with Mikrotik router. Unknown Capability it says in BGP Logs on Mikrotik. When I Add on Proxmox BGP controller, because there is such option, that Controller syncs. And I see network created in EVPN on Mikrotik but Can't ping VMs in specific subnets in that VNet related with that Zone.
So that's why it would be great to have a proper tutorial for this.

 

[spirit]

Sounds easy but EVPN+BGP controller doesn't sync with Mikrotik router. Unknown Capability it says in BGP Logs on Mikrotik. When I Add on Proxmox BGP controller, because there is such option, that Controller syncs. And I see network created in EVPN on Mikrotik but Can't ping VMs in specific subnets in that VNet related with that Zone.
So that's why it would be great to have a proper tutorial for this.

do you have the mikrotik documentation somewhere ? I think that evpn suppor is really new, and it's possible that implementation is not completed.

 

[eset]

@spirit I mean the MikroTik documentation is all over the Internet available But you explained in different topic that EVPN can be supported additionally by BGP settings to communicate with MikroTik. Ok I will try that again soon And let you know in the the previous topic where you explained that concept. P.S EVPN isn't supported in RouterOSv6. It is In RouterOSv7

 

[wavewrangler]

I had this issue. It turned out to be my firewalls IPS.

Name:

ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management

SID: 2013504
I don't know why they this was even enabled.
It would work fine on some other VMs because the IP was different, but it nabbed those pretty quick too.
Don't know if that's your issue, but an over-provisioned IPS can be a PITA. I use IPFire, by the way, which uses Suricata.
It's strange because APT worked for a long time, maybe an update enabled it.