Can you help a rookie setting an ambitius goal with an openWRT CT?

[bright_plastik]

Hello fellow members. My sincere regards.
I disturb you because I didn't really find valuable resources, and I'm failing to understand how to configure my 6 NICs to suit my needs.

Specs:
Intel 3865U (active VT-D and AES-NI)
4Gb DDR3 1600MhZ (single slot)
6x I210 Intel NICs
512GB 2.5" sata SSD
One of the NICs is dedicated to proxmox for access through a linux bridge, as standard procedure.

This humble machine should substitute my Netgear R7800 in the routing of the traffic for 3 apartments, so VLAN tagging would be awesome.
The wireless will be executed from the R7800, in dumbAP, so I'd love to stick with openWRT as routing OS, possibly as a CT.

I alread setup the proxmox install, and a container of 22.03.5 openWRT, and the difference in resouces consumed between a CT and VM is quite high, particularly on such an underpowered machine.

So now the questions:
How can I set it up so that the remaining 5 NICs are assigned to openwrt so that one is the WAN port and the others are LAN?
Will these interfaces talk with other VMs in the future? (like for example if I spin up a Nextcloud, or a NGIX, or a PiHole instance on another VM)
What is needed to make a VLAN tagging so that one or two of these LAN ports will be segregated from my local traffic and only route my neighbours traffic?

I'm sure there is all the needed documentation upon this endeavour, but this is m first experience with proxmox, and I'm feeling a bit out of my comfort zone.

I'd appreciate a lot some knowhow on this matter.

Take care,
Gabriel

P.S: I can surely provide indepths and screenshots, if you need any detail on the configuration.

 

[Dunuin]

I'm sure there is all the needed documentation upon this endeavour, but this is m first experience with proxmox, and I'm feeling a bit out of my comfort zone.

You could for example create multiple vlan-aware linux bridges. One for each NIC or bond. Then create the same amount of virtual NICs for your router VM/LXC and attaching one of them to each bridge. See: https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_vlan

 

[bright_plastik]

You could for example create multiple vlan-aware linux bridges. One for each NIC or bond. Then create the same amount of virtual NICs for your router VM/LXC and attaching one of them to each bridge. See: https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_vlan

I will study that, so thanks...
but meanwhile, I'm confused.
Why the only way I can reach LuCi is by setting
this in proxmox:



and this in the CT:


I'm sure this is at least a very naive and unconscius way of setting things...
I know I have to start from making the least possible layers between host and guests, and I'm already failing at a simple interface setting.

Is the right approach linux bridge (proxmox) ----> br-lan (openwrt) ----> further segmentation in openwrt?
If yes, how do I set the CIDR and Gateway of my wannabe openwrt LAN ports in Proxmox?

 

[Dunuin]

this in proxmox:

and this in the CT:

IPs have to be unique. Don't set the same IP for the PVE host and the LXC.

 

[bright_plastik]

IPs have to be unique. Don't set the same IP for the PVE host and the LXC.

Of the many attempts (probably errors) I made, this was the only one that allowed me to access LuCi. I know it's wrong, but I clearly don't have a clue, here.
Would you be able to guide me, either by terminal or gui commands?
I know it's tedious, but I'm looking for some indications.
Thanks for your time, yet!

 

[bright_plastik]

Hello again...
specifically, the steps before entering the owrt container and setting everything to my will, are particularly misterious.
Why is this hapening?
Proxmox complains that I cannot put 4 different ports under the same gateway?
I would like ports from enp5s0 to enp2s0 to operate in the same domain, that would be 192.168.1.x, with the gateway on 192.168.1.1, and all the ports and devices connected to them defined by DHCP.

Can someone shed some light on this settings? Maybe @fowr0yl ...can you help a rookie in his first very stupid steps? I would only be happy to have 5 NICS numbered from 6 to 2, to start migrating my network to a containerized owrt. Openwrt is the only net os I am accustomed with, sort of.

@yazmeen, do I have to specify CIDR, addresses and gateway in the Linux bridges on proxmox, or I can set all these things after (just passing the NICs to the container), in the setup of the openwrt CT?

 

[Dunuin]

An OS shouldn't use multiple gateways or have multiple IPs in the same subnet. So what you are trying is conceptual wrong.

 

[bright_plastik]

An OS shouldn't use multiple gateways or have multiple IPs in the same subnet. So what you are trying is conceptual wrong.

Hello Duduin! I'm 100% sure that I'm not mastering the underlying concepts of networking! This is the only clear thing to me.
I come from a router that as soon as turned on, gives me 5 ports, all under the same subnet. One dedicated to WAN, and the others to LAN.
This is premade in openwrt routers, so it's not clear to me what are the prerequisites in proxmox so that when I run the openwrt container I'm welcomed by eth0 (heading to be WAN) eth1 (4 ports bonded in a switch?) and br-lan.
Ths is something I have to build myself this time, and I think I have to do it in proxmox, but lack the commands and knowledge to do it.

 

[Dunuin]

by eth0 (heading to be WAN) eth1 (4 ports bonded in a switch?) and br-lan.

They are not bonded but bridged. So like a dumb switch.

I come from a router that as soon as turned on, gives me 5 ports, all under the same subnet. One dedicated to WAN, and the others to LAN.

Then use two vlan-aware bridges in PVE. One for WAN (lets say vmbr0), one for LAN (lets say vmbr1). Bridge 1 physical NIC to vmbr0 and connect your modem/router to it. Bridge the 5 other physical NICs to vmbr1 and use it as your WAN LAN.
But thats in my opinion a waste of ressources as your are wasting 4 NICs as a dumb switch and you could get the same result by only using 2 NICs and adding a 7€ 5-Port-switch.

 

[bright_plastik]

Bridge the 5 other physical NICs to vmbr1 and use it as your WAN.

(I'm sure you meant LAN, but that's not a problem) Can you please elaborate on this? if I add enp2s0, enp3s0, enp4s0, enp5s0 and enp6s0 to vmbr1, do I have to add anything in CIDR and Gateway settings to access and assign these ports in the lxc?

And

But thats in my opinion a waste of ressources as your are wasting 4 NICs as a dumb switch and you could get the same result by only using 2 NICs and adding a 7€ 5-Port-switch.

I'd like to assign the other NICs to different VLANs and local networks. Some of the cables attached to them are going to different houses, different LANS.
The more I can do with each device turned on in my apartment, the better. I already need the Netgear R7800 sucking power for wlan, so I'd better use the onboard ports of my humble firewall, instead of another switch.
Is this sort of good to go, in your opinion?

 

[Dunuin]

(I'm sure you meant LAN, but that's not a problem)

Yes, typo...

I already need the Netgear R7800 sucking power for wlan, so I'd better use the onboard ports of my humble firewall, instead of another switch.

4 NICs usually should consume more electricity than 1 NIC + unmanaged switch. My Quad-Port Intel NIC for example needs 5W while a 5-port-switch only needs 2-3W.

if I add enp2s0, enp3s0, enp4s0, enp5s0 and enp6s0 to vmbr1, do I have to add anything in CIDR and Gateway settings to access and assign these ports in the lxc?

IPs and a gateway you set in the PVE webUI are for the PVE host only. Not for VMs/LXCs attached to that bridge. So PVE needs an IP and gateway to go online to do updates (so you usually want that on your LAN side) and to provide the webUI/SSH for management.
LXCs and VMs can still use the bridges even if you don'T set a IP or gateway there, as you can still assign that guestOS a IP and gateway from within the guestOS.

I'd like to assign the other NICs to different VLANs and local networks. Some of the cables attached to them are going to different houses, different LANS.

Then you should give each apartment it's own isolated subnet with different IP ranges and let the router VM NAT/router between the different subnets. In that case you want a dedicated bridge and NIC with its own subnet for each apartment unless you got a vlan-capable managed switch between PVE and the apartments.

 

[bright_plastik]

(so you usually want that on your LAN side)

If I reach a point in which I can access LuCi, and I'm satisfied by the level of mastering of proxmox and the virtualized openwrt container, the idea is to use only this little pc/firewall to route the 3 different subnets, and recycle the netgear only as dumb wifi AP, plus its ports, as they can be used as managed switch.
But at the moment I accessed luci only once, by doing this strange duplication.
There's something I don't get, for sure.
If I don't specify any CIDR and gateway in the settings of vmbr1, the ports don't even turn on, and I cannot access LuCi.