Hi! I have a 4 node proxmox cluster, configured as follows:
* All nodes are connected to a switch, in the 172.16.0.0/24 IP range with one of their eth interfaces.
* One of the nodes has an additional ethernet interface acting as a VLAN trunk. This node also contains a VM with pfSense, managing the traffic on a bunch of VLANs.
* The Proxmox API/interface can be reached from any VLAN at the .0 IP address, or at their 172.16.0.X address.
This architecture evolved over time in a rather chaotic way, and I'm now looking to improve and stabilize it. However, most if not all of the changes I want to make are not trivial to do and/or can't be done with the web interface, and I'm looking for advice on what the best way to proceed would be. I'm also looking for a sanity check, just in case any of my ideas are unsound.
1) I would like to have the node communication traffic on their own internal, physically separate network. This is in preparation for a 10Gb network upgrade further down the road, both for cluster traffic and shared storage. I've found a bunch of old manual procedures on the internet, but they all seem a bit sketchy and I'm not sure they are up to date anymore. I've looked in the web GUI and there's no option for this there either. Deleting/wiping nodes, re-creating the cluster, or starting from scratch is not viable. Would a managed switch be beneficial here, or would using any of the remaining ethernet interfaces with a normal switch be enough?
This future upgrade will also include a physical, actual netgate appliance. Until then, WAN traffic would have to come in through the node which is now managing the VLANs. I'm fully aware of how shitty this arrangement is.
2) I want all the nodes to have access to the same VLANs, both for ease of deployment of new containers in the right networks across nodes, but also to allow us to use HA capabilities more easily. Would you recommend having a shared VLAN trunk on one of the interfaces on each node, or would it be better to use the SDN feature? The SDN feature looks like both what I need and also complete overkill. I don't really need separate zones for the different nodes or any of the advanced features, but I need, say, a machine in VLAN 99 to have HA capabilities across nodes.
3) I want to limit access to the web interface and API to a particular VLAN. This is one of the reasons to have an internal network. However, I've seen that the .0 IP address in each VLAN does have a proxmox interface/API available. Is there any way to specify in proxmox where this is served without breaking cluster communications, rather than filtering it externally?
4) Any other suggestions, things I may be missing, or best practices I may not be following for lack of experience are more than welcome.
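Added example, not from the post or from the Proxmox project: a staging script covering points 1, 2 and 3 above. It writes candidate versions of /etc/network/interfaces (dedicated cluster NIC plus one VLAN-aware bridge named the same on every node), /etc/default/pveproxy (bind the web UI/API to one address and add a host ACL) and a corosync.conf with a second knet link, into a scratch directory for review; nothing under /etc is touched. Hostnames, interface names and addresses (pve1, eno1/eno2/eno3, 172.16.0.11, 10.10.10.0/24, admin VLAN 172.16.10.0/24) and the two-node corosync.conf are placeholders I made up. Two caveats carried in the comments: LISTEN_IP in /etc/default/pveproxy exists from PVE 7 on, and other cluster nodes reach a node's API through its ring0_addr, so the bound address must be the one the peers use or cross-node GUI/API proxying stops working. Edits to /etc/pve/corosync.conf should be prepared in a copy and moved into place, as the file is applied as soon as it is saved.

```shell
#!/bin/sh
# Added example (not from the post): stage candidate config for a review pass, then
# diff against the live files and copy by hand. Placeholders (assumptions): node pve1,
# existing uplink eno1 at 172.16.0.11, dedicated cluster NIC eno3 at 10.10.10.11/24,
# VLAN trunk eno2, admin VLAN 172.16.10.0/24.
set -eu
STAGE="${STAGE:-$(mktemp -d)}"
mkdir -p "$STAGE/etc/network" "$STAGE/etc/default" "$STAGE/etc/pve"

# 1) cluster/storage traffic on its own NIC and switch (an unmanaged one is enough, no VLANs needed)
# 2) one VLAN-aware bridge with the same name on every node, so a guest tagged 99 can be
#    migrated / failed over without per-node bridge or SDN configuration
stage_interfaces() {
  cat > "$STAGE/etc/network/interfaces" <<'EOF'
auto lo
iface lo inet loopback

# existing uplink: stays corosync link0 and becomes the only API listener
auto eno1
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 172.16.0.11/24
        gateway 172.16.0.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

# dedicated, physically separate cluster/storage network (corosync link1, later 10G)
auto eno3
iface eno3 inet static
        address 10.10.10.11/24

# VLAN trunk into a VLAN-aware bridge; guests get a VLAN tag on the NIC instead of
# needing an eno2.NN / vmbrNN pair per VLAN on every node
auto eno2
iface eno2 inet manual

auto vmbr1
iface vmbr1 inet manual
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
EOF
}

# 3) bind pveproxy (PVE 7+) to one address and add a host ACL. Peers reach this node's API
#    via its ring0_addr (172.16.0.11 here), so that address must keep serving 8006 or
#    cross-node GUI/API proxying breaks. Apply with: systemctl restart pveproxy spiceproxy
stage_pveproxy() {
  cat > "$STAGE/etc/default/pveproxy" <<'EOF'
LISTEN_IP="172.16.0.11"
ALLOW_FROM="172.16.10.0/24,172.16.0.0/24"
DENY_FROM="all"
POLICY="allow"
EOF
}

# 1) add a second knet link to the existing cluster without recreating it: ring1_addr per
#    node, a totem interface for linknumber 1 (higher knet_link_priority wins in passive
#    mode), config_version bumped. Prepare as a copy, then mv over /etc/pve/corosync.conf.
add_corosync_link1() {           # $1: corosync.conf, $2: file of "nodename ring1_addr" lines
  awk -v mapfile="$2" '
    BEGIN { while ((getline l < mapfile) > 0) { split(l, f, " "); addr[f[1]] = f[2] } }
    /^[ \t]*name:/           { node = $2 }
    /^[ \t]*ring0_addr:/     { print
                               if (node in addr) { sub(/ring0_addr:.*/, "ring1_addr: " addr[node]); print }
                               next }
    /^[ \t]*config_version:/ { sub(/[0-9]+$/, $2 + 1) }
    /^[ \t]*linknumber: 0/   { in_if0 = 1 }
    in_if0 && /^[ \t]*}/     { print
                               print "  interface {"; print "    linknumber: 1"
                               print "    knet_link_priority: 20"; print "  }"
                               in_if0 = 0
                               next }
    { print }' "$1"
}

# constructed two-node corosync.conf standing in for /etc/pve/corosync.conf
cat > "$STAGE/corosync.conf.sample" <<'EOF'
nodelist {
  node {
    name: pve1
    nodeid: 1
    quorum_votes: 1
    ring0_addr: 172.16.0.11
  }
  node {
    name: pve2
    nodeid: 2
    quorum_votes: 1
    ring0_addr: 172.16.0.12
  }
}
totem {
  cluster_name: homelab
  config_version: 5
  interface {
    linknumber: 0
  }
  link_mode: passive
  version: 2
}
EOF
printf 'pve1 10.10.10.11\npve2 10.10.10.12\n' > "$STAGE/link1.map"

stage_interfaces
stage_pveproxy
add_corosync_link1 "$STAGE/corosync.conf.sample" "$STAGE/link1.map" > "$STAGE/etc/pve/corosync.conf.new"
echo "staged under $STAGE; diff against the live files before copying anything"
```

After the second link is live, `pvecm status` and `corosync-cfgtool -s` should list both links per node; once that is confirmed, the same procedure (bump config_version, edit ring0_addr on every node) can later move link0 onto the 10G network as well.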