Connect 2 bridges to the same network card

hakim

Hi,

I have 2 Proxmox servers, both with a network card (eth0) connected to a virtual rack (isolating the network traffic between these 2 servers).

I wanted to create 2 bridges (vmbr0 and vmbr1) for my VMs on the same network card (eth0 - connected to the virtual rack) so that I can use both:
- a network with a public range of IP addresses (connected to vmbr0)
- and a network with a private range of IP addresses (connected to vmbr1)

Unfortunately, despite the different settings I have tried: vmbr0 uses eth0 (same MAC address) and I can access the traffic on the virtual rack, but vmbr1 is associated with a different MAC address and does not access the network traffic on the virtual LAN.

Is my initial idea wrong and therefore cannot work, or is there a special way to achieve such a setting ?

Thanks for your help,
Hakim
 
I am confused on what you are trying to do.

You only have ONE ethernet device?

You want to create 2 bridges on that ONE eth device? For what purpose exactly? Are you wanting a private network on vmbr1 that is only accessible within the Proxmox host/cluster? If so, you don't need to tie it to an eth device at all.

From your description, I really do not understand how you would have your public IP and your private LAN available on ONE eth device unless you are using VLANs...in which case, you just tag your guests with a VLAN number to put it in the right VLAN
 
Thanks for your answer.

You only have ONE ethernet device?
Yes

I am confused on what you are trying to do.
The virtual rack does not support VLANs, so I am trying to find a way to act as if I had a VLAN.

Proxmox1 / vmbr1 / external IP range <= virtual rack => external IP range / vmbr1 / Proxmox2
Proxmox1 / vmbr2 / 192.168.21.0/24 <= virtual rack => 192.168.22.0/24 / vmbr2 / Proxmox2
Proxmox1 / vmbr3 / 192.168.31.0/24 <= virtual rack => 192.168.32.0/24 / vmbr3 / Proxmox2

That way, I could isolate the traffic generated by the VMs connected to vmbr2 from the traffic generated by the VMs connected to vmbr3, while the VMs connected on the vmbr2 on Proxmox1 and Proxmox2 will be able to communicate together (with proper routing).

I would like to avoid VPN between Proxmox1 and Proxmox2 to achieve this to avoid the overhead of the VPN, which is not really needed since the virtual rack isolates the traffic from the Internet.

Just for info, the virtual rack provides a gateway for the traffic on external IP range.

Hope it is clearer,
Hakim
 
Thanks for your answer.


Yes


The virtual rack does not support VLANs, so I am trying to find a way to act as if I had a VLAN.

Proxmox1 / vmbr1 / external IP range <= virtual rack => external IP range / vmbr1 / Proxmox2
Proxmox1 / vmbr2 / 192.168.21.0/24 <= virtual rack => 192.168.22.0/24 / vmbr2 / Proxmox2
Proxmox1 / vmbr3 / 192.168.31.0/24 <= virtual rack => 192.168.32.0/24 / vmbr3 / Proxmox2

Doing the above, you didn't isolate the traffic, and in fact, you'll have even more troubles as the two vmbr2s and vmbr3s won't "see" each other from a layer3 perspective, as they are on separate subnets. To make them talk to each other, you'll need a router/firewall somewhere on the virtualrack, or you'll have to make the netmask a /23 to /16.

If you still want the above as illustrated, given you can't get VLANs on the virtualrack, you'll end up with tap interfaces connecting the vmbr2-vmbr3-vmbr1-eth0, and then it'll be easier to just have all the VMs connect to vmbr0-eth0, but using layer3 subnet obfuscation as above, but they'll still be able to sniff broadcasted traffic....

That way, I could isolate the traffic generated by the VMs connected to vmbr2 from the traffic generated by the VMs connected to vmbr3, while the VMs connected on the vmbr2 on Proxmox1 and Proxmox2 will be able to communicate together (with proper routing).

I would like to avoid VPN between Proxmox1 and Proxmox2 to achieve this to avoid the overhead of the VPN, which is not really needed since the virtual rack isolates the traffic from the Internet.

Sorry, VPNing is the correct answer. Personally I'll do a pfSense firewall VM instance that'll have some tunnel(s) between them, and then linking the vmbr2/3s appropriately, as you in any case need some router in between given the subnets/netmasks given above.

PS: VPN does not *HAVE* to have encryption, you could also use GRE/IPIP tunnels, okay, then you could add some filtering/etc. in the host as you connect things on the host, but that could become messy too quickly.

*My* advice from the above requirement: Use a pfSense firewall in a VM, and use that with GRE tunnels between them to route/manage it... or you could use Linux VMs on both sides and forsake the nice WebUI of pfSense ;)

However, if you
Just for info, the virtual rack provides a gateway for the traffic on external IP range.

Hope it is clearer,
Hakim
 
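The GRE option raised in the reply above, sketched as an added example that is not part of the thread or of Proxmox's own tooling: one keyed gretap tunnel per bridge stretches vmbr2 and vmbr3 between the two hosts as separate layer-2 segments without VLAN support on the rack. It assumes both bridges are defined with no physical port; the host addresses 192.0.2.1 and 192.0.2.2, the keys 2 and 3 and the `gt-` device prefix are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints (does not execute) the iproute2 commands for host 1.
# Constructed values: 192.0.2.1 (this host), 192.0.2.2 (peer), keys 2 and 3.

UNDERLAY_MTU=1500   # assumed MTU of eth0 on the virtual rack

# Tunnel overhead: outer IPv4 (20) + GRE header (4) + GRE key (4)
# + inner Ethernet header (14). Guests on the bridge need this MTU too.
gretap_mtu() {
    echo $(( $1 - 20 - 4 - 4 - 14 ))
}

# gretap_plan LOCAL_IP REMOTE_IP KEY BRIDGE
gretap_plan() {
    local_ip=$1 remote_ip=$2 key=$3 bridge=$4
    dev="gt-$bridge"
    mtu=$(gretap_mtu "$UNDERLAY_MTU")
    # Linux interface names are limited to 15 characters.
    if [ "${#dev}" -gt 15 ]; then
        echo "interface name $dev exceeds 15 characters" >&2
        return 1
    fi
    cat <<EOF
ip link add $dev type gretap local $local_ip remote $remote_ip key $key
ip link set $dev mtu $mtu
ip link set $dev master $bridge
ip link set $dev up
EOF
}

# The GRE key only demultiplexes tunnels; it is not a secret and GRE has
# no authentication or encryption, so accept protocol 47 from the peer only.
gre_filter() {
    echo "iptables -A INPUT -p gre ! -s $1 -j DROP"
}

# Plan for Proxmox1; swap the two addresses for Proxmox2.
host1_plan() {
    gretap_plan 192.0.2.1 192.0.2.2 2 vmbr2 &&
    gretap_plan 192.0.2.1 192.0.2.2 3 vmbr3 &&
    gre_filter 192.0.2.2
}

host1_plan
```

Traffic inside these tunnels is still readable by anything that can observe the rack network, so the separation holds only as long as the rack itself is trusted.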
Doing the above, you didn't isolate the traffic, and in fact, you'll have even more troubles as the two vmbr2s and vmbr3s won't "see" each other from a layer3 perspective, as they are on separate subnets.

Thanks for your feedback.

In fact the purpose is to isolate VMs behind vmbr2 and vmbr3, which is possible if using VMs with VENET network card.

I am already using pfSense on both servers but there is a big overhead (without using VPN, in fact the pfSense VM is just routing - I finally chose not to use VPN since the whole traffic is isolated in the Virtual Rack).
But in my config the effective bandwidth (going through pfSense) is 100 Mb/s - with a lot of CPU usage - while the virtual rack bandwidth is 1 Gb/s ...
I just tried this morning the new version 2.2 which looks a lot better regarding the CPU usage, so maybe it will help also for the bandwidth (I did not test yet).

Hakim
 
If all you are doing is routing and want some VPN tunnels, take a look at vyos. It will do firewall too if you need it.

Pfsense is just not quite the platform people make it out to be.
 
