Converting to OpenVswitch

boredenchilada

Apr 30, 2024
Hello,

I'm currently very confused about how I can set up my PVE to work with openvswitch, as I want to install and use Security Onion properly.

Below is my current config, and highlighted are my 2 interfaces and current bridge with port eno3.
[Image: 1714514586900.png]

Basically I would want this same setup but in OVS. Every time I seem to change something and apply it, I lose access to my PVE web GUI and SSH access.

My network is set up this way:

Top level NGFW <-> dumb switch <-> Cisco switch 2960x <-> wifi router

Currently the Proxmox server is connecting via one interface (eno3) to the Cisco switch; the 2nd interface (enp5s0) connects back to the dumb switch.
 
Yes, the open switch package is installed and I have the OVS bridge, bond and all in my GUI.
Please post your /etc/network/interfaces file before you do the OVS config and after. If you do not have the before version, please post what you have.
 
The config below is exactly the same before and after the install:

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

iface enp66s0 inet manual

auto enp5s0
iface enp5s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.11/32
    gateway 10.0.0.1
    bridge-ports eno3
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
 
Okay, below is an OVS interfaces file, which should provide an example from which you can build your own.

IMPORTANT: You are responsible for reviewing it and confirming it will work for your purposes. I have no way of knowing the configuration of the rest of your setup.

A few notes:
  • vmbr0 is going to act like a switch. This means that packets will travel from the Cisco switch, in eno3, through vmbr0, out enp5s0 and to the dumb switch (and, of course, the other way).
  • You had 10.0.0.11/32 but that is not possible, so I assume you intended 10.0.0.11/24. If your network is not a /24, you will need to change that.
  • You can think of host0 as a port on vmbr0 where your PVE OS is plugged in.
  • So, you will have the Cisco, dumb and PVE host all plugged into a switch called vmbr0.
Let me know how you make out.

Code:
# /etc/network/interfaces
# Example for illustration purposes only.

# === PHYSICAL INTERFACES ===

auto lo
iface lo inet loopback

iface eno1 inet manual
    ovs_type OVSPort
# Not used

iface eno2 inet manual
    ovs_type OVSPort
# Not used

auto eno3
iface eno3 inet manual
    ovs_type OVSPort
# Cisco switch 2960x

iface eno4 inet manual
    ovs_type OVSPort
# Not used

iface enp66s0 inet manual
    ovs_type OVSPort
# Not used

auto enp5s0
iface enp5s0 inet manual
    ovs_type OVSPort
# To dumb switch

# === INTERNAL INTERFACES ===

auto host0
iface host0 inet static
    address 10.0.0.11/24
    gateway 10.0.0.1
    ovs_type OVSIntPort
    ovs_bridge vmbr0
# PVE host access

# === BRIDGES ===

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports enp5s0
# Main bridge
 
I will be testing this out shortly.

The /32 was added by Proxmox itself upon install, I think? But anyhoo, that's noted for next time.

I may need to refresh on my networking, but is the main difference here in where the connections initiate/terminate and how it flows? Since we now have one in and one out instead of one in and out, second in and out.
And just to be sure I understand correctly, within the one in one out, the switch/router would be vmbr0 where the routing/switching is happening type of thing?
Should the bridge include eno3 as well, or because of the ovs_bridge vmbr0 param, it's like you said, a port of vmbr0? Host0 attaches/plugs into vmbr0 like a Cat5e in the physical world? And on that port (port 1/host0) is where the Proxmox management IP is being virtually attributed (10.0.0.11:8006). So if I wanted a 2nd management IP in the same IP range I can just "plug" a new host1 config and so forth?

Virtualized networking has always rattled my brain...

Just want to thank you for taking the time to explain what you already provided to me.

Okay, so I tried the config and I got this:

warning: vmbr0: moved from being a bridge to a physical interface (non-logical interface).This interface will be downed.
If this was not intentional, please restore the original interface definition and execute ifreload
 
Should the bridge include eno3 as well, or because of the ovs_bridge vmbr0 param, it's like you said, a port of vmbr0? Host0 attaches/plugs into vmbr0 like a Cat5e in the physical world?

Good catch. Yes, you need to have eno3 and host0 on the bridge. I'm a little out of practice hand-building these. I wrote an Ansible script to build them for my deployments, and now, with SDN, I am moving things back to Linux bridging.

Code:
# === BRIDGES ===

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports enp5s0 eno3 host0
# Main bridge

And just to be sure I understand correctly, within the one in one out, the switch/router would be vmbr0 where the routing/switching is happening type of thing?

Yes, the vmbr0 is a bridge which is very close to a physical switch (thus "Open vSwitch"). To be precise, it is not a router, as it does not do routing.

So if I wanted a 2nd management IP in the same IP range I can just "plug" a new host1 config and so forth?

Not sure of a use where a second IP address in the same subnet would be needed. A more common example would be if you wanted an IP address in a different subnet. For example, connecting to a NAS or SAN. You could connect one of the physical ports and an OVSIntPort with an IP address to vmbr1.

Okay, so I tried the config and I got this:

warning: vmbr0: moved from being a bridge to a physical interface (non-logical interface).This interface will be downed.
If this was not intentional, please restore the original interface definition and execute ifreload

You should be able to run ifreload -a and have it work (once you fix the ports).
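
Added example, not part of the original posts: a small Python check for the two mistakes this thread ran into, OVS ports missing from the bridge's ovs_ports line and a gateway that lies outside the address's subnet. The function names and the trimmed sample are constructed here, and the check assumes every OVS port marked auto is meant to be attached to a bridge.

```python
import ipaddress

# Constructed sample: the thread's first OVS example, trimmed to the used ports.
SAMPLE = """\
auto eno3
iface eno3 inet manual
    ovs_type OVSPort
auto host0
iface host0 inet static
    address 10.0.0.11/24
    gateway 10.0.0.1
    ovs_type OVSIntPort
    ovs_bridge vmbr0
auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports enp5s0
"""

def parse(text):
    """Return ({iface: {option: value}}, set of names marked 'auto')."""
    ifaces, auto, cur = {}, set(), None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not words:
            continue
        if words[0] == "auto":
            auto.update(words[1:])
        elif words[0] == "iface":
            cur = ifaces.setdefault(words[1], {})
        elif cur is not None:
            cur[words[0]] = " ".join(words[1:])
    return ifaces, auto

def lint(text):
    """List lockout risks; assumes each 'auto' OVS port should be on a bridge."""
    ifaces, auto = parse(text)
    # Every port name that some OVS bridge actually attaches.
    attached = {p for o in ifaces.values() if o.get("ovs_type") == "OVSBridge"
                for p in o.get("ovs_ports", "").split()}
    problems = []
    for name, o in ifaces.items():
        if (o.get("ovs_type") in ("OVSPort", "OVSIntPort")
                and name in auto and name not in attached):
            problems.append(f"{name}: not listed in any bridge's ovs_ports")
        if "address" in o and "gateway" in o:
            net = ipaddress.ip_interface(o["address"]).network
            if ipaddress.ip_address(o["gateway"]) not in net:
                problems.append(f"{name}: gateway {o['gateway']} is outside {net}")
    return problems
```

Running lint() on the edited file's contents before ifreload -a shows whether the management port would come up attached to the bridge; on the sample above it reports eno3 and host0.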
 