CTs in different VLANs are able to communicate with each other

dqq

Member
Jan 30, 2020
Hi,

I have the following configuration:

- vmbr2 OVS bridge (attached image 1)
  - Bridge ports: vlan01, vlan02

- vlan01 OVSIntPort (attached image 2)
  - OVS Bridge: vmbr2
  - VLAN Tag: 1
  - IPv4/CIDR: 99.0.1.254/24

- vlan02 OVSIntPort (attached image 3)
  - OVS Bridge: vmbr2
  - VLAN Tag: 2
  - IPv4/CIDR: 99.0.2.254/24


When I create 2 CTs and:
1) add CT1 to vlan01 (attached image 4)
2) add CT2 to vlan02 (attached image 5)

They are not able to ping each other (as expected), but when I manually add routes:
1) in CT1: ip route add 99.0.2.254/24 via 99.0.1.254
2) in CT2: ip route add 99.0.1.254/24 via 99.0.2.254

They are able to communicate with each other again.
In my understanding, that should not be possible due to the different VLAN tags set up on the interfaces and OVSIntPorts.

1) Is there a way to avoid such a behaviour?
3) Is there any way for VM1 to still communicate with CT1 and CT2 but CT1 and CT2 not being able to communicate with each other?
 


dqq

It seems that I have missed the subforum - could any mod move it to network configuration? Thanks
 

Stoiko Ivanov

Proxmox Staff Member
May 2, 2018
Consider using regular Linux bridges instead of OVS - it takes one component out of the setup, which reduces complexity.

Is ip_forwarding enabled?
 

dqq

@Stoiko Ivanov - yes, it is.

Additionally, here is what I have found in the Open vSwitch documentation (I attach an image).

Is it possible that this is the intended way of the Linux kernel and I have to use an additional firewall?
 

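The behaviour discussed in this thread follows from the host holding an address in each VLAN (99.0.1.254 and 99.0.2.254) with IP forwarding enabled: the VLAN tags separate the two networks at layer 2, but the host still routes between them at layer 3. The script below is an added example, not code from any poster in the thread; it is a dry run that checks ip_forward and prints FORWARD-chain rules blocking traffic between the vlan01 and vlan02 ports. The use of iptables and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Dry run only: prints rules, changes nothing.
# Assumptions: interface names vlan01/vlan02 as in the post; iptables on the host.

# Succeeds when the kernel is set to route IPv4 between its interfaces.
# $1: path to the sysctl file (a parameter so the check can be tested offline).
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Prints one DROP rule for every ordered pair of distinct interfaces, so that
# routed traffic is blocked in both directions between each pair.
isolation_rules() {
    for src in "$@"; do
        for dst in "$@"; do
            if [ "$src" != "$dst" ]; then
                printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$src" "$dst"
            fi
        done
    done
}

# $1: sysctl file, remaining arguments: host ports that carry an IP per VLAN.
audit() {
    sysctl_file="$1"
    shift
    if forwarding_enabled "$sysctl_file"; then
        echo "ip_forward=1: the host routes between: $*"
        echo "Rules that would stop it:"
        isolation_rules "$@"
    else
        echo "ip_forward=0: the host does not route between: $*"
    fi
}

audit /proc/sys/net/ipv4/ip_forward vlan01 vlan02
```

The rules match on the host's own ports, so they only affect traffic the host routes from one VLAN to the other; traffic between a container and the host address in its own VLAN does not pass through the FORWARD chain.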
