Dedicated interface for migration

frankz

Nov 16, 2020
Hello everyone, a long time ago I configured a pfSense with 3 interfaces: vmbr0 (LAN), vmbr1 (WAN), vmbr2 (cluster net). Looking at the logs with tcpdump or with pfSense network traffic, I can see the traffic of the first 2 network interfaces (LAN, WAN), except in the cluster network dedicated by Proxmox to migration data transfer between the other nodes. I risk seeing some broadcast packets. Everything works regularly: connected to the vmbr2 network are the three nodes that use it for data migration, 2 NFS servers that work regularly, and a Proxmox Backup for transferring the backup data of the nodes. I don't understand why pfSense doesn't see the traffic! Can anyone help me?
[Attachments: 3.png, 1.png, 2.png]

Since your host is called pve, do you even have a cluster? Without a cluster there is no migration traffic. ;)
And if you indeed have a cluster, did you even migrate between hosts? Do the other hosts go through the pfSense as well?
 
[Attachments: 4.png, 5.png, 6.png]

Okay, I see. Just wanted to make sure. ;)

Now the second thing, do the other two nodes also route their traffic through the pfSense VM?
 
No, the pfSense has three network cards, the nodes have three network cards, and the pfSense acts as the gateway only on vmbr0.
 
And the "migration NIC" of the nodes goes directly to a switch, I guess?
Then the traffic is switched to the respective recipients by the bridge, just like a normal switch would do it, which is why the pfSense doesn't see it.
 
[Attachment: scheme-2.pdf]

Yep, that's the switches doing their actual task. If the pfSense saw that traffic, they would be behaving like hubs.
So this is intended behavior.
 
Sorry, but I don't understand why on the other 2 interfaces, such as vmbr0 and vmbr1 (LAN, WAN), I see everything when running the pfSense traffic monitor, while on the NIC vmbr2 (cluster dedicated to migration) I don't see the traffic, only some broadcasts. Is it possible that the "secure" mode acts as a filter? Thank you
 
Secure means that the migration traffic is encrypted.
I highly doubt that you see traffic in the pfSense VM that goes from node to node via your switch.
What you see will be traffic from your other hosts/machines that connect to the internet through this VM.
 
Ok, in fact that's what I wanted confirmation for. Thank you for your point of view.
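
The switching behaviour explained in the replies above, as an added example that is not part of the original thread: a minimal learning-bridge model showing which ports receive which frames while node1 migrates to node2. The host names, MAC addresses and frame labels are constructed, and the model assumes one host per port with no VLANs or MAC ageing.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningBridge:
    """Minimal Ethernet learning bridge: one host per port, no VLANs, no ageing."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}             # source MAC -> port it was learned on
        self.seen = defaultdict(list)   # port -> labels of frames delivered there

    def send(self, in_port, src, dst, label):
        """Forward one frame and return the list of ports it was delivered to."""
        self.mac_table[src] = in_port   # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out_ports = [self.mac_table[dst]]   # known unicast: one port only
        else:
            out_ports = list(self.ports)        # broadcast or unknown unicast: flood
        out_ports = [p for p in out_ports if p != in_port]
        for port in out_ports:
            self.seen[port].append(label)
        return out_ports

# Constructed addresses: three cluster nodes plus the pfSense vNIC on vmbr2.
MACS = {"node1": "02:00:00:00:00:01", "node2": "02:00:00:00:00:02",
        "node3": "02:00:00:00:00:03", "pfsense": "02:00:00:00:00:fe"}

def simulate_migration(chunks=1000):
    """node1 migrates a guest to node2; return what every port received."""
    br = LearningBridge(MACS)           # ports are named after the hosts
    br.send("node1", MACS["node1"], BROADCAST, "arp-request")     # flooded
    br.send("node2", MACS["node2"], MACS["node1"], "arp-reply")   # unicast
    for _ in range(chunks):
        br.send("node1", MACS["node1"], MACS["node2"], "migration-data")
        br.send("node2", MACS["node2"], MACS["node1"], "migration-ack")
    return dict(br.seen)

if __name__ == "__main__":
    for port, frames in simulate_migration().items():
        print(f"{port:8} received {len(frames):5} frames, kinds: {sorted(set(frames))}")
```

Only flooded frames (broadcasts, or unicast to a MAC the bridge has not learned yet) reach the pfSense port, which matches the few broadcasts reported in the thread.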
 
