Hello everyone - my first post.
I've been messing around with EVPN overlay networks with BGP peering to my FortiGate, and I'm wondering if what I'm trying to achieve is possible.
Originally, I deployed an EVPN controller on a separate transit network (10.255.255.0/28) that would act as my underlay from my PVE node to my FortiGate, with my PVE host as my exit node. I then deployed a BGP controller that peered with my FortiGate on this same network. I created a VNET with 172.16.200.0/24, verified that the FortiGate was peered with the node via the transit network, and saw that 172.16.200.0/24 was being advertised from the peer. All seemed well at first, and then I tested VM traffic out to the internet.
In a debug flow on the FortiGate, the traffic was instead egressing the management IP of the PVE node (10.1.130.1), and was failing an RPF check and getting implicitly denied. This is because 172.16.200.0/24 was being learned on the transit network, but the traffic was instead egressing a completely different interface.
It seems Proxmox out of the box wants you to use the exit node's primary IP address for all EVPN overlay networks instead of the peer addresses you define on the controller and zones. I assume I'm just configuring this incorrectly and need to be pointed in the right direction, as I prefer my management VLAN to only carry traffic for that network, and not any overlay network traffic. Below is a high level of what I'm trying to do:
BGP underlay network:
PVE: 10.255.255.2
Forti: 10.255.255.1
Peer BGP between the two for VNET advertisements, and to facilitate north-south traffic.
PVE management IP: 10.1.130.1
Management gateway: 10.1.130.254.
Performing the BGP peering on the management network makes this traffic work without a hitch, but I would prefer this traffic traverse a separate VLAN subinterface. What am I doing wrong here? Any help is appreciated. Thank you!
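The RPF failure described above, modelled as an added example (not the poster's configuration and not FortiGate code): a constructed route table in which the VNET prefix is learned over the transit interface, so a packet with a 172.16.200.x source that arrives on the management interface fails the reverse-path check. Interface names "transit" and "mgmt" are assumed.

```python
import ipaddress

# Constructed route table for the FortiGate side of the topology in the post.
# Interface names are assumed; addresses come from the post.
FORTIGATE_ROUTES = [
    # (prefix, next hop, interface the route points at, how it was learned)
    ("172.16.200.0/24", "10.255.255.2", "transit", "bgp"),  # VNET advertised by PVE
    ("10.255.255.0/28", None, "transit", "connected"),      # BGP underlay / transit
    ("10.1.130.0/24", None, "mgmt", "connected"),           # PVE management network
]

def lookup(dst: str):
    """Longest-prefix match over the constructed route table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface, learned in FORTIGATE_ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface, learned)
    return best

def strict_rpf(src_ip: str, ingress_iface: str) -> tuple[bool, str]:
    """Strict reverse-path check: the route back to the packet's source must
    point out the interface the packet arrived on, otherwise it is dropped."""
    route = lookup(src_ip)
    if route is None:
        return False, f"no route back to {src_ip}"
    net, _nh, iface, learned = route
    if iface != ingress_iface:
        return False, (f"{src_ip} matches {net} learned via {learned} on {iface}, "
                       f"but the packet arrived on {ingress_iface}")
    return True, f"{src_ip} is reachable back out {ingress_iface}"

def failing_case():
    # What the post observed: VM traffic leaves the exit node via its
    # management IP, so it reaches the FortiGate on the management interface.
    return strict_rpf("172.16.200.10", "mgmt")

def working_case():
    # What the post wants: the exit node sends overlay traffic over the transit VLAN.
    return strict_rpf("172.16.200.10", "transit")

if __name__ == "__main__":
    for name, case in (("arrives on mgmt", failing_case), ("arrives on transit", working_case)):
        ok, why = case()
        print(f"{name}: {'ACCEPT' if ok else 'DROP'} - {why}")
```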