Issues Transitioning from VLAN to SDN with Proxmox

[n0one42]

Description:

I am currently in the process of transitioning from my existing VLAN topology to SDN but have encountered issues that I need assistance with.

Current Working Setup:

• Linux Bond: bond0 (802.3ad) (layer 3+4)
• Linux VLAN: VLAN90DMZ (raw device: bond0; VLAN Tag: 90)
• Linux Bridge: vmbr90 (Bridge ports: VLAN90DMZ)

In this setup, passing the vmbr90 to a VM works seamlessly. The VM itself is unaware of any VLAN tags as it operates untagged. Only the Linux VLAN is aware of the tag.

Objective:
I want to replicate this setup using SDN, but it is not working as expected.

Ideal Scenario:

• Maintain my router/switch with tagged ports (e.g., VLAN 90) with DHCP assigning IPs in the range 192.168.1.0/24.
• Default DHCP to use the range 192.168.1.100 - 192.168.1.200 for real servers.
• Utilize SDN for internal VMs, assigning the range 192.168.1.50 - 192.168.1.99.

Problem Encountered:
Despite several attempts, I am unable to convert the current setup to SDN. The VMs do not receive any IP addresses.

Request:
I need guidance on how to transition from my current VLAN topology to SDN while ensuring VMs receive appropriate IP addresses as per the defined ranges. Detailed steps or documentation references would be highly appreciated.

Thank you for your assistance.

Best regards

 

[sw-omit]

So to summarise:
You want to be able to connect a VM to a port (which for the VM itself is untagged) and also have the bond that is your connection to the rest of the network to be untagged, but have the traffic from the VM to your switch be tagged with VLAN90, receiving DHCP from your router outside of proxmox distributing on VLAN90?

If so, that's probably the same setup (minus the DHCP, since I use 99.9% static IPs, but do use DHCP for first-time setup so I know it works).

What I have is the following:
In Networking:
Linux Bond: bond0 (keep as is in your setup)
Linux Bridge: vmbr1 (Bridge Ports: bond0, no tags, optionally IP if you want to reach ProxMox on that untagged line.
In SDN:
Create a Zone of type: VLAN and Bridge Ports vmbr1
In the VNet section, Create your VNETS with the names and vlans, making them NOT VLAN-Aware, assigned to this Zone.

Bonus option; to prevent other admins from using the wrong device, give them their own accounts, and only give them access to this specific SDN-Zone, and not to the localnet zone. If you need help with this, ask and I can see how I set that part up again.

 

[n0one42]

So to summarise:
You want to be able to connect a VM to a port (which for the VM itself is untagged) and also have the bond that is your connection to the rest of the network to be untagged, but have the traffic from the VM to your switch be tagged with VLAN90, receiving DHCP from your router outside of proxmox distributing on VLAN90?

If so, that's probably the same setup (minus the DHCP, since I use 99.9% static IPs, but do use DHCP for first-time setup so I know it works).

What I have is the following:
In Networking:
Linux Bond: bond0 (keep as is in your setup)
Linux Bridge: vmbr1 (Bridge Ports: bond0, no tags, optionally IP if you want to reach ProxMox on that untagged line.
In SDN:
Create a Zone of type: VLAN and Bridge Ports vmbr1
In the VNet section, Create your VNETS with the names and vlans, making them NOT VLAN-Aware, assigned to this Zone.

Bonus option; to prevent other admins from using the wrong device, give them their own accounts, and only give them access to this specific SDN-Zone, and not to the localnet zone. If you need help with this, ask and I can see how I set that part up again.

Thank you for the response. Maybe you just misspelled but it must be tagged from the proxmox server to the switch and not from the vm.
Also bond connections are tagged with different vlans.
VM (untagged) --> bond0 (tagged) --> switch
Here is a better overview of my working system which I try to replicate as an SDN. Despite the DHCP I would want at least to just reproduce this behavior with SDN. Thats said, the vm should directly get from my DHCP an IP.

 

[n0one42]

Therefore I dried multiple versions. This is what comes close to yours except that I still do not get any IP. I also created a Subnets on this VNets.

 

[sw-omit]

With that last setup, if you manually configure an IP on this VM, is it then able to reach the router/internet?
Just to make sure it isn't an issue specifically with DHCP

As it does look exactly like what I have set up and is working, bar the type of bond I'm using (I'm currently using failover, still need to find the time to get it properly set up with multi-active)
I take it the firewall itself is turned off on cluster-level? Or if it is on there, have you tried with the firewall-option turned off on the VM-network-device

 

[n0one42]

This is a fresh proxmox testing server installed yesterday with version 8.2.4 so firewall is disabled at Datacenter level. However, I also disabled it explicitly on this network also.
Setting a static IP still gives me inside the vm:
ping: connect: Network is unreachable. This is pretty annoying.

I also followed the instructions even if I did install directly the latest proxmox version:

apt install libpve-network-perl
apt install dnsmasq
systemctl disable --now dnsmasq
apt install frr-pythontools

 

[cagataygurturk]

Hello, I hope I understand your problem correctly. If you are creating a VLAN type VNet, the DHCP plugin does not work. Check the remark here, DHCP plugin only works for Simple Zone, which is a quite useless thing:

https://pve.proxmox.com/pve-docs/chapter-pvesdn.html#_configuration

I switched to SDN successfully but for this reason, I am running a small VM with DHCP server to assign IP addresses.

 

[juliosene]

Hello! I have been using SDNs since they became available in Proxmox. I consider it a great step forward. However, the use of the Simple Zone SDN is still a problem for me, and for now, I cannot use it for an essential reason: I'm using a cluster, and the Simple Zone SDN does not act in an integrated manner between the hosts in the cluster, I mean, a VM in Simple Zone A cannot communicate with a VM in the same Simple Zone A on another host in the same cluster. Although I haven't found a specific item regarding this in the roadmap, I believe this point should be on the to-do list for the Proxmox development team.

I have a second problem with the Simple Zone SDN, but in a different scenario: when we don't want to use NAT and the SNAT flag is turned off in the VNet Subnet. In this scenario, communication between a VM in the Simple Zone SDN and a VM outside it would occur using the machines' own IPs, without the translation done by NAT. Again, the problem occurs when we use a cluster. Besides the already mentioned issue of communication between VMs on different hosts, we have the problem of packet return. This occurs because, as they are different networks, the external network needs to know to which IP address the packet would be returned, i.e., the IP of the Gateway on the external interface of the cluster. One solution is to create a VIP for the cluster and use this IP as the Gateway. Another solution is for all host IPs to be Gateways for the SDNs and route packets to them. However, this is also not possible today.

My solution, at least for now, is to use a router/firewall (OPNSense) running in a VM connected to the SDNs. I am only using VLAN type SDNs, and each SDN has a different VLAN ID; however, this ID is only configured in the SDN. For the VMs, including the OPNSense, the interfaces are connected to the SDNs without local VLAN configuration. The OPNSense has an interface in each SDN, providing DNS and DHCP for the SDNs, as well as controlling traffic between the SDNs.



All SDNs connected to OPNSense as VNets are under OSVLANs SDN Zone, type VLAN.



App Network example:

 

[cagataygurturk]

Please check

https://forum.proxmox.com/threads/sdn-vlan-zone-with-ipam-and-dhcp.143720/post-646134