Map all the traffic to a router VM

bit-xxl

Apr 17, 2016
Hello everyone

Please help with network configuration

I want to set up the following network schema:

- All the traffic from real ETH0 passes to vmbr1, which is connected to a router's VM and nothing goes into Proxmox host directly.
- All the VMs and Proxmox host are connected to vmbr0 and get there all they need, passed through router VM.

I suppose it should be something like port mirroring between ETH0<>vmbr1, but have no exact idea. Also Proxmox host should ignore all the traffic, all the network activity of proxmox host with eth0 should contain port mirroring.
 
Why would you need port mirroring for this to work? This is actually a pretty standard setup.

Create a bridge with a NIC you want to use to a VMBRx, build a VM with that VMBR attached as its 'WAN', and attach the other VMBR to the VM as its LAN. Connect other VMs to the 'LAN' VMBR and tell Proxmox that its gateway is the Router VM....
 
Thank you very much, understood your answer, will try this night.
 
That's good. But is it able to control the external 'white' IP with virtual router? In your schema I should use some bogon IP for a router WAN. I need to bring all the packets from white IP to virtual router, even if I want to connect to ProxMox via SSH, it should pass through this VM. How to do that?
 
Same approach as already described, but you need to set up your Proxmox VE to have a private IP in your private LAN and give your public IP to your router VM (the interface that is bridged). Please also set autoboot for the router VM if you want to have a working network on the next boot.
 
I have the exact configuration you are trying to setup. My setup connects from a cable modem to a smart switch that is vlan aware. I have an internal vlan setup and an internet vlan. The cable modem port is an untagged internet vlan port. Each proxmox server receives the internal network untagged and the internet vlan tagged. Here is what my /etc/network/interfaces file looks like:
Code:
# network interface settings
auto lo
iface lo inet loopback
iface eth0 inet manual

# LACP (802.3ad) bond on eth0; carries the untagged internal traffic
auto bond0
iface bond0 inet manual
        slaves eth0
        bond_miimon 100
        bond_mode 4

# VLAN 9 sub-interface: the tagged internet VLAN
auto bond0.9
iface bond0.9 inet manual
        vlan-raw-device bond0

# internal bridge: the host's own address lives here
auto vmbr0
iface vmbr0 inet static
        address  192.168.1.20
        netmask  255.255.255.0
        gateway  192.168.1.1
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0

# internet bridge: no host address
auto vmbr1
iface vmbr1 inet manual
        bridge_ports bond0.9
        bridge_stp off
        bridge_fd 0

For the unfamiliar, the two bond interfaces separate vlan tagged data and untagged data. My proxmox host in turn has an IP address on the bridge for internal traffic but not on the internet bridge. My UTM gateway is the only device that connects to vmbr1 (internet) and everything else connects to vmbr0 (internal). By doing it this way I can migrate the UTM to any host in the proxmox cluster. If your switch doesn't support vlans you would need two ethernet interfaces to attain the same functionality.
 
Thanks for answer. Can you give a hint about "you need to setup your Proxmox VE to have a private IP in your private LAN and give your public IP to your router VM" - routes, nat, something else?
 
You create a public bridge (eth0 assigned) without an IP, a private bridge without any external interface assigned. Then you create a VM with two interfaces, one from each bridge and set your public IP to the public bridge interface, activate ip forwarding and natting on your router and then you're good to go (from inside to outside).

For logging into your Proxmox VE, you should set up SSH-Forward on your router vm or vpn-forward to a VPN server inside your private LAN.

This setup can easily be tested in a nested Proxmox VE machine (so a PVE VM inside your PVE) and play around. This is very tricky to do live on the internet, because it can (and will most probably) lead to complete lockout.
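
The host-side half of the layout described above (public bridge without an IP, host address only on the private bridge) can be checked before a reboot. This is an added example, not part of the original post: the function names, the `OK`/`EXPOSED`/`ROUTE` output format and the 203.0.113.10 documentation address are assumptions, and the sample input is the `/etc/network/interfaces` layout posted later in the thread with tabs normalised.

```shell
#!/bin/sh
# audit_wan_bridge WAN_PORT   (ifupdown config on stdin)
# Exit 0: the bridge carrying WAN_PORT has no host address.
# Exit 1: the host is addressed on it.  Exit 2: no bridge enslaves WAN_PORT.
audit_wan_bridge() {
    awk -v wan="$1" '
        /^[ \t]*#/ || NF == 0          { next }
        $1 == "iface"                  { cur = $2; method[cur] = $4; next }
        $1 == "auto" || $1 ~ /^allow-/ { cur = ""; next }
        cur == ""                      { next }
        $1 == "address"                { addr[cur] = $2 }
        $1 == "gateway"                { gw[cur] = $2 }
        $1 ~ /^bridge[-_]ports$/       { for (i = 2; i <= NF; i++) if ($i == wan) wanbr = cur }
        END {
            if (wanbr == "") { print "NOBRIDGE " wan; exit 2 }
            bad = 0
            if (method[wanbr] != "manual") { print "EXPOSED " wanbr " method=" method[wanbr]; bad = 1 }
            if (wanbr in addr) { print "EXPOSED " wanbr " address=" addr[wanbr]; bad = 1 }
            for (b in gw) print "ROUTE default via " gw[b] " on " b
            if (!bad) print "OK " wanbr " carries " wan " without a host address"
            exit bad
        }'
}

# Layout posted in the thread, tabs normalised (bridge_stp/bridge_fd omitted).
thread_config() {
    cat <<'EOF'
auto lo
iface lo inet loopback
iface eth0 inet manual
auto vmbr0
iface vmbr0 inet manual
    bridge_ports eth0
auto vmbr1
iface vmbr1 inet static
    address 172.16.100.2
    netmask 255.255.255.0
    gateway 172.16.100.1
    bridge_ports none
EOF
}

# Constructed counter-example: the host itself takes a public address on vmbr0.
exposed_config() {
    thread_config | awk '$1 == "iface" && $2 == "vmbr0" {
        print "iface vmbr0 inet static"; print "    address 203.0.113.10"; next } { print }'
}

thread_config  | audit_wan_bridge eth0
exposed_config | audit_wan_bridge eth0 || echo "host would answer directly on the public side"
```

On a real node the call is `audit_wan_bridge eth0 < /etc/network/interfaces`; exit status 1 means the host, not only the router VM, holds an address on the public bridge.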
 
Tried to do so, but without success. After rebooting the external ip becomes unreachable, router VM cannot access the gateway. In the router VM there is set up ip-address and mask for WAN (connected to VMBR0), ip-address and mask for LAN (VMBR1, 172.16.100.1), default route to gateway, snat for WAN IP, dst-nat for SSH of ProxMox. Nothing is blocked in firewall (it's empty).

my /etc/network/interfaces is:

Code:
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet static
        address 172.16.100.2
        netmask 255.255.255.0
        gateway 172.16.100.1
        bridge_ports none
        bridge_stp off
        bridge_fd 0

Maybe I missed some setup of firewall or networking in the ProxMox Node settings?
 
So it works for once and only after a reboot, nothing works? Have you checked inside a local VM to tweak in the case it does not work?
 
