Need suggestions about virtual managed network switches

jjuk

New Member
Jun 30, 2023
I'm planning to build a testing environment in which the VMs are totally controlled by virtual network devices (a virtual router/firewall and a virtual switch), like below.
[Attachment: VM_network.jpg (network diagram)]
After studying the online manual, I don't think the built-in PVE network features (Linux/OVS bridge, SDN) can fulfill the role of the virtual switch in the above diagram. SDN Simple zone + VNet matches what I need, but it can't define VLANs like a managed switch does. I'd appreciate any suggestions. Thanks guys.
 

Why virtual? I have achieved your end state using a physical managed switch, in a much simpler, more direct manner. My WAN connects to my pfSense box which connects to my managed switch. I have the port on my switch feeding my Proxmox machine set to be a tagged/trunked port. On Proxmox my `/etc/network/interfaces` file reads as follows.

auto lo
iface lo inet loopback

iface enp18s0 inet manual

auto vmbr0.66
iface vmbr0.66 inet static
address 10.10.66.1/24
gateway 10.10.66.1

auto vmbr0
iface vmbr0 inet static
bridge-ports enp18s0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

After that, it is just a matter of selecting which VLAN I want each VM to be assigned to. I do my IP addressing through reservations in pfSense (based on the MAC address, which can be a made-up value so long as it is unique), and I set the VM to DHCP.

 
With pfSense running in a separate appliance, I can shut down my server at night and still have my network protected, VLANs stay up, etc. I initially had pfSense virtualized, but quickly realized that was suboptimal (for my situation at least). Every time I needed to reboot my server or re-install Proxmox (which I seemed to do a lot early on as I was first coming up the learning curve), I would take down my home network and my family would squawk at me. I think it's just a better practice to put pfSense in its own appliance. I still retain the ability to switch software firewalls if I want.
 
Why virtual? I have achieved your end state using a physical managed switch, in a much simpler, more direct manner. My WAN connects to my pfSense box which connects to my managed switch. I have the port on my switch feeding my Proxmox machine set to be a tagged/trunked port. On Proxmox my `/etc/network/interfaces` file reads as follows.
Hello louie. It's my fault that I didn't give enough detail in my diagram: the external physical switch is an unmanaged one.
I appreciate your suggestion, as you have experience with it and it's proved to work. However, my plan is to make it fully virtual.
 
The easy way:
Spin up a second pf or OPNsense as a VM.
Set up the interfaces exactly the same as on your physical appliance, meaning the interface names and opt1/opt2/wan/lan etc. need to match your physical appliance exactly.

The physical network adapter doesn't matter; whether it's a virtual NIC or an i226-LM doesn't matter, as long as you have the same VLANs and the same assignments (opt1 -> vlan20, opt2 -> vlan21, and so on) and the same interface names.

Make virtual CARP IPs, and set up HA between your virtual and physical appliance.

Configure your virtual appliance as backup and the physical one as master.

It's very easy, and I can surely help if you never did HA.
I'm doing HA here with OPNsense, but pfSense is surely almost the same.
If one appliance is virtual and the other physical, it doesn't matter either.


----

Second, the hard way:
You can do almost everything with a Linux bridge; VLANs and everything else are not an issue.
You can set up Linux bridges VLAN-aware, or create VLAN bridges bound to specific VLANs the vmbr0.20 way.

However, what's not possible, or at least I don't know how to do it, is routing.
The only solution I know is spinning up a VM again with something lightweight like VyOS, and using that as a routing instance between VLANs.
But if you spin up VyOS, you can spin up pf/OPNsense just as well....

But then you get the problem of 2 gateways in your network.

This means you will need to configure routes.
The easiest way is to configure static routes on your physical pfSense appliance, to tell it that the VLAN networks you want to reach are behind the VyOS IP.
And on the VyOS instance, the physical pfSense instance as default gateway.

However, that's very suboptimal, because:
- you get asymmetrical packet flow:
-- every packet that comes from behind VyOS will go directly to your PC, while your PC sends the packets first to pfSense and pfSense to VyOS.
This can be easily solved, but you will need to add static routing entries to every PC... which is not "comfortable".

Well, the proper way to do this would be to create a separate VLAN just for the communication between VyOS and pfSense.
Then the packet flow is perfect and you don't need any static routes...
But you said that you want to turn off the pfSense appliance...
So that way is out.

Anyway, it's all suboptimal in my opinion.
I would highly suggest the HA between virtual and physical pfSense appliances.

Cheers
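The asymmetric-flow point in the post above can be checked with a small route-table model. This is an added example, not code from the thread or from pfSense/VyOS: the addresses (LAN 10.0.0.0/24, VLAN 20 as 10.0.20.0/24, transit 10.0.99.0/30) and the node names are constructed, and it walks the three variants the post describes (static route on pfSense only, static route on every PC, dedicated transit VLAN) to show which one gives a return path that visits the same routers in reverse order.

```python
"""Forward vs. return path in the "two gateways" set-up described above.

Added example, not code from this thread or from pfSense/VyOS. The addressing
is constructed: LAN 10.0.0.0/24 holds a PC and pfSense, VLAN 20 (10.0.20.0/24)
sits behind VyOS, and 10.0.99.0/30 is the optional transit VLAN.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

LAN, VLAN20, TRANSIT, DEFAULT = "10.0.0.0/24", "10.0.20.0/24", "10.0.99.0/30", "0.0.0.0/0"
PC = ipaddress.ip_address("10.0.0.50")      # a desktop on the LAN (constructed)
VM = ipaddress.ip_address("10.0.20.10")     # a VM on VLAN 20 (constructed)
Table = List[Tuple[str, str]]               # (prefix, next-hop node name or "DELIVER")


def build_tables(variant: str) -> Dict[str, Table]:
    """Route tables for the three variants discussed in the post above.

    "static-on-pfsense":  pfSense has a static route to VLAN 20 via VyOS, and VyOS
                          also has an address on the LAN (the asymmetric case).
    "static-on-every-pc": as above, but every PC carries its own route via VyOS.
    "transit-vlan":       VyOS and pfSense talk only across a dedicated transit subnet.
    """
    pc: Table = [(LAN, "DELIVER"), (DEFAULT, "pfsense")]
    vm: Table = [(VLAN20, "DELIVER"), (DEFAULT, "vyos")]
    pfsense: Table = [(LAN, "DELIVER"), (VLAN20, "vyos"), (DEFAULT, "internet")]
    vyos: Table = [(VLAN20, "DELIVER"), (DEFAULT, "pfsense")]
    if variant == "transit-vlan":
        pfsense.append((TRANSIT, "DELIVER"))
        vyos.append((TRANSIT, "DELIVER"))
    else:
        vyos.append((LAN, "DELIVER"))        # VyOS leg on the LAN: it answers the PC directly
        if variant == "static-on-every-pc":
            pc.insert(0, (VLAN20, "vyos"))
    return {"pc": pc, "vm": vm, "pfsense": pfsense, "vyos": vyos}


def lookup(table: Table, dst) -> Optional[str]:
    """Longest-prefix match; returns the next hop, or None when no route matches."""
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(tables: Dict[str, Table], src: str, dst) -> List[str]:
    """Routers a packet from src to dst passes through, in order (src itself excluded)."""
    path, node = [], src
    for _ in range(16):                       # bound the walk in case of a routing loop
        hop = lookup(tables[node], dst)
        if hop is None or hop == "DELIVER" or hop not in tables:
            break                             # delivered on-link, dropped, or left the model
        path.append(hop)
        node = hop
    return path


def symmetric(tables: Dict[str, Table], a: str, a_addr, b: str, b_addr) -> bool:
    """True when the return path visits the same routers in reverse order.

    A stateful firewall such as pfSense only tracks a flow when it sees both directions."""
    return trace(tables, a, b_addr) == list(reversed(trace(tables, b, a_addr)))


if __name__ == "__main__":
    for variant in ("static-on-pfsense", "static-on-every-pc", "transit-vlan"):
        t = build_tables(variant)
        print(f"{variant:20} PC->VM via {trace(t, 'pc', VM)}, VM->PC via {trace(t, 'vm', PC)}, "
              f"symmetric={symmetric(t, 'pc', PC, 'vm', VM)}")
```

With the static route only on pfSense, the PC's packets go PC -> pfSense -> VyOS while the VM's replies go VyOS -> PC directly, so pfSense sees half the conversation; the transit VLAN variant puts pfSense on both legs without touching any PC.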
 
the external physical switch is an unmanaged one.
If you go this route, anything hanging on that switch will be outside of your VLANs. That would make it difficult, if not impossible, for devices outside of your host to communicate with your VMs, depending on how open you want your firewall rules to be. At that point you start to lose the value of the VLANs. Why do you want to use VLANs? What are you hoping to accomplish?
 
If you go this route, anything hanging on that switch will be outside of your VLANs. That would make it difficult, if not impossible, for devices outside of your host to communicate with your VMs, depending on how open you want your firewall rules to be. At that point you start to lose the value of the VLANs. Why do you want to use VLANs? What are you hoping to accomplish?
As far as I know, an unmanaged switch will drop all VLAN packets anyway.

I don't think there is any unmanaged switch available at all that will dumb-forward VLANs from one port to all ports. If that's possible at all :)
 
As far as I know, an unmanaged switch will drop all VLAN packets anyway.

I don't think there is any unmanaged switch available at all that will dumb-forward VLANs from one port to all ports. If that's possible at all :)
We are saying the same thing. You can modify the firewall rules for the VLAN to accept traffic from the unmanaged switch, but then what's the point of having the VLAN?
 
As far as I know, an unmanaged switch will drop all VLAN packets anyway.

I don't think there is any unmanaged switch available at all that will dumb-forward VLANs from one port to all ports. If that's possible at all :)
My experience is the opposite:
unmanaged switches don't dare to look at VLAN tags and act as if all ports were "hybrid" ports (forward tagged and untagged packets "everywhere").
 
My experience is the opposite:
unmanaged switches don't dare to look at VLAN tags and act as if all ports were "hybrid" ports (forward tagged and untagged packets "everywhere").
Depends on the switch; most unmanaged ones see the packets simply as corrupted.

However, it's something I tested once, long ago.
So I'm not sure what happens.
Tbh, I haven't had any unmanaged switch for probably 10 years, not even at home...
Not even in my Mum's home xD

So I actually don't know what modern unmanaged switches will do with VLAN packets.
 
Hello guys. You can assume my plan is to create a simple network environment of the kind commonly seen in many households. The only difference is that it is a virtual one. So, just ignore the physical router and the physical switch that are outside of the host.

In my diagram, imagine that
Code:
"Linux/OVS Bridge" = "Internet";
"Virtual router / firewall" = "Broadband router"
"Virtual switch" = "Simple network switch"
"VM" = "Desktop / laptop"

Although the virtual router and switch that I'll use need to have more functions than those used in households.
 
To be more specific, I need something that can act in the role of the "Virtual managed network switch".
Some examples are Cisco IOSv or Juniper virtual JunOS. These companies provide images that can run on KVM, ESXi, GNS3, etc.
However, they're neither free nor open source. If Proxmox VE Linux/OVS or SDN can do the same things as a layer-two switch, then it's fine. If not, I'm eager to know of any similar virtual switch images that are available.
 
The EVPN SDN zone can do all the routing without an extra router VM (and works with multiple hosts in a cluster with a VXLAN overlay).
 
Hi,

Maybe another idea for your situation.

You could simplify your network design by using a single virtual device (which can act as a firewall and as a switch, and do many other network things which can be useful).

You can use Mikrotik CHR, which is cheap, about 20-30 euro lifetime if I remember. You can also use on CHR a package (Dude) as a monitoring system (auto discovery, SNMP, graphics, notify system). You can also use the free CHR version to get an idea (but every interface is limited to 10 Mbit if I remember; this is the only restriction). You have a CHR image in GNS3.

Good luck / Bafta !
 
Hi,

Maybe another idea for your situation.

You could simplify your network design by using a single virtual device (which can act as a firewall and as a switch, and do many other network things which can be useful).

You can use Mikrotik CHR, which is cheap, about 20-30 euro lifetime if I remember. You can also use on CHR a package (Dude) as a monitoring system (auto discovery, SNMP, graphics, notify system). You can also use the free CHR version to get an idea (but every interface is limited to 10 Mbit if I remember; this is the only restriction). You have a CHR image in GNS3.

Good luck / Bafta !
I'm trying your suggestion now by using pfSense as a combination of virtual router/firewall + switch.
After studying the pfSense documentation, I realise that it allows users to add an unlimited number of virtual interfaces, compared to IPFire which allows a maximum of 4 interfaces (zones) only.
The WAN port on pfSense is connected to the OVS bridge, which is the host's physical interface.
The LAN/OPT ports are connected to several SDN Simple vNets to form different subnets.
The whole network may not need any VLAN at all.
My next goal is to set routing and firewall rules between the subnets.
 
Not sure why make it complicated; a Linux bridge is a (virtual) switch.

So make a bridge for each 'internal' VLAN but don't connect it to any physical interface; only connect the VMs that need to talk to said "VLAN". Controlling whether the hosts on the bridge need access to the Internet through OPNsense is just a matter of connecting the bridge to OPNsense. Then in OPNsense, set up DHCP, routing or firewall rules for each 'interface'.

You can do VLANs on Linux bridges; the bridge doesn't "need to" be connected to a physical interface. It is still a good educational tool if you want to work with VLANs.
https://developers.redhat.com/blog/2017/09/14/vlan-filter-support-on-bridge
https://pve.proxmox.com/wiki/Network_Configuration#sysadmin_network_vlan
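To make concrete what a VLAN-aware Linux bridge does with the frames in the thread (louie's `bridge-vlan-aware yes` / `bridge-vids 2-4094` config with per-VM VLAN tags, and the question above of whether an unmanaged switch forwards tagged frames), here is a small forwarding model. It is an added example, not code from the thread, from Proxmox or from the kernel's bridge implementation; the port names (`enp18s0`, `tap100i0`, `tap101i0`), MAC addresses and VLAN ids are constructed. The tag-blind switch class follows the "forwards tagged and untagged frames everywhere" behaviour one poster describes; the thread itself notes that real unmanaged switches differ, so it is a model of that description, not of any product.

```python
"""Model of a VLAN-aware Linux bridge beside a tag-blind (unmanaged) switch.

Added example, not code from this thread, from Proxmox or from the Linux kernel.
Port names, MAC addresses and VLAN ids are constructed for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    pvid: Optional[int] = None                       # VID given to untagged ingress frames
    vids: Set[int] = field(default_factory=set)      # VIDs allowed on this port
    untagged: Set[int] = field(default_factory=set)  # VIDs whose tag is stripped on egress


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None                        # None: no 802.1Q tag on the frame


def access(name: str, vid: int) -> Port:
    """Port as Proxmox configures a VM NIC with a VLAN tag: one VID, PVID, untagged egress."""
    return Port(name, pvid=vid, vids={vid}, untagged={vid})


def trunk(name: str, vids) -> Port:
    """Uplink port: every listed VID allowed, all of them tagged on egress."""
    return Port(name, pvid=None, vids=set(vids), untagged=set())


class VlanAwareBridge:
    """Per-VLAN MAC learning and forwarding, as a bridge with VLAN filtering does."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.fdb: Dict[tuple, str] = {}              # (vid, mac) -> port that owns the mac

    def ingress(self, port_name: str, frame: Frame) -> Dict[str, Frame]:
        """Return {egress port: frame as it leaves}; an empty dict means the frame was dropped."""
        port = self.ports[port_name]
        if frame.vid is None:
            vid = port.pvid
            if vid is None:
                return {}                            # untagged frame, port has no PVID: drop
        else:
            vid = frame.vid
            if vid not in port.vids:
                return {}                            # VID not allowed on ingress port: drop
        self.fdb[(vid, frame.src)] = port_name
        known = self.fdb.get((vid, frame.dst))
        if known is None:                            # unknown destination: flood within the VLAN
            targets = [n for n, p in self.ports.items() if n != port_name and vid in p.vids]
        elif known != port_name:
            targets = [known]
        else:
            targets = []                             # destination sits on the ingress port
        return {n: Frame(frame.src, frame.dst, None if vid in self.ports[n].untagged else vid)
                for n in targets}


class TagBlindSwitch:
    """Unmanaged switch as one poster describes it: ignores tags, one flat forwarding table."""

    def __init__(self, port_names):
        self.ports = list(port_names)
        self.fdb: Dict[str, str] = {}

    def ingress(self, port_name: str, frame: Frame) -> Dict[str, Frame]:
        self.fdb[frame.src] = port_name
        known = self.fdb.get(frame.dst)
        if known is None:
            targets = [n for n in self.ports if n != port_name]
        elif known != port_name:
            targets = [known]
        else:
            targets = []
        return {n: frame for n in targets}           # tag, if any, passes through untouched


def demo():
    """Constructed topology: vmbr0 with trunk enp18s0 (bridge-vids 2-4094 as in the
    config posted earlier in the thread), a VM on VLAN 66 and a VM on VLAN 20."""
    br = VlanAwareBridge([trunk("enp18s0", range(2, 4095)),
                          access("tap100i0", 66), access("tap101i0", 20)])
    bcast = "ff:ff:ff:ff:ff:ff"
    # 1. Untagged broadcast from the VLAN 66 VM: floods to the trunk tagged 66, never to VLAN 20.
    flood = br.ingress("tap100i0", Frame("02:00:00:00:00:66", bcast))
    # 2. Reply from the router behind the trunk, tagged 66: MAC was learned, unicast, tag stripped.
    reply = br.ingress("enp18s0", Frame("02:00:00:00:00:01", "02:00:00:00:00:66", vid=66))
    # 3. Tagged VLAN 20 frame from the trunk reaches only the VLAN 20 access port.
    v20 = br.ingress("enp18s0", Frame("02:00:00:00:00:01", bcast, vid=20))
    # 4. The same tagged frame through a tag-blind switch lands on every other port, tag intact.
    blind = TagBlindSwitch(["p1", "p2", "p3"]).ingress("p1", Frame("02:00:00:00:00:01", bcast, vid=20))
    return flood, reply, v20, blind


if __name__ == "__main__":
    for label, result in zip(("flood", "reply", "vlan20", "tag-blind"), demo()):
        print(label, {port: f.vid for port, f in result.items()})
```

The two access ports never see each other's traffic even though they hang off the same bridge, which is the isolation the thread is after; the same frame through the tag-blind model reaches everything, which is why the posters above point out that anything on an unmanaged switch ends up outside the VLAN scheme.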
 