Network with HUB behavior?

manzke89

Member
Sep 1, 2023
Hello, I have a few questions about Proxmox network configurations. I have a Proxmox server with multiple VMs, and some of them are on the same VLAN. The issue is that VMs sharing the same VLAN can see each other's traffic, as if vmbr were acting like a HUB. Is there a solution to this problem?
 
The issue is that VMs sharing the same VLAN can see each other's traffic, as if vmbr were acting like a HUB. Is there a solution to this problem?
For that there is the new SDN or you could use the PVE firewall to prevent communication between the VMs.
 
Can you post the output of the following commands?

Code:
ip link show master <bridge>
bridge fdb show br <bridge>
ip -details -pretty -json link show <bridge>
 
Can you post the output of the following commands?

Code:
ip link show master <bridge>
bridge fdb show br <bridge>
ip -details -pretty -json link show <bridge>
ip link show master vmbr0
6: enp65s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether 90:e2:ba:47:17:86 brd ff:ff:ff:ff:ff:ff
11: tap902i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 12:03:8a:1e:03:f3 brd ff:ff:ff:ff:ff:ff
12: tap902i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 6a:ae:8e:5a:48:65 brd ff:ff:ff:ff:ff:ff
13: tap903i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 36:15:5f:f3:a0:a4 brd ff:ff:ff:ff:ff:ff
14: tap901i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 2e:93:88:0c:3a:a7 brd ff:ff:ff:ff:ff:ff
15: tap901i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 72:d4:bb:68:bb:31 brd ff:ff:ff:ff:ff:ff
16: tap907i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 3e:db:34:73:f6:77 brd ff:ff:ff:ff:ff:ff
17: tap907i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 52:c2:25:78:62:d9 brd ff:ff:ff:ff:ff:ff
18: tap1001i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 4a:57:32:29:93:55 brd ff:ff:ff:ff:ff:ff
19: tap1001i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether e6:90:eb:be:df:12 brd ff:ff:ff:ff:ff:ff
22: fwpr1001p2@fwln1001i2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether c2:77:ba:42:61:a1 brd ff:ff:ff:ff:ff:ff
24: tap1001i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether b6:d9:2b:58:74:34 brd ff:ff:ff:ff:ff:ff
57: fwpr9000p0@fwln9000i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether be:23:ea:08:e1:4f brd ff:ff:ff:ff:ff:ff
119: tap2002i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 4a:ce:52:87:88:b0 brd ff:ff:ff:ff:ff:ff
120: tap905i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 3a:15:46:66:de:e6 brd ff:ff:ff:ff:ff:ff
121: tap905i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 7a:13:58:3f:15:af brd ff:ff:ff:ff:ff:ff
122: tap905i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether b6:f3:5c:50:7a:18 brd ff:ff:ff:ff:ff:ff
123: tap905i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 6e:4b:aa:dd:ab:cf brd ff:ff:ff:ff:ff:ff
126: tap1002i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether ae:d1:e6:34:7f:2d brd ff:ff:ff:ff:ff:ff
127: tap1002i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether be:28:49:6a:ae:7e brd ff:ff:ff:ff:ff:ff
128: tap1002i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 4e:79:e4:ee:18:74 brd ff:ff:ff:ff:ff:ff
129: tap1002i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 12:27:15:37:a7:1f brd ff:ff:ff:ff:ff:ff
161: tap908i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 6e:f0:48:bd:35:ec brd ff:ff:ff:ff:ff:ff
162: tap908i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether be:e0:c9:bc:fd:2a brd ff:ff:ff:ff:ff:ff
163: tap908i2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 02:6e:7d:28:6f:28 brd ff:ff:ff:ff:ff:ff
164: tap908i3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 0a:33:b4:53:0a:5d brd ff:ff:ff:ff:ff:ff
165: tap908i4: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 82:6a:e4:3c:f9:eb brd ff:ff:ff:ff:ff:ff
166: tap908i5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether da:c6:19:7a:d6:64 brd ff:ff:ff:ff:ff:ff
167: tap908i6: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 76:fc:85:34:ab:f6 brd ff:ff:ff:ff:ff:ff
168: veth9999i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP mode DEFAULT group default qlen 1000
link/ether fe:aa:62:33:7c:00 brd ff:ff:ff:ff:ff:ff link-netnsid 0
169: tap9998i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 8a:c6:76:da:9e:8a brd ff:ff:ff:ff:ff:ff
170: tap904i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether f2:78:b4:da:6d:d0 brd ff:ff:ff:ff:ff:ff
171: tap990i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 2a:0b:5f:39:f0:bf brd ff:ff:ff:ff:ff:ff
172: tap990i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether de:67:0c:d8:b8:c8 brd ff:ff:ff:ff:ff:ff
177: tap995i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether c6:7f:aa:68:46:79 brd ff:ff:ff:ff:ff:ff
182: tap2004i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 8e:df:08:23:b5:cd brd ff:ff:ff:ff:ff:ff

ip -details -pretty -json link show vmbr0
[ {
"ifindex": 9,
"ifname": "vmbr0",
"flags": [ "BROADCAST","MULTICAST","UP","LOWER_UP" ],
"mtu": 1500,
"qdisc": "noqueue",
"operstate": "UP",
"linkmode": "DEFAULT",
"group": "default",
"txqlen": 1000,
"link_type": "ether",
"address": "90:e2:ba:47:17:86",
"broadcast": "ff:ff:ff:ff:ff:ff",
"promiscuity": 1,
"allmulti": 1,
"min_mtu": 68,
"max_mtu": 65535,
"linkinfo": {
"info_kind": "bridge",
"info_data": {
"forward_delay": 0,
"hello_time": 200,
"max_age": 2000,
"ageing_time": 30000,
"stp_state": 0,
"priority": 32768,
"vlan_filtering": 1,
"vlan_protocol": "802.1Q",
"bridge_id": "8000.90:e2:ba:47:17:86",
"root_id": "8000.90:e2:ba:47:17:86",
"root_port": 0,
"root_path_cost": 0,
"topology_change": 0,
"topology_change_detected": 0,
"hello_timer": 0.00,
"tcn_timer": 0.00,
"topology_change_timer": 0.00,
"gc_timer": 1.75,
"vlan_default_pvid": 1,
"vlan_stats_enabled": 0,
"vlan_stats_per_port": 0,
"group_fwd_mask": "0",
"group_addr": "01:80:c2:00:00:00",
"mcast_snooping": 0,
"no_linklocal_learn": 0,
"mcast_vlan_snooping": 0,
"mcast_router": 1,
"mcast_query_use_ifaddr": 0,
"mcast_querier": 0,
"mcast_hash_elasticity": 16,
"mcast_hash_max": 512,
"mcast_last_member_cnt": 2,
"mcast_startup_query_cnt": 2,
"mcast_last_member_intvl": 100,
"mcast_membership_intvl": 26000,
"mcast_querier_intvl": 25500,
"mcast_query_intvl": 12500,
"mcast_query_response_intvl": 1000,
"mcast_startup_query_intvl": 3124,
"mcast_stats_enabled": 0,
"mcast_igmp_version": 2,
"mcast_mld_version": 1,
"nf_call_iptables": 0,
"nf_call_ip6tables": 0,
"nf_call_arptables": 0
}
},
"inet6_addr_gen_mode": "eui64",
"num_tx_queues": 1,
"num_rx_queues": 1,
"gso_max_size": 65536,
"gso_max_segs": 65535,
"tso_max_size": 65536,
"tso_max_segs": 65535,
"gro_max_size": 65536
} ]
 
How did you determine this? Are you really seeing ALL traffic, or just some? It is not true that switches isolate all traffic. Some things will appear on all ports even with a switched network.

For example, switches will forward broadcasts to all ports always so you will see things like ARP, IPv6 Neighbor Discovery, DHCP requests, etc, on all ports. You might see multicast traffic as well depending on whether IGMP snooping is enabled. You might also see one packet of a unicast when one of the nodes has aged out of the forwarding table.
 
How did you determine this? Are you really seeing ALL traffic, or just some? It is not true that switches isolate all traffic. Some things will appear on all ports even with a switched network.

For example, switches will forward broadcasts to all ports always so you will see things like ARP, IPv6 Neighbor Discovery, DHCP requests, etc, on all ports. You might see multicast traffic as well depending on whether IGMP snooping is enabled. You might also see one packet of a unicast when one of the nodes has aged out of the forwarding table.
If I place a VM with Linux or a CHR Mikrotik, without putting an IP on the interface, and run a tcpdump, I see traffic from the other hosts both leaving and entering.
 
As I said, there are certain types of traffic that are supposed to get sent to all ports of a switch. I did not list them all (for example, certain Microsoft protocols). If you think something is broken or misconfigured you will have to be more specific about what traffic you think is being wrongly forwarded. Just saying that "I see traffic" means nothing because you normally will see some traffic.
 
If you really feel like there is traffic visible that shouldn't be visible please attach a tcpdump from inside the guest made with the following command, otherwise it will be hard to gauge.

Code:
tcpdump -envi <interface> -w output.pcap
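A way to triage such a capture against the explanation given above (an added example, not code from the thread or from Proxmox): it takes the text form of the guest capture (`tcpdump -enr output.pcap`) and a `bridge fdb show br vmbr0` snapshot taken on the host at the same time, and sorts each frame into expected flooding (broadcast, multicast, unknown unicast) versus unicast that the bridge had already learned on a different port, which is the only category that would indicate hub-like behaviour. The guest MAC/port pair is taken from the `ip link` output posted earlier; the FDB entries and capture lines are constructed.

```python
import re
from collections import Counter

# The VM running tcpdump: tap901i0 / 2e:93:88:0c:3a:a7 from the ip link output in the thread
GUEST_MAC, GUEST_PORT = "2e:93:88:0c:3a:a7", "tap901i0"

# Constructed `bridge fdb show br vmbr0` output (iproute2 format, entries invented)
FDB = """\
2e:93:88:0c:3a:a7 dev tap901i0 master vmbr0
36:15:5f:f3:a0:a4 dev tap903i0 master vmbr0
12:03:8a:1e:03:f3 dev tap902i0 master vmbr0
"""
# Constructed `tcpdump -en` lines as seen inside the guest
CAPTURE = """\
12:00:00.000001 12:03:8a:1e:03:f3 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.3 tell 10.0.0.2
12:00:00.000002 12:03:8a:1e:03:f3 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::1 > ff02::1: ICMP6, router advertisement
12:00:00.000003 36:15:5f:f3:a0:a4 > 2e:93:88:0c:3a:a7, ethertype IPv4 (0x0800), length 98: 10.0.0.3 > 10.0.0.1: ICMP echo request
12:00:00.000004 36:15:5f:f3:a0:a4 > 5e:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: 10.0.0.3 > 10.0.0.9: ICMP echo request
12:00:00.000005 36:15:5f:f3:a0:a4 > 12:03:8a:1e:03:f3, ethertype IPv4 (0x0800), length 98: 10.0.0.3 > 10.0.0.2: ICMP echo request
"""

FDB_RE = re.compile(r"^([0-9a-f:]{17}) dev (\S+)")          # "<mac> dev <port> ..."
FRAME_RE = re.compile(r"^\S+ ([0-9a-f:]{17}) > ([0-9a-f:]{17}),")  # "<ts> <src> > <dst>, ..."

def parse_fdb(text):
    # Map MAC -> bridge port on which the bridge learned it
    return {m.group(1).lower(): m.group(2)
            for m in map(FDB_RE.match, text.splitlines()) if m}

def classify(dst, guest_mac, guest_port, fdb):
    """Say whether a frame with this destination is expected to reach the guest's port."""
    dst = dst.lower()
    if dst == guest_mac:
        return "unicast-to-me"
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast-flood"          # always delivered to every port
    if int(dst[:2], 16) & 1:               # I/G bit set: multicast group address
        return "multicast-flood"          # flooded when snooping is off (mcast_snooping 0 above)
    port = fdb.get(dst)
    if port is None:
        return "unknown-unicast-flood"    # not in the FDB (e.g. aged out), so flooded
    return "unicast-to-me" if port == guest_port else "LEAK"

def audit(capture, fdb_text, guest_mac=GUEST_MAC, guest_port=GUEST_PORT):
    """Return (category counts, capture lines whose destination the bridge knows on another port)."""
    fdb, counts, leaks = parse_fdb(fdb_text), Counter(), []
    for m in filter(None, map(FRAME_RE.match, capture.splitlines())):
        cat = classify(m.group(2), guest_mac.lower(), guest_port, fdb)
        counts[cat] += 1
        if cat == "LEAK":
            leaks.append(m.string)
    return counts, leaks
```

FDB entries age out (the posted `ageing_time` of 30000 is the 300-second default), so take the FDB snapshot while the capture is running; otherwise a stale table misfiles ordinary unknown-unicast flooding as a leak.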
 
Has this ever been solved? Seeing something like this here also...
 
There isn't anything to solve. Bridges broadcast some traffic to all ports.
I am not talking about some traffic... it is "ALL" traffic in a VLAN where we have about 15 OPNsense firewalls... all see "every" traffic from every other node, even directed to foreign addresses... that's why I asked...
 
If you really feel like there is traffic visible that shouldn't be visible please attach a tcpdump from inside the guest made with the following command, otherwise it will be hard to gauge.

Code:
tcpdump -envi <interface> -w output.pcap
I am ready to provide this but don't want to upload it here in the Forum. Can I send it to you directly? There are public RIPE-IPs involved...
 
I am ready to provide this but don't want to upload it here in the Forum. Can I send it to you directly? There are public RIPE-IPs involved...
Yes, you can just send this to me via DM. Please also include the host networking configuration.
 