Networking issue

A

andy72

New Member
Dec 29, 2018
12
0
1
52
Hi,

I'm in the process of migrating from ESXi to Proxmox.

My last VM is the most complex; the firewall.

This VM has several network interfaces. I have an OVS defined in the Proxmox host which works really well. The switch only has three items;
  • The OVS switch itself.
  • The physical port on the host.
  • An OVS IntPort with the management IP of the host bound to it and the matching VLAN.
I add ports to the VMs with the correct VLAN number in the port config, and then packets are (I assume) tagged appropriately by the OVS before being forwarded to my physical switch.

I have a VM in a DMZ which has some management software running on my workstation (on the internal network) which communicates with a service running on the VM in the DMZ over a high-numbered port.

I have my firewall VM on the ESXi host where it works without issue. I can manage the software, the OS in the VM can reach the internet and patch, etc.

When I move the firewall VM to my Proxmox host, I get very strange things occurring;
  • I can ping the DMZ VM.
  • nmap from my internal workstation to the DMZ VM shows the high-numbered port open, as well as the SSH port.
  • The DMZ VM has an ARP entry for the firewall VM, and vice versa.
  • I can see rules passing traffic as I would expect in the firewall VM's filter log.
But;
  • I cannot SSH from my internal workstation to the DMZ VM.
  • The management SW from my workstation cannot connect to the service on the DMZ VM.
I span up another VM in the DMZ VLAN, and I can SSH from it to the other DMZ VMs without issue.

So it seems that IP is routing to the firewall VM, but not out again.

Proxmox has a built in firewall - could it be playing a part in this issue?

Thanks!
 
Hi
andy72 said:
Proxmox has a built in firewall - could it be playing a part in this issue?
Click to expand...
The default Firewall setting is off, so if you did not enable it there is no impact.

Why you use OVS. OVS is complex and for the most tasks not necessary.
 
Thanks Wolfgang, I just wanted to make sure I hadn't missed something. I'll keep trying.

I actually thought default Proxmox switching (does this mechanism have a name?) looked more complex! It seemed to require a switch per VLAN, and then moving guest ports between switches to manage VLAN assignments. OVS, once configured, is just a tag specified on the guest NIC.

I also thought OVS looked more like the direction that Proxmox/KVM would be heading in future releases.

Would you recommend moving away from OVS?
 
andy72 said:
does this mechanism have a name?
Click to expand...
linux bridges.

andy72 said:
looked more complex!
Click to expand...
It has fewer components and fewer interfaces.

andy72 said:
It seemed to require a switch per VLAN
Click to expand...
For this, there is a button "VLAN aware" this makes the Linux bridge capable to handle VLAN.

andy72 said:
Would you recommend moving away from OVS?
Click to expand...
Use Linux Bridges with VLAN awareness this is perfect for most cases.
OVS is nothing you like it is more a thing you need if you need it.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom