One physical NIC multiple subnets

kmil

New Member
Feb 27, 2012
Hi all,

I'm trying to configure the network on a Proxmox host, but I am finding some problems.

My idea is to configure 3 subnets on the same NIC.


subnet 1: 172.16.10.0/24
subnet 2: 172.16.15.0/24
subnet 3: 172.16.20.0/24


Router: 192.168.1.1

I created four bridge interfaces


vmbr0
vmbr10
vmbr15
vmbr20

My network configuration in Proxmox server is this:

Name    Active  Autostart  Ports/Slaves  IP address      Subnet mask    Gateway
eth0    yes     No
vmbr0   yes     yes        eth0          192.168.1.254   255.255.255.0  192.168.1.1
vmbr10  yes     yes        vmbr0         172.16.10.254   255.255.255.0
vmbr15  yes     yes        vmbr0         172.16.15.254   255.255.255.0
vmbr20  yes     yes        vmbr0         172.16.20.254   255.255.255.0





First, I installed a virtual firewall in my infrastructure, an ASTARO virtual appliance.

The firewall has two interfaces; this is the Astaro guest config:

External eth1: 192.168.1.100/24 GW: 192.168.1.1
Internal eth0: 172.16.10.100/24

This is the Proxmox config for the Astaro guest:

Network Device (net0), bridge=vmbr0
Network Device (net1), bridge=vmbr10

My idea is that all the subnets pass through the firewall to reach the internet and to go to the other networks.

I've gotten physical computers connected through the Internet network 172.16.10.0/24 go, but I have not gotten my VM with a CT.

In the CT I have tried to configure both interfaces as venet bridge and it is not working.


In summary:


- Multiple subnets on the same physical interface
- A firewall that controls the traffic on my network


If someone could help I would be very grateful; I have spent several days on this and cannot.


If you need more information such as the routing table, network configuration, etc., no problem.
 
Hi Kmil,

Did you proceed with this set of configuration? I'm looking at the same situation currently and I'm wondering if you have anything concrete there.

Thanks.

/Bkwy
 
So, if I understand, you want to use Proxmox as router + firewall?

What you need is:
Code:
internet (192.168.1.1)---------->eth0----> (192.168.1.254) vmbr0 - vmbr10 (172.16.10.254)<---------------------------vm -(172.16.10.X with gateway 172.16.10.254)
                                                                 - vmbr15 (172.16.15.254)
                                                                 - vmbr20 (172.16.20.254)

You don't need an internal ethX for vmbr10, 15, 20.

I think this setup should work

Code:
# Uplink bridge: holds the physical NIC and the host's LAN address
auto vmbr0
iface vmbr0 inet static
        address  192.168.1.254
        netmask  255.255.255.0
        gateway 192.168.1.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        # Enable IPv4 forwarding so the host routes between the bridges
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward


# Internal bridges: no physical port, the host address is the VMs' gateway
auto vmbr10
iface vmbr10 inet static
        address  172.16.10.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto vmbr15
iface vmbr15 inet static
        address  172.16.15.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto vmbr20
iface vmbr20 inet static
        address  172.16.20.254
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
 
Thanks, Spirit. I'll give it a go and report back.

/breakaway
 
Hi Spirit,

Fortunately/Unfortunately, this is half-working.

This is the /etc/network/interfaces in host. The parameters are referenced from Proxmox Wiki: Network Model.
Code:
auto lo
iface lo inet loopback


auto vmbr0
iface vmbr0 inet static
        address  192.168.145.104
        netmask  255.255.255.0
        gateway  192.168.145.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward


auto vmbr210
iface vmbr210 inet static
        address  192.168.210.104
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.210.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.210.0/24' -o eth0 -j MASQUERADE


auto vmbr220
iface vmbr220 inet static
        address  192.168.220.104
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.220.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.220.0/24' -o eth0 -j MASQUERADE


auto vmbr230
iface vmbr230 inet static
        address  192.168.230.104
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.230.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.230.0/24' -o eth0 -j MASQUERADE

This is the routing table on the host when 2 VMs boot up for vmbr210.
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.210.200 0.0.0.0         255.255.255.255 UH        0 0          0 venet0
192.168.210.201 0.0.0.0         255.255.255.255 UH        0 0          0 venet0
192.168.145.0   0.0.0.0         255.255.255.0   U         0 0          0 vmbr0
192.168.210.0   0.0.0.0         255.255.255.0   U         0 0          0 vmbr210
192.168.230.0   0.0.0.0         255.255.255.0   U         0 0          0 vmbr230
192.168.220.0   0.0.0.0         255.255.255.0   U         0 0          0 vmbr220
0.0.0.0         192.168.145.1   0.0.0.0         UG        0 0          0 vmbr0

=================================
Summary:
host: 192.168.145.104
VMs: 192.168.210.200; 192.168.210.201
=================================
Test case:
Pinging from host to VMs is good.
Pinging from VMs to host is good.

Pinging from other hosts (192.168.145.x) to VMs is not good.
Pinging from VMs to other hosts is not good either.

I've tried with veth as well in VMs, assigning static IPs of 192.168.210.xxx. That's giving the same behaviour.


For a single NIC to have multiple subnets, and each VM on the subnet to be able to access/be accessed:
is it possible to have such a setup working?

/Breakaway
 
Hi, I don't understand your setup. This is NAT and not routing.

So with your setup, your VMs' IPs are translated to your host IP (eth0).

Have you tried my setup (without the masquerading)?
 
Hi, I don't understand your setup.
You are doing NAT and not routing, so your VMs' IP addresses are translated to your host's eth0 IP address.
You need to remove these masquerade iptables rules.
 
You're right, Spirit.

I got confused. Been trying a lot of setups on the same server. Will remove masquerade rules and try it out again.
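
A small check relevant to the configs posted in this thread, as an added example that is not part of the original posts: it flags `auto` lines with no matching `iface` stanza (an easy slip when cloning bridge stanzas) and `post-up` MASQUERADE rules, including a `-o` interface that is enslaved to a bridge. The function name `lint_interfaces` and the sample stanzas are constructed for illustration.

```python
# Constructed sample: a cloned stanza whose iface name was not updated,
# plus a NAT rule whose -o interface is a bridge port.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
        bridge_ports eth0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

auto vmbr15
iface vmbr10 inet static
        bridge_ports none
        post-up iptables -t nat -A POSTROUTING -s '172.16.15.0/24' -o eth0 -j MASQUERADE
"""

def lint_interfaces(text):
    """Return a list of findings for an ifupdown-style interfaces file."""
    findings, autos, ifaces, ports, nat = [], [], [], {}, []
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "auto":
            autos.extend(words[1:])
        elif words[0] == "iface" and len(words) > 1:
            current = words[1]
            if current in ifaces:
                findings.append(f"duplicate iface stanza: {current}")
            ifaces.append(current)
        elif words[0] == "bridge_ports" and current:
            ports[current] = [p for p in words[1:] if p != "none"]
        elif words[0] in ("up", "post-up") and "MASQUERADE" in words:
            out = words[words.index("-o") + 1] if "-o" in words[:-1] else None
            nat.append((current, out))
    for name in autos:
        if name not in ifaces:
            findings.append(f"auto {name} has no matching iface stanza")
    # Map each enslaved port to its bridge: iptables -o sees the bridge device.
    enslaved = {p: br for br, ps in ports.items() for p in ps}
    for stanza, out in nat:
        findings.append(f"{stanza}: MASQUERADE rule translates addresses (NAT, not routing)")
        if out in enslaved:
            findings.append(f"{stanza}: -o {out} is a port of bridge {enslaved[out]}; "
                            f"routed traffic leaves via {enslaved[out]}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_interfaces(SAMPLE)))
```
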
 
