A fresh install of Proxmox 6.2-10. I am trying to configure port mirroring with Open vSwitch. I installed Open vSwitch via apt install openvswitch-switch. I am running version 2.12:
root@pve:~# ovs-vsctl -V
ovs-vsctl (Open vSwitch) 2.12.0
DB Schema 8.0.0
Here is a screenshot of the PVE networking.
VMBR200 is the virtual interface used for the network. (VMBR0 is for management.)
Here is the networking output from the Proxmox host:
root@pve:~# ip -brief a | sort
eno1 UP fe80::ae1f:6bff:feb5:6fee/64
eno2 UP fe80::ae1f:6bff:feb5:6fef/64
ens1f0 DOWN
ens1f1 DOWN
fwbr100i0 UP
fwbr101i0 UP
fwbr102i0 UP
fwln100o0 UNKNOWN
fwln101o0 UNKNOWN
fwln102o0 UNKNOWN
lo UNKNOWN 127.0.0.1/8 ::1/128
ovs-system DOWN
rename6 DOWN
rename7 DOWN
tap102i0 UNKNOWN
tap103i0 UNKNOWN
veth100i0@if2 UP
veth101i0@if2 UP
vmbr0 UNKNOWN 10.10.101.10/24 fe80::a8b3:19ff:fe74:f147/64
vmbr200 UNKNOWN fe80::d854:20ff:fea1:944f/64
I created two containers (100 and 101) and two VMs (102 and 103) for testing that are attached to VMBR200. When they are running I have the two taps (tap102i0, tap103i0), as well as fwbr102i0. I unchecked the firewall option on the network device for VM 103 – that’s why there is no fwbr for that VM.
I found a post (https://github.com/0xvext/proxmox-seconiontap.sh/blob/master/proxmox-seconiontap.sh) that outlines how a user created a tap for Security Onion. I thought this was the post that explained the missing step. Initially, when I tried to use tap103i0 (VM 103) with ovs-vsctl, I received the following error:
root@pve:~# ovs-vsctl -- --id=@p get port tap103i0 \
> -- --id=@m create mirror name=span1 select-all=true output-port=@p \
> -- set bridge vmbr200 mirrors=@m
ovs-vsctl: Port does not contain a column whose name matches "--id"
Then I read about the firewall interface (fwbr102i0), and I tried to use it. The command successfully executed:
ovs-vsctl -- --id=@p get port fwln102o0 -- --id=@m create mirror name=span1 select-all=true output-port=@p \
-- set bridge vmbr200 mirrors=@m
I confirmed the mirror was successful:
root@pve:~# ovs-vsctl list mirror
_uuid : f6af350e-c0c7-415e-a589-0eeadade2d89
external_ids : {}
name : "span1"
output_port : da8c80fe-063d-4552-8542-6d89ab8b9fb4
output_vlan : []
select_all : true
select_dst_port : []
select_src_port : []
select_vlan : []
snaplen : []
statistics : {tx_bytes=342, tx_packets=6}
I went back to my VMs and from VM 104 (using VMBR200) I successfully started pinging www.google.de.
I then went to VM 102 and started tcpdump:
tcpdump -n -i ens18
I don’t see any traffic from VM 103 – I do see ICMP requests when they are directed at VM 102.
What have I done wrong? After creating the mirror I cannot ping between VMs – expected?
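As an added example (not code from the post), a small Python helper that parses the `ovs-vsctl list mirror` record above together with `ovs-vsctl list port` records, so the bare output_port UUID resolves to a port name; the two port records are constructed for offline use. It also flags the caveat that Open vSwitch reserves a mirror's output port exclusively for mirrored frames, which is why the VM behind fwln102o0 stops exchanging normal traffic once the mirror exists.

```python
"""Resolve an OVS mirror's output_port UUID to a port name and flag what that
implies. Added example; not from the forum post or the Open vSwitch project."""

# Mirror record copied from the post's `ovs-vsctl list mirror` output.
LIST_MIRROR = """\
_uuid : f6af350e-c0c7-415e-a589-0eeadade2d89
external_ids : {}
name : "span1"
output_port : da8c80fe-063d-4552-8542-6d89ab8b9fb4
output_vlan : []
select_all : true
select_dst_port : []
select_src_port : []
select_vlan : []
snaplen : []
statistics : {tx_bytes=342, tx_packets=6}
"""
# Constructed `ovs-vsctl list port` records (only the columns we need); the
# first UUID is the one the mirror above points at, the second is made up.
LIST_PORT = """\
_uuid : da8c80fe-063d-4552-8542-6d89ab8b9fb4
name : "fwln102o0"

_uuid : 1f2e3d4c-0000-4000-8000-000000000103
name : "tap103i0"
"""

def parse_records(text):
    """Split `ovs-vsctl list` output into dicts; records are blank-line separated."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip().strip('"')  # OVS 2.12 quotes names like "span1"
    if current:
        records.append(current)
    return records

def mirror_report(mirror_text, port_text):
    """For each mirror: resolved output port, whether it selects traffic, and a warning."""
    names = {p["_uuid"]: p["name"] for p in parse_records(port_text)}
    report = []
    for m in parse_records(mirror_text):
        out = names.get(m["output_port"], "<unknown port uuid>")
        selects = m["select_all"] == "true" or m["select_src_port"] != "[]" or m["select_dst_port"] != "[]"
        # Per the OVS schema docs, a mirror output port carries mirrored frames only;
        # anything else sent to or received on that port is discarded.
        warning = f"{out} is reserved for mirrored frames; its VM loses normal traffic"
        report.append({"mirror": m["name"], "output_port": out,
                       "selects_traffic": selects, "warning": warning})
    return report

if __name__ == "__main__":
    for entry in mirror_report(LIST_MIRROR, LIST_PORT):
        print(entry)
```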