OpenVSwitch for virtualized Firewall, not working

nicedevil

Member
Aug 5, 2021
Hey guys, I ran into a problem that may be caused by the vmbridges, but I'm not absolutely sure.

Right now I have a host with an Intel 11th gen 4-core CPU that should be more than enough to run any firewall for home usage.
On this Proxmox host I have installed a Sophos XG.
As I have always done on my other Proxmox hosts, I merged 5 of 6 LAN ports into vmbr0 and the last one into vmbr1.
These vmbrs are available to the Sophos XG, one for WAN and one for LAN.

My ISP provides an internet speed of 1 Gbit down / 50 Mbit up, and I'm only able to reach about 8 MB/s download (so less than 100 Mbit).
If I download the same file with my PC connected directly to the modem, I can reach up to 106 MB/s. So the ISP is not the problem, and neither are the modem or my PC.

A friend now told me that the issue might be that the virtual bridges need a lot of performance from the network chip, so it might be a better idea to pass the network cards through directly to the firewall and let the Sophos XG do its part in switching or creating bridges between those ports instead of Proxmox.

So now I want to ask you guys what the recommended way is to get rid of this bottleneck (if this is the bottleneck).

Thank you in advance.
 
Since yesterday I have found the Open vSwitch documentation and I guess I made everything right... at least I was able to connect to my PVE after setting everything up. What didn't work was my firewall and its DHCP server, so I couldn't connect to anything except devices with static IP addresses.

Maybe some of you can take a look at what I have configured?

This is my /etc/network/interfaces after setting up Open vSwitch:
Bash:
auto lo
iface lo inet loopback

iface enp3s0 inet manual

iface enp5s0 inet manual

iface enp6s0 inet manual

iface enp7s0 inet manual

iface enp8s0 inet manual

iface enp9s0 inet manual

# Bridge for our eth0 physical interfaces and vlan virtual interfaces (our VMs will
# also attach to this bridge)

# LAN Bridge
auto vmbr0
iface vmbr0 inet manual
  ovs_type OVSBridge
  ovs_ports enp3s0 enp5s0 enp6s0 enp7s0 enp8s0 vlan1
  ovs_mtu 9000

# WAN Interface
auto vmbr1
iface vmbr1 inet manual
  ovs_type OVSBridge
  ovs_ports enp9s0 vlan2
  ovs_mtu 9000

# Physical interface for traffic coming into the system.  Retag untagged
# traffic into vlan 1, but pass through other tags.
auto enp3s0
iface enp3s0 inet manual
  ovs_bridge vmbr0
  ovs_type OVSPort
  ovs_options tag=1 vlan_mode=native-untagged
  # Alternatively if you want to also restrict what vlans are allowed through
  # you could use:
  # ovs_options tag=1 vlan_mode=native-untagged trunks=10,20,30,40
  ovs_mtu 9000

auto enp5s0
iface enp5s0 inet manual
  ovs_bridge vmbr0
  ovs_type OVSPort
  ovs_options tag=1 vlan_mode=native-untagged
  ovs_mtu 9000

auto enp6s0
iface enp6s0 inet manual
  ovs_bridge vmbr0
  ovs_type OVSPort
  ovs_options tag=1 vlan_mode=native-untagged
  ovs_mtu 9000

auto enp7s0
iface enp7s0 inet manual
  ovs_bridge vmbr0
  ovs_type OVSPort
  ovs_options tag=1 vlan_mode=native-untagged
  ovs_mtu 9000

auto enp8s0
iface enp8s0 inet manual
  ovs_bridge vmbr0
  ovs_type OVSPort
  ovs_options tag=1 vlan_mode=native-untagged
  ovs_mtu 9000

auto enp9s0
iface enp9s0 inet manual
  ovs_bridge vmbr1
  ovs_type OVSPort
  ovs_options tag=2 vlan_mode=native-untagged
  ovs_mtu 9000

# Virtual interface to take advantage of originally untagged traffic
auto vlan1
iface vlan1 inet static
  ovs_type OVSIntPort
  ovs_bridge vmbr0
  ovs_options tag=1
  address 10.0.4.11
  netmask 255.255.255.0
  gateway 10.0.4.1
  ovs_mtu 1500

auto vlan2
iface vlan2 inet manual
  ovs_type OVSIntPort
  ovs_bridge vmbr1
  ovs_options tag=2
  ovs_mtu 1500

And this is my default one, which is working:

Bash:
auto lo
iface lo inet loopback

iface enp3s0 inet manual

iface enp5s0 inet manual

iface enp6s0 inet manual

iface enp7s0 inet manual

iface enp8s0 inet manual

iface enp9s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.0.4.11/24
    gateway 10.0.4.1
    bridge-ports enp3s0 enp5s0 enp6s0 enp7s0 enp8s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp9s0
    bridge-stp off
    bridge-fd 0
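An added example, not code from this thread or from Proxmox: a small Python parser for the OVS stanzas of an /etc/network/interfaces file like the one above. It reports ports listed in a bridge's ovs_ports whose own stanza binds them to a different bridge, uplinks whose MTU differs from the bridge, and notes which VLAN untagged traffic joins, since in OVS a port with no tag is a trunk and receives that traffic 802.1Q-tagged. SAMPLE is constructed from the posted layout with one deliberate wrong-bridge binding on enp5s0.

```python
# Added example (not from the post): parse OVS stanzas of an interfaces(5) file
# and cross-check the bridge topology. SAMPLE is constructed, enp5s0 is deliberately wrong.
import re

SAMPLE = """\
iface vmbr0 inet manual
  ovs_type OVSBridge
  ovs_ports enp3s0 enp5s0
  ovs_mtu 9000
iface enp3s0 inet manual
  ovs_bridge vmbr0
  ovs_type OVSPort
  ovs_options tag=1 vlan_mode=native-untagged
  ovs_mtu 9000
iface enp5s0 inet manual
  ovs_bridge vmbr1
  ovs_type OVSPort
  ovs_options tag=1 vlan_mode=native-untagged
"""

def parse_stanzas(text):
    """Return {iface: {option: value}}; comments and 'auto' lines are skipped."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, val = line.partition(" ")
        if key == "iface":
            cur = stanzas.setdefault(val.split()[0], {})
        elif line and key != "auto" and cur is not None:
            cur[key] = val.strip()
    return stanzas

def check_ovs(text):
    """Return findings per OVSBridge: membership, uplink MTU and native-VLAN notes."""
    st, findings = parse_stanzas(text), []
    for br, b in ((n, o) for n, o in st.items() if o.get("ovs_type") == "OVSBridge"):
        native, bmtu = set(), b.get("ovs_mtu", "1500")
        for port in b.get("ovs_ports", "").split():
            p = st.get(port, {})
            if p.get("ovs_bridge") != br:  # listed on this bridge, bound to another
                findings.append(f"{br}: {port} declares ovs_bridge={p.get('ovs_bridge', 'none')}")
            if p.get("ovs_type") == "OVSPort" and p.get("ovs_mtu", "1500") != bmtu:
                findings.append(f"{br}: uplink {port} mtu {p.get('ovs_mtu', '1500')} != bridge {bmtu}")
            m = re.search(r"tag=(\d+)", p.get("ovs_options", ""))
            if m and "native-untagged" in p["ovs_options"]:
                native.add(int(m.group(1)))
        for vid in sorted(native):  # OVS: a port with no tag is a trunk and gets VLAN vid tagged
            findings.append(f"{br}: untagged ingress becomes VLAN {vid}; untagged ports "
                            "(e.g. a VM NIC with no VLAN tag) receive it 802.1Q-tagged")
    return findings
```

Run it against the real file with check_ovs(open("/etc/network/interfaces").read()) to compare the findings with the ports the firewall VM actually sees.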