OpenvSwitch, VLAN, containers and firewall ...

2cadz, Active Member, Mar 22, 2016
Hi,

I configured OpenvSwitch on my Proxmox cluster (3 nodes) to have a private network (VXLAN) between my containers. Everything works correctly when the firewall is deactivated (at VM level), but as soon as it is activated there is no longer any inter-container communication (Destination Host Unreachable).
Is OVS with LXC containers and the firewall enabled supposed to work?

Thank you for your answers

Regards
 
For sure:
If you activate the firewall on this LXC, the interface changes from the original interface to a firewall interface. You cannot use a Layer 3/4 firewall on a Layer 2 switch/bridge.
e.g.:
ovs-vsctl show
911011b9-5617-4a98-895a-9b278d52442c
    Bridge ovsbr0
        Port vxlan10
            Interface vxlan10
                type: vxlan
                options: {key="100", local_ip="1.1.1.1", remote_ip="2.2.2.2"}
        Port vxlan11
            Interface vxlan11
                type: vxlan
                options: {key="100", local_ip="1.1.1.1", remote_ip="3.3.3.3"}
        Port ovsbr0
            Interface ovsbr0
                type: internal
    ovs_version: "3.1.0"
---
This is without an LXC attached. Now the additional interface with an LXC attached:
---
        Port veth4003i1
            Interface veth4003i1
---
Means LXC ID 4003 - Interface 1
---
This is with the firewall activated:
---
        Port fwln4003o1
            Interface fwln4003o1
                type: internal
---
IMHO Proxmox is plugging some other interface onto the LXC. What this exactly means, I don't know, but you are right - no ping is possible then.
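The two listings above differ only in the port name: with the firewall off the container's veth (veth4003i1, i.e. CT 4003, interface 1) sits directly on ovsbr0; with it on, Proxmox replaces that port with fwln4003o1, the OVS-side link port of the per-interface firewall bridge (fwbr<vmid>i<n>) that pve-firewall inserts between the guest veth and the main bridge, so the iptables rules can be applied on a Linux bridge in between. When hunting for the container that lost connectivity, it helps to see this classification for every port at once. The script below is an added example, not code from the thread or from Proxmox: it parses `ovs-vsctl show` text and tags each port as direct (veth<CTID>i<N>), firewall (fwln<CTID>o<N>), vxlan or other, extracting the CT ID and interface index. The sample listing is constructed from the output above, with a second container (CT 4004, firewall enabled) added so both cases appear; the addresses, keys and IDs are sample values.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Proxmox): classify the ports of an
# OVS bridge from `ovs-vsctl show` output so you can see which container interfaces
# are attached directly (veth<CTID>i<N>) and which have been re-plugged through a
# Proxmox firewall link port (fwln<CTID>o<N>) because the PVE firewall is enabled.

# Constructed sample output, modelled on the listing in the thread. CT 4004 is an
# assumed second container with the firewall enabled; IPs/keys are sample values.
SAMPLE_OVS_SHOW='911011b9-5617-4a98-895a-9b278d52442c
    Bridge ovsbr0
        Port vxlan10
            Interface vxlan10
                type: vxlan
                options: {key="100", local_ip="1.1.1.1", remote_ip="2.2.2.2"}
        Port vxlan11
            Interface vxlan11
                type: vxlan
                options: {key="100", local_ip="1.1.1.1", remote_ip="3.3.3.3"}
        Port veth4003i1
            Interface veth4003i1
        Port fwln4004o1
            Interface fwln4004o1
                type: internal
        Port ovsbr0
            Interface ovsbr0
                type: internal
    ovs_version: "3.1.0"'

# classify_ovs_ports: read `ovs-vsctl show` text on stdin and print one line per
# port: "<port> <kind> <ctid> <ifindex>", kind being direct|firewall|vxlan|other.
classify_ovs_ports() {
    awk '
        $1 == "Port" {
            port = $2
            kind = "other"; ctid = "-"; idx = "-"
            if (port ~ /^veth[0-9]+i[0-9]+$/) {
                # veth<CTID>i<N>: guest veth plugged straight into the OVS bridge
                kind = "direct"
                split(substr(port, 5), p, "i"); ctid = p[1]; idx = p[2]
            } else if (port ~ /^fwln[0-9]+o[0-9]+$/) {
                # fwln<CTID>o<N>: OVS internal port towards fwbr<CTID>i<N>
                kind = "firewall"
                split(substr(port, 5), p, "o"); ctid = p[1]; idx = p[2]
            } else if (port ~ /^vxlan/) {
                kind = "vxlan"
            }
            print port, kind, ctid, idx
        }'
}

# count_firewalled_ports: number of container interfaces on the bridge that the
# PVE firewall has re-plugged through an fwln port (runs on the sample above).
count_firewalled_ports() {
    printf '%s\n' "$SAMPLE_OVS_SHOW" | classify_ovs_ports | awk '$2 == "firewall"' | wc -l | tr -d ' '
}

# On a live node run:  ovs-vsctl show | classify_ovs_ports
printf '%s\n' "$SAMPLE_OVS_SHOW" | classify_ovs_ports
```

Run against a live node, any port reported as firewall is one where ping between containers over the VXLAN will depend on the rules of the inserted fwbr bridge, not just on the OVS switch; comparing the list against your CT IDs tells you quickly which guests have the firewall toggled on.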