[SOLVED] OpenvSwitch VLAN general question

S

silbro

Renowned Member
Aug 30, 2014
42
0
71
Hi all

I've got a general question. I'm new to OpenvSwitch. I have 3 proxmox servers in a cluster. I got openswitch installed on all of them. Each server has a bond of 2 network cards which I then connect to vmbr0. Everything works as excpected so far. Here is an example of a proxmox configuration:
1595853543646.png

When I use the vlan100 on VMs on the same host, they can talk to each other. If I setup the VMs on different hosts, they can't talk to each other. What would the correct way be to solve this?

1) Would I just need to make the physical switch have VLANs on the ports being used by the Proxmox hosts and also add trunks to the bond0?
2) Do I need to do this for all hosts in the cluster or is there a way to pass this info to all other hosts?
3) If I want the VMs to have access to the internet would you solve it with a virtual firewall (for example pfsense) or do this directly on the physical firewall?
4) When is GRE used and is it safe?
5) What would your recommended solution be?

This is a simple graphic of my setup:
1595854125283.png

My goal would be for VM1 to be able to talk to VM2 and also have Internet access. VM3 for example should be isolated from the other 2 but also have internet access.

Thanks for your opinions and help!
silbro
 
Hi,

why do you need OVS? the requirements you wrote here are can be done by Linux Network.

silbro said:
1) Would I just need to make the physical switch have VLANs on the ports being used by the Proxmox hosts and also add trunks to the bond0?
Click to expand...
The HW switch must normally be configured and accept the VLAN.
On the host, the VLAN is managed by the vswitch not by the bond.

silbro said:
2) Do I need to do this for all hosts in the cluster or is there a way to pass this info to all other hosts?
Click to expand...
You have to configure each host individually.
But you can copy the /etc/network/interfaces from host to host and change the IPs.

silbro said:
3) If I want the VMs to have access to the internet would you solve it with a virtual firewall (for example pfsense) or do this directly on the physical firewall?
Click to expand...
This depends on the use case.
I would only use virtual firewalls is I have a multi-tenant setup.

silbro said:
4) When is GRE used and is it safe?
Click to expand...
In what a way?
The traffic is not encrypted.

silbro said:
5) What would your recommended solution be?
Click to expand...
I would recommend you Linux vswitch with VLAN awareness.
then just tag the vnics on the VM and add the VLANs on the HW switch.
 
Hi Wolfgang

Thanks so much for your answers! In the meantime I was able to solve most problems and I'm glad you have verified some of my steps taken.

1)
The HW switch must normally be configured and accept the VLAN.
On the host, the VLAN is managed by the vswitch not by the bond.
Click to expand...
I configured the VLANs on the HW switch, made OVS IntPorts with the vlanXYZ as the name and then added the same VLAN Tag to the VM Network Device used in the VM. This worked perfectly. I don't know why I thought I needed to put the bridge into a vlan :rolleyes:

2)
You have to configure each host individually.
But you can copy the /etc/network/interfaces from host to host and change the IPs.
Click to expand...
Ok thanks. I thought there might be something like a distributed switch that vmware uses.

3)
This depends on the use case.
I would only use virtual firewalls is I have a multi-tenant setup.
Click to expand...
I would like a setup with the possibility to have multiple tenants. This is actually where I still don't have a solution. I would like to pass the public IP directly to the virtual firewall. Would I need another VLAN for this (so the VM traffic can't get to the mgmt network and other devices in the "normal" network) or what would your suggestion be? Does pfsense make sense to virtualize in this case?

4)
In what a way?
The traffic is not encrypted.
Click to expand...
I read about this on a website, but I found out this is nothing I need or want. Especially that the traffic is not secured.

5)
I would recommend you Linux vswitch with VLAN awareness.
then just tag the vnics on the VM and add the VLANs on the HW switch.
Click to expand...
This will definately be the way next time I have a setup like this.

thanks again, sincerely
silbro
 
silbro said:
Would I need another VLAN for this (so the VM traffic can't get to the mgmt network and other devices in the "normal" network) or what would your suggestion be?
Click to expand...
You have one VLAN for WAN(uplink traffic) and one VLAN for the tenant traffic.
How you use the public IP in your router VM depend on your ISP and network topology.
The Router VM transport the WAN traffic to a gateway what can be your modem, HW Firewall, ....
silbro said:
Does pfsense make sense to virtualize in this case?
Click to expand...
Yes, it is working perfectly for many users.
 
  • Like
Reactions: silbro
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back