[SOLVED] OpenvSwitch VLAN general question

silbro

Renowned Member
Aug 30, 2014
Hi all

I've got a general question. I'm new to OpenvSwitch. I have 3 proxmox servers in a cluster. I got OpenvSwitch installed on all of them. Each server has a bond of 2 network cards which I then connect to vmbr0. Everything works as expected so far. Here is an example of a proxmox configuration:
(screenshot of the Proxmox network configuration, not reproduced here)

When I use the vlan100 on VMs on the same host, they can talk to each other. If I setup the VMs on different hosts, they can't talk to each other. What would the correct way be to solve this?

1) Would I just need to make the physical switch have VLANs on the ports being used by the Proxmox hosts and also add trunks to the bond0?
2) Do I need to do this for all hosts in the cluster or is there a way to pass this info to all other hosts?
3) If I want the VMs to have access to the internet would you solve it with a virtual firewall (for example pfsense) or do this directly on the physical firewall?
4) When is GRE used and is it safe?
5) What would your recommended solution be?

This is a simple graphic of my setup:
(diagram of the setup, not reproduced here)

My goal would be for VM1 to be able to talk to VM2 and also have Internet access. VM3 for example should be isolated from the other 2 but also have internet access.

Thanks for your opinions and help!
silbro
 
Hi,

Why do you need OVS? The requirements you wrote here can be done by Linux networking.

1) Would I just need to make the physical switch have VLANs on the ports being used by the Proxmox hosts and also add trunks to the bond0?
The HW switch must normally be configured and accept the VLAN.
On the host, the VLAN is managed by the vswitch not by the bond.

2) Do I need to do this for all hosts in the cluster or is there a way to pass this info to all other hosts?
You have to configure each host individually.
But you can copy the /etc/network/interfaces from host to host and change the IPs.

3) If I want the VMs to have access to the internet would you solve it with a virtual firewall (for example pfsense) or do this directly on the physical firewall?
This depends on the use case.
I would only use virtual firewalls if I have a multi-tenant setup.

4) When is GRE used and is it safe?
In what way?
The traffic is not encrypted.

5) What would your recommended solution be?
I would recommend the Linux vswitch with VLAN awareness.
Then just tag the vNICs on the VM and add the VLANs on the HW switch.
 
Hi Wolfgang

Thanks so much for your answers! In the meantime I was able to solve most problems and I'm glad you have verified some of my steps taken.

1)
The HW switch must normally be configured and accept the VLAN.
On the host, the VLAN is managed by the vswitch not by the bond.
I configured the VLANs on the HW switch, made OVS IntPorts with the vlanXYZ as the name and then added the same VLAN Tag to the VM Network Device used in the VM. This worked perfectly. I don't know why I thought I needed to put the bridge into a vlan :rolleyes:

2)
You have to configure each host individually.
But you can copy the /etc/network/interfaces from host to host and change the IPs.
Ok thanks. I thought there might be something like a distributed switch that vmware uses.

3)
This depends on the use case.
I would only use virtual firewalls if I have a multi-tenant setup.
I would like a setup with the possibility to have multiple tenants. This is actually where I still don't have a solution. I would like to pass the public IP directly to the virtual firewall. Would I need another VLAN for this (so the VM traffic can't get to the mgmt network and other devices in the "normal" network) or what would your suggestion be? Does pfsense make sense to virtualize in this case?

4)
In what way?
The traffic is not encrypted.
I read about this on a website, but I found out this is nothing I need or want. Especially that the traffic is not secured.

5)
I would recommend the Linux vswitch with VLAN awareness.
Then just tag the vNICs on the VM and add the VLANs on the HW switch.
This will definitely be the way next time I have a setup like this.

thanks again, sincerely
silbro
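As an added example (not the configuration of either poster), here are the two /etc/network/interfaces layouts discussed above: the OVS bond, bridge and IntPort setup described under 1), and the VLAN-aware Linux bridge recommended under 5). Only one variant goes into the file on a given host; the NIC names eno1/eno2, VLAN 100 and the address 10.10.100.11/24 are assumptions.

```text
# --- Variant A: Open vSwitch (bond -> bridge -> IntPort), as in 1) ---
auto bond0
iface bond0 inet manual
    ovs_bridge vmbr0
    ovs_type OVSBond
    ovs_bonds eno1 eno2               # assumed NIC names
    ovs_options bond_mode=balance-tcp lacp=active other_config:lacp-time=fast

auto vmbr0
iface vmbr0 inet manual
    ovs_type OVSBridge
    ovs_ports bond0 vlan100           # the bond stays an untagged trunk

# The IntPort only gives the HOST an address in VLAN 100; VMs do not need it
auto vlan100
iface vlan100 inet static
    ovs_type OVSIntPort
    ovs_bridge vmbr0
    ovs_options tag=100
    address 10.10.100.11/24           # assumed; change per host when copying

# --- Variant B: VLAN-aware Linux bridge, as recommended in 5) ---
auto bond0
iface bond0 inet manual
    bond-slaves eno1 eno2
    bond-miimon 100
    bond-mode 802.3ad                 # switch ports must be an LACP trunk
    bond-xmit-hash-policy layer3+4

auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094                # VLANs the bridge forwards

auto vmbr0.100
iface vmbr0.100 inet static
    address 10.10.100.11/24           # host address in VLAN 100 (optional)

# Either variant: the VM vNIC carries the tag in /etc/pve/qemu-server/<vmid>.conf
#   net0: virtio=<mac>,bridge=vmbr0,tag=100
# The HW switch ports facing all three hosts must trunk VLAN 100, otherwise
# tagged frames are dropped between hosts (the symptom from the first post).
# A VM on tag=200 cannot reach tag=100 VMs unless a router joins the VLANs.
```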
 
Would I need another VLAN for this (so the VM traffic can't get to the mgmt network and other devices in the "normal" network) or what would your suggestion be?
You have one VLAN for WAN (uplink traffic) and one VLAN for the tenant traffic.
How you use the public IP in your router VM depends on your ISP and network topology.
The router VM transports the WAN traffic to a gateway, which can be your modem, HW firewall, ....
Does pfsense make sense to virtualize in this case?
Yes, it is working perfectly for many users.
 