pFsense and OVS switch with VLANs

S

supermario87

Renowned Member
Mar 19, 2012
28
1
68
Hi

I've this setup on my lab

Network.jpg

Since I need to separate the VMS into vlans and I dont have any real switch between pFsense and Proxmox Server, I need to setup a virtual switch on proxmox host and then attach al vms to the bridge as vlans/OVSIntport

The bond should see all the vlans since I manage the server from vpn or office subnets and I should firewall traffic from pfsense virtual interfaces.

This is my setup taken from wiki but i'm not sure that is functional.

Any help on a skeleton that I can the grow according to my needs?

With this setup I can reache the Proxmox webgui and all the vms attached to vmbr0 with vlan id=1 on the host can reach internet

Code: 
auto lo
iface lo inet loopback


allow-vmbr0 bond0
iface bond0 inet manual
    ovs_bonds eth0 eth1
    ovs_type OVSBond
    ovs_bridge vmbr0
    ovs_options bond_mode=balance-tcp lacp=active other_config:lacp-time=fast vlan_mode=native-untagged

auto vmbr0
allow-ovs vmbr0
iface vmbr0 inet manual   
        ovs_type OVSBridge
    ovs_ports bond0 vlan1

auto vlan1
allow-vmbr0 vlan1
iface vlan1 inet static
    ovs_type OVSIntPort
    ovs_bridge vmbr0
    ovs_options vlan_mode=access tag=1
    ovs_extra set interface ${IFACE} external-ids:iface-id=$(hostname -s)-${IFACE}-vif
    address 10.0.1.2
    netmask 255.255.255.0
    gateway 10.0.1.1
 
I am not a specialist of open-vswitch (open-vswitch in proxmox was added by external contributors)

according to
https://forum.proxmox.com/threads/open-vswitch-and-vlan-trunking.18367/

bond0 should be in trunking mode by default, ie it will receice all tagged packets

now after you defined your VLANs in pfSense, you should set the corresponding VLAN in the nic tab of your VM, and pfSense and your VM should be able to communicate via the VLAN

( you should not need to configure anything extra in /etc/network/interfaces as the tap device of the VM will automatically be assigned the proper VLAN tag when the VM is started, you can check that with ovs-vsctl show)
 
Thanks for your answer.

So you're referring to "vlan_mode=native-untagged" in bond0 options? This option is in fact irrelevant since I added another vlan and both vlans pass through bond0.

I also noticed that saying "vlan_mode=access tag=1" or "tag=1" is the same since setting tag options automatically set the port to access mode.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back