Prevent VMs from sniffing on a bridge interface

alebeta

Mar 20, 2018
Hello friends,

I have a bridge interface vmbr2 which is serving VLANs and also subnets that are not inside of a VLAN.

When I assign an IP from a subnet that is not inside of a VLAN, that VM can sniff all the traffic going through the bridge (YEP... really really bad...).

I would like to know if there is a way to stop VMs from being able to see all the bridge traffic. So far a VLAN for that specific network is not possible.

If more details are needed, please let me know.

all the best
 
This is not normal; you shouldn't see the traffic of other VMs.

It could happen if the bridge is configured with "bridge_maxage 0", where it doesn't remember the MAC address table and floods traffic on all ports.

Do you have any special tuning on your bridge?
 
Hi Spirit, thanks for your answer.

The configuration had been done with OVS, creating a vmbr2 bridge interface with the physical interface of the server.

Here is the relevant config from the `interfaces` file:


Code:
allow-vmbr2 eno2
iface eno2 inet manual
    ovs_type OVSPort
    ovs_bridge vmbr2

auto vmbr2
iface vmbr2 inet manual
    ovs_type OVSBridge
    ovs_ports eno2

Then the VMs are using vmbr2 as a bridge, and the ones that need to use the subnet without a VLAN tag are the ones with the issue.

thanks in advance
 
Do you see the problem if you isolate vmbr2 from the external world by removing eno2, and create 3 VMs on this vmbr2 (1 without a VLAN tag, and 2 others in a VLAN)? Can you also see the traffic on the VM without a VLAN tag?

I would like to verify that it could come from somewhere outside the server (physical network or other server)
 
Maybe this blog could help you, if it's really a MAC learning problem:

http://arthurchiao.art/blog/ovs-unknown-unicast-flooding-under-distributed-gw/

Try it; you should see the MAC address of the VM on the right port/tap interface:

"ovs-appctl fdb/show vmbr2"

It's also possible to increase the aging time:

ovs-vsctl set bridge vmbr2 other_config:mac-aging-time=600

(You should check your physical switch's MAC aging time.)

(10 min is generally OK, being bigger than almost all OS ARP timeouts.)
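A small diagnostic for the checks suggested in this post, added here as an example and not taken from the thread: it parses a constructed `ovs-appctl fdb/show vmbr2` dump to report which port a VM's MAC was learned on, lists MACs that are missing from the table (frames to those are flooded to every port, which is what lets another VM see them), and checks that the configured `mac-aging-time` is at least the 600 s suggested above. The sample FDB lines and MACs are made up; on a host, feed the functions the real `ovs-appctl` and `ovs-vsctl` output instead.

```shell
#!/bin/sh
# Added example: OVS forwarding-database checks for the "VM can see other VMs'
# traffic" symptom. A frame to a MAC the bridge has not learned is flooded to
# every port, so an unlearned VM MAC is exactly the case to look for.

# Constructed sample of "ovs-appctl fdb/show vmbr2" output (not real data).
SAMPLE_FDB=' port  VLAN  MAC                Age
    1     0  52:54:00:aa:bb:01    5
    3   100  52:54:00:aa:bb:02   12
    4   100  52:54:00:aa:bb:03  290'

# fdb_port FDB_TEXT MAC -> prints the port the MAC is learned on, or "unlearned".
# MACs are compared case-insensitively; the header line never matches.
fdb_port() {
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    port=$(printf '%s\n' "$1" | awk -v m="$mac" 'tolower($3) == m { print $1; exit }')
    if [ -n "$port" ]; then printf '%s\n' "$port"; else printf 'unlearned\n'; fi
}

# unlearned_macs FDB_TEXT "MAC MAC ..." -> prints, one per line, the MACs from
# the list (for example the VM NIC MACs from the VM configs) that are missing
# from the table and would therefore be reached by flooding.
unlearned_macs() {
    for m in $2; do
        [ "$(fdb_port "$1" "$m")" = unlearned ] && printf '%s\n' "$m"
    done
    return 0
}

# aging_ok VALUE -> succeeds if mac-aging-time, as printed by
# "ovs-vsctl get bridge vmbr2 other_config:mac-aging-time" (quotes included),
# is at least 600 seconds, the value suggested in the thread.
aging_ok() {
    secs=$(printf '%s' "$1" | tr -d '"')
    [ "$secs" -ge 600 ] 2>/dev/null
}

# Stand-alone run against the constructed sample.
unlearned_macs "$SAMPLE_FDB" "52:54:00:aa:bb:01 52:54:00:de:ad:ff"
aging_ok '"600"' && echo "mac-aging-time is at least 600 s"
```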