I have several VLANs defined in my switches and I defined all of them within PVE.
However, when I try to ping an external device (i.e. one not in PVE) from either a VM or the host node itself, I can't. Strangely enough, I can ping the core switch IP on that very VLAN.
Real life example: I use VLAN 100 (on which I have configured subnet 172.27.100.0/24) as the management interface for the proxmox nodes (and also, this is where I have most of the VMs' only interface).
I intend to use a new VLAN 3 (on which I have configured subnet 10.11.12.0/22) as the management VLAN (where I will eventually migrate the PVE nodes).
On this VLAN 3, the core switch (to which all the PVE nodes indirectly connect) has a virtual IP (10.11.12.1) which I can ping from any node (and from a VM on which I defined a secondary interface):
Code:
root@nodo001:~# ping 10.11.12.1
PING 10.11.12.1 (10.11.12.1) 56(84) bytes of data.
64 bytes from 10.11.12.1: icmp_seq=1 ttl=255 time=0.721 ms
64 bytes from 10.11.12.1: icmp_seq=2 ttl=255 time=0.620 ms
64 bytes from 10.11.12.1: icmp_seq=3 ttl=255 time=0.722 ms
64 bytes from 10.11.12.1: icmp_seq=4 ttl=255 time=0.695 ms
64 bytes from 10.11.12.1: icmp_seq=5 ttl=255 time=0.718 ms
^C
--- 10.11.12.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4090ms
rtt min/avg/max/mdev = 0.620/0.695/0.722/0.038 ms
But when I try to ping another host on that same VLAN (a pfSense firewall I am configuring on 10.11.12.13), neither the hosts nor the VMs see it:
Code:
root@nodo001:~# ping 10.11.12.13
PING 10.11.12.13 (10.11.12.13) 56(84) bytes of data.
^C
--- 10.11.12.13 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8191ms
However, if I ping the firewall from inside the switch, it works OK:
Code:
<sw-core>ping 10.11.12.13
PING 10.11.12.13 (10.11.12.13): 56 data bytes, press CTRL_C to break
56 bytes from 10.11.12.13: icmp_seq=0 ttl=64 time=1.114 ms
56 bytes from 10.11.12.13: icmp_seq=1 ttl=64 time=0.709 ms
56 bytes from 10.11.12.13: icmp_seq=2 ttl=64 time=0.633 ms
56 bytes from 10.11.12.13: icmp_seq=3 ttl=64 time=0.594 ms
56 bytes from 10.11.12.13: icmp_seq=4 ttl=64 time=0.787 ms
--- 10.11.12.13 ping statistics ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.594/0.767/1.114/0.186 ms
The pfSense has a firewall rule to explicitly accept ICMP echo request/reply from the whole 10.11.12.0/22 network and the core switch has an explicit rule to accept all ICMP traffic.
For reference, here's this node's /etc/network/interfaces:
Code:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

auto bond10
iface bond10 inet manual
        bond-slaves eno1 eno2
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3
        bond-downdelay 200
        bond-updelay 200
        bond-lacp-rate 1
#LAG

auto vmbr100
iface vmbr100 inet manual
        bridge-ports bond10
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 3 7 12-13 16-19 110-113 210-212 311-313 4000 5 20 31 42 99-101 254 3126-3129
        bridge-pvid 4000
#Trunk

auto vmbr100.100
iface vmbr100.100 inet static
        address 172.27.100.150/24
        gateway 172.27.100.1
#Mgmt pxmx on network 100

auto vmbr100.3
iface vmbr100.3 inet static
        address 10.11.15.1/22
#Management Proxmox

auto vmbr100.7
iface vmbr100.7 inet manual
#DATA
What am I doing wrong?
Thanx for any help available
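An added example (not part of the post above) that parses the vmbr100 and vmbr100.3 stanzas from the interfaces file and makes the two checks a troubleshooter would do first: whether VLAN 3 is actually carried by the trunk's bridge-vids list (ranges like 12-13 expanded), and whether 10.11.12.13 sits inside the /22 configured on vmbr100.3, in which case the ping is resolved by ARP on that VLAN and the gateway plays no part. The stanza text is a constructed excerpt of the config in the post; only the Python standard library is used.

```python
import ipaddress

# Constructed sample: the trunk bridge and VLAN-3 stanzas from the post's /etc/network/interfaces.
INTERFACES = """
auto vmbr100
iface vmbr100 inet manual
        bridge-ports bond10
        bridge-vlan-aware yes
        bridge-vids 3 7 12-13 16-19 110-113 210-212 311-313 4000 5 20 31 42 99-101 254 3126-3129
        bridge-pvid 4000

auto vmbr100.3
iface vmbr100.3 inet static
        address 10.11.15.1/22
"""

def parse_interfaces(text):
    """Return {iface_name: {option: value}} for every 'iface' stanza in ifupdown syntax."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("auto "):
            continue
        key, _, value = line.partition(" ")
        if key == "iface":
            current = stanzas.setdefault(value.split()[0], {})
        elif current is not None:
            current[key] = value.strip()
    return stanzas

def expand_vids(vids):
    """Expand a bridge-vids list such as '3 7 12-13' into the set of VLAN IDs it covers."""
    ids = set()
    for tok in vids.split():
        lo, _, hi = tok.partition("-")      # '12-13' -> 12..13, '3' -> 3..3
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def vlan_carried(stanzas, bridge, vlan):
    """True if the trunk bridge carries `vlan`, tagged (bridge-vids) or untagged (bridge-pvid)."""
    opts = stanzas[bridge]
    return vlan in expand_vids(opts.get("bridge-vids", "")) or opts.get("bridge-pvid") == str(vlan)

def same_l2_segment(stanzas, iface, target):
    """True if `target` is inside the subnet on `iface`: the ping then needs ARP, not the gateway."""
    net = ipaddress.ip_interface(stanzas[iface]["address"]).network
    return ipaddress.ip_address(target) in net

if __name__ == "__main__":
    s = parse_interfaces(INTERFACES)
    print("VLAN 3 carried by vmbr100:", vlan_carried(s, "vmbr100", 3))
    print("10.11.12.13 on the same segment as vmbr100.3:", same_l2_segment(s, "vmbr100.3", "10.11.12.13"))
```

When both checks come back True, the missing replies are a layer-2 question (ARP entry for 10.11.12.13 on vmbr100.3, and whether the pfSense interface is tagged for VLAN 3 on its own port), not a routing or firewall-rule one.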