[SOLVED] Proxmox simple SDN choose outbound interface

[ovcrash]

Hi,

We have proxmox 8.x with multiple NIC, that have different IP assign on the same subnet.
We have created a simple SDN network with SNAT and DHCP so that we can host VM and they have a IP and can access external ressource.

Is there a way to configure on which NIC interface the outbound traffic from that SDN network exit ? how can this be done?

 

[shanreich]

No, currently it uses the interface that is used by the default route.

That being said, do not configure the same subnet on different interfaces - that is asking for trouble. Use different subnets for different NICs or, if you want to use multiple NICs for serving the same network, bond the NICs together. You can then configure multiple IP addresses on the same interface (the bond).

 

[ovcrash]

So there is no way to have the traffic come out of a chosen interface or it's something that will be added in future version?

Before i used iptables in my network/interfaces file and if i remember correctly it was working, but that was in v 7.x but at that time i was not using SDN to make the NAT network.

 

[shanreich]

So there is no way to have the traffic some out a chosen interface or it's something that will be added in future version?

We're considering adding more extensive S/DNAT support to the UI in a future version, you can find the respective tracking issue in our bugzilla [1]. There you should be able to select the outgoing interface.

Please note that it is still not recommended to have multiple interfaces in the same subnet (at least not without extensive additional configuration of the network stack), this can lead to undesired behavior. By fixing that and having the default route go via the interface you want, you can have the desired outgoing IP.

[1] https://bugzilla.proxmox.com/show_bug.cgi?id=5239

 

[ovcrash]

Finally got this working without SDN, even if i think SDN should be my final choice but for now it's not the way i made it work.

I used, iptables and custom routes on one of my interfaces and it works like i want.

Thanks for the help and support.

 

[julsssark]

Having SDN functionality opens up some really cool uses. I've been playing with simple and VLAN SDN setups. What is the default route for my network setup (see below)? With a simple SDN setup my test VM sees DNS but does not have network access. I assume that traffic on the simple network would go out on vmbr0.50 because it has the IP address, but the simple traffic would be untagged and that would not work. With a VLAN SDN, I lose access to the GUI (though I only tried once and I didn't have FRRouting installed). I assume that vmbr0.50 would be the bridge.

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp0s31f6
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.50
iface vmbr0.50 inet static
    address 10.7.5.6/24
    gateway 10.7.5.1

 

[shanreich]

What is the default route for my network setup (see below)?

In this case it would be 10.7.5.1 via vmbr0.50 - so it ultimately it would go out via enp0s31f6 with VLAN Tag 50. You can always check via the ip route command.

The simple traffic would be untagged, but since you have no network / gateway configured for that interface no outbound traffic would ever be routed via that interface.

 

[julsssark]

Thank you @shanreich for your response. I was hoping a simple SDN would work like my VMs do (i.e., if I don't tag a VM, it shows up on the native network). If I use a VLAN SDN, will I only be able to have outbound traffic on VLAN 50? What I am trying to do is put the SDN traffic on the untagged network or VLAN 30. Any suggestions?

 

[shanreich]

With using SDN VLAN zones, you don't need to set any VLAN Tag at the VM level. You set them in the respective VNet. So in your case you would create a Zone on vmbr0 and a VNet that is tagged with 30 and then assign that to the VMs without any additional tagging at the NIC level.

I would refrain from mixing tagged / untagged VLAN traffic on the same network and just use another VLAN for outbound traffic. You can strip the tag on egress by using an egress port (nomenclature may vary) on your switch.

 

[julsssark]

Thank you @shanreich but I still can't get a SDN VLAN to work with outbound traffic. I am able to create the VLAN zone, the VNET and the subnet, and assign a VM to the subnet. If I set the VNET to VLAN 50, I lose access to the web GUI. If I set the VNET to VLAN 1 or VLAN 30, the VM does not have access to DNS or the Internet. I've tried a mix of various tags and DNS addresses (Prox host DNS, the corresponding DNS for the VLAN tag, and external DNS address). I am picking vmbr0 for the bridge and checking SNAT. I am not using a firewall on the VM. What am I missing? I am fine to put the outbound traffic on VLAN 50 (my Proxmox host's default route).