PVE 3.2 Setting up Mirror (SPAN) Port with OVS

warbux
Apr 28, 2014
Hi,

I currently use PVE 3.2; it just runs pfSense and does my routing. I really like the setup, but I want to add an IDS (Security Onion) and eventually add my VMware servers to this network. I think OVS is what I need to mirror all the adapters to the IDS bridge and drop any traffic sent directly to the IDS bridge. It sounds straightforward, but I am having trouble. The PVE 3.2 server has 4 external adapters, eth0 - eth3.
vmbr0 is mgmt traffic, vmbr1 is LAN traffic, vmbr100 is WAN traffic and I want vmbr101 to be the SPAN port.

I have attempted to adapt this http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities/ovs-vsctl.8 to my network, and while OVS looks to be set up right, prox does not recognize the bridge I created. I assume I have to modify /interfaces, but I am not quite sure what I should be looking into. Any advice or guidance would be great. Here is my current config.

/etc/network/interfaces
Code:
iface eth0 inet manual
iface eth1 inet manual
iface eth3 inet manual
iface eth2 inet manual
auto vmbr0
iface vmbr0 inet static
    address  192.168.100.2
    netmask  255.255.255.0
    gateway  192.168.100.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0


auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0


auto vmbr100
iface vmbr100 inet manual
    bridge_ports eth3
    bridge_stp off
    bridge_fd 0


auto vmbr101
iface vmbr101 inet static
    address  192.168.11.2
    netmask  255.255.255.0
    ovs_type OVSBridge
 
Hello warbux,

- check the result of command

ovs-vsctl show

The result should look like:


4abcdef1-1234-5678-b123-4e1d2c3b4a59
    Bridge "vmbr101"
        Port "vmbr101"
            Interface "vmbr101"
                type: internal
    ovs_version: "2.0.90"


In that case the OVS configuration is ok.

- If the result is only:

4abcdef1-1234-5678-b123-4e1d2c3b4a59
ovs_version: "2.0.90"


restart network services via

/etc/init.d/networking restart

(sometimes it's necessary once after boot - don't know why)


- if the version is not "2.0.90" (or ovs-vsctl does not work at all), install the proper openvswitch-switch version - make sure that

deb http://download.proxmox.com/debian wheezy pvetest

is added in /etc/apt/sources.list

Apart from this, I don't understand your configuration in principle: you defined an OVS bridge but without any physical port!? Do you want to do port mirroring as described in the OVS cookbook? In that case something must be added, either by ovs-vsctl command or in /etc/network/interfaces. However, you must know if it's what you want...

Kind regards

Mr.Holmes
 
Okay, so the first problem was that the version was wrong. I updated, and now I am not nearly so frustrated, because I can create an adapter from the GUI and ovs-vsctl show will show it. The only problem is that it requires an /etc/init.d/networking restart before the new OVS bridge shows up. When I do that I lose network access. If I reboot the host, the adapter I just created from the GUI no longer shows up with ovs-vsctl show.

I do not want to do the same configuration as the cookbook. What I want is to mirror all of the LAN and WAN traffic (internal and external) vmbr0 (eth0), vmbr1 (eth1), vmbr2 (eth2) and vmbr100 (eth3) to my IDS system. The IDS system is a KVM machine on the same host. vmbr101 is the internal only bridge.

Code:
root@noc:~# brctl show
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.00259011377c       no              eth0
                                                        tap100i2
vmbr1           8000.00259011377d       no              eth1
                                                        tap100i1
vmbr100         8000.00259011377f       no              eth3
                                                        tap100i0
Code:
iface eth0 inet manual
iface eth1 inet manual
iface eth3 inet manual
iface eth2 inet manual

auto vmbr0
iface vmbr0 inet static
    address  192.168.100.2
    netmask  255.255.255.0
    gateway  192.168.100.1
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0


auto vmbr1
iface vmbr1 inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_fd 0


auto vmbr100
iface vmbr100 inet manual
    bridge_ports eth3
    bridge_stp off
    bridge_fd 0


auto vmbr101
iface vmbr101 inet static
    address  192.168.11.1
    netmask  255.255.255.0
    ovs_type OVSBridge

I had to reboot to post this, so now the OVS bridge vmbr101 is not showing up again.

Code:
root@noc:~# ovs-vsctl show
a5c0941c-03cc-4aac-98db-3f2af504b583
    ovs_version: "2.0.90"


Thanks again!
 
I am not quite sure why my reply never got posted. Thanks for your response. Basically I want prox to act as my router, main switch and IDS. I want everything mirrored to the internal IDS bridge. I know the setup I have currently is not what I need; I just did it so I could get internet running while I researched the proper commands. When I assign an OVS bridge to a VM, the VM does not start. As soon as I create an OVS bridge with the web GUI I have to restart networking for it to show up with ovs-vsctl show, and I lose internet completely and have to reboot the system.

What is the correct way to add the ovs-vsctl commands into /etc/network/interfaces?
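As an added example (not code from this thread, from Proxmox or from the Open vSwitch project), here is a small POSIX shell helper set that covers two points raised above: Mr.Holmes's check of the ovs-vsctl show output, and the final question about getting an OVS bridge with a physical port and a SPAN mirror into /etc/network/interfaces. The bridge, port and VM tap names (vmbr101, eth2, tap101i0), the mirror name ids-span and the sample ovs-vsctl show output are assumptions constructed for this example; the ovs-vsctl mirror syntax follows the ovs-vsctl man page linked in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for checking `ovs-vsctl show`
# output and for generating the bridge stanza and mirror command for an
# IDS SPAN port. All interface names below are assumed for illustration.
set -eu

# Constructed sample of `ovs-vsctl show` for a bridge that already holds a
# physical port (eth2) and the IDS VM's tap port (tap101i0).
SAMPLE_SHOW='a5c0941c-03cc-4aac-98db-3f2af504b583
    Bridge "vmbr101"
        Port "vmbr101"
            Interface "vmbr101"
                type: internal
        Port "eth2"
            Interface "eth2"
        Port "tap101i0"
            Interface "tap101i0"
    ovs_version: "2.0.90"'

# Succeed if bridge $1 appears in `ovs-vsctl show` output read from stdin.
# A bare UUID plus ovs_version line (as in the thread) means no bridge exists.
ovs_has_bridge() {
    grep -q "^[[:space:]]*Bridge \"$1\""
}

# Succeed if port $1 is attached to some bridge in the output on stdin.
ovs_has_port() {
    grep -q "^[[:space:]]*Port \"$1\""
}

# Print an /etc/network/interfaces fragment (openvswitch-switch ifupdown
# syntax) for an OVS bridge $1 with address $2/$3 and physical port $4.
ovs_interfaces_stanza() {
    br=$1; addr=$2; mask=$3; phys=$4
    cat <<EOF
auto $br
allow-ovs $br
iface $br inet static
    address  $addr
    netmask  $mask
    ovs_type OVSBridge
    ovs_ports $phys

allow-$br $phys
iface $phys inet manual
    ovs_bridge $br
    ovs_type OVSPort
EOF
}

# Print one ovs-vsctl transaction that creates a mirror on bridge $1 copying
# both directions (select_src_port and select_dst_port) of every listed
# source port into output port $2. The @names are ovs-vsctl row references.
# Usage: ovs_mirror_cmd BRIDGE OUTPUT_PORT SRC_PORT [SRC_PORT...]
ovs_mirror_cmd() {
    br=$1; out=$2; shift 2
    cmd="ovs-vsctl -- set Bridge $br mirrors=@m -- --id=@out get Port $out"
    refs=""
    for p in "$@"; do
        cmd="$cmd -- --id=@$p get Port $p"
        refs="$refs${refs:+,}@$p"
    done
    echo "$cmd -- --id=@m create Mirror name=ids-span select_src_port=$refs select_dst_port=$refs output_port=@out"
}

# Stand-alone demonstration on the constructed sample (names assumed).
if printf '%s\n' "$SAMPLE_SHOW" | ovs_has_bridge vmbr101; then
    echo "vmbr101 is defined in OVS"
fi
ovs_interfaces_stanza vmbr101 192.168.11.1 255.255.255.0 eth2
ovs_mirror_cmd vmbr101 tap101i0 eth2
```

Two caveats a practitioner will want: an OVS mirror only sees ports that are members of the same OVS bridge, so NICs that stay on the Linux bridges vmbr0/vmbr1/vmbr100 cannot be mirrored by it; they would have to become OVS ports. And a port named as a mirror output_port is reserved for mirroring: OVS forwards no other frames to it and ignores frames arriving from it, which is exactly the "drop anything sent directly to the IDS" behaviour asked for in the first post. The printed ovs-vsctl line can be run from a post-up hook in the bridge stanza so it is re-applied after a networking restart.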