Hi.
I need to feed 2 different firewalls, both with traffic from two different vlans. So I have 4 VMs to simulate the traffic.
Both firewalls use the same vlan ids, but they are not the same l2 domains or IP networks. In other words: both firewalls relate to vlan 240 and vlan 250, but vlan 240 on firewall A got nothing to do with vlan 240 on firewall B.
My PVE is a single machine with a separate interface for management, and a dedicated interface for VM traffic. I have a capable switch between my PVE and the firewalls, so QinQ is a likely solution. I would like to avoid having to mess with tagging from the VM side.
I don't see that what I want to do is possible in the PVE UI, so wanted to check if my thinking is valid. Before I begin, my interfaces file has this:
If I create two tagged subinterfaces of eth0 and create two new bridges with one of those two subinterfaces as the bridge-port, I *think* I end up with dual-tagged frames. So, something like this:
*Is* there a way to do this as I intend to do it (as outlined above), or will I have to (the *horror*) relearn linux networking?
Thanks,
Dag B
I need to feed 2 different firewalls, both with traffic from two different vlans. So I have 4 VMs to simulate the traffic.
Both firewalls use the same vlan ids, but they are not the same l2 domains or IP networks. In other words: both firewalls relate to vlan 240 and vlan 250, but vlan 240 on firewall A got nothing to do with vlan 240 on firewall B.
My PVE is a single machine with a separate interface for management, and a dedicated interface for VM traffic. I have a capable switch between my PVE and the firewalls, so QinQ is a likely solution. I would like to avoid having to mess with tagging from the VM side.
I don't see that what I want to do is possible in the PVE UI, so wanted to check if my thinking is valid. Before I begin, my interfaces file has this:
Code:
iface eth0 inet manual
auto vmbr0
iface vmbr0 inet static
bridge-ports eth0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
auto vlan250
iface vlan250 inet manual
vlan-raw-device vmbr0
auto vlan240
iface vlan240 inet manual
vlan-raw-device vmbr0If I create two tagged subinterfaces of eth0 and create two new bridges with one of those two subinterfaces as the bridge-port, I *think* I end up with dual-tagged frames. So, something like this:
Code:
iface eth0 inet manual
auto eth0.4000
auto eth0.4001
auto vmbr0
iface vmbr0 inet static
bridge-ports eth0.4000
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
auto vmbr1
iface vmbr0 inet static
bridge-ports eth0.4001
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
# so far, so good.
# but now what?
# this appears to be acceptable syntax:
auto vlan250
iface vlan250 inet manual
vlan-raw-device vmbr0
auto vlan240
iface vlan240 inet manual
vlan-raw-device vmbr0
#.... but I struggle to come up with a way to set up the next set of vlan240 and vlan250
# this is not valid syntax:
auto vlan250-4001
iface vlan250-4000 inet manual
vlan-raw-device vmbr1
auto vlan240-4001
iface vlan240-4000 inet manual
vlan-raw-device vmbr1*Is* there a way to do this as I intend to do it (as outlined above), or will I have to (the *horror*) relearn linux networking?
Thanks,
Dag B
