Question on SDN Features

orcado

New Member
Sep 3, 2025
Hi Community,

I'm currently working on a test project to have 5 VMs within a pool. The main aim of this is to have these 5 VMs within a VLAN in the PVE cluster, using the node's internet access without a router.

I've done some research and found that I'll need to create an SDN Simple Zone, then create a VNet for it. I saw that there is a VLAN Aware setting, but I don't see a place where I can set up the VLAN ID.

My question is this: should I be creating a VLAN Zone instead of a Simple Zone, then set the VLAN ID in VNets, and after that add a Subnet with SNAT enabled?

Any advice appreciated.

Thank you
Orca
 
VLAN zone is layer2 only, so you'd need an external router for things like NAT. If you simply require them to be on their own, separate layer2 domain a Simple Zone is sufficient - without any VLAN tags. If you have multiple simple zones with NAT enabled, you'd need to prevent the host from routing between the different simple zones, which can be achieved via the firewall.
 
Hi @shanreich, thank you for the tip and direction. Can you share a few more clues about the firewall config to prevent traffic from being routed between the simple zones? I can't quite figure out how to configure it. Appreciate it!
 
With the simple zone you are using the PVE host as a router for your simple zone. So you'd need to create rules on the forward chain that prevent the PVE host from routing between the simple zones. Please note that this is currently only possible with the nftables firewall which is in tech preview.

Alternatively you can use security groups and the VM-level firewall with the iptables firewall to achieve the same effect, although it is a bit more complicated to set up.
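To illustrate the forward-chain rules described in the reply above, here is an added example of cluster-level firewall rules (not the poster's own config). It assumes two simple zones whose subnets are 10.10.1.0/24 and 10.10.2.0/24 (constructed values), that the nftables firewall is enabled on the hosts, and that the PVE version in use supports the FORWARD rule direction in the cluster firewall (which, per the reply, is only available with the nftables firewall). The rules stop the PVE host from routing packets from one zone's subnet into the other's, while forwarded traffic towards the internet (leaving via SNAT) is not matched and is therefore unaffected.

```ini
# /etc/pve/firewall/cluster.fw  (constructed example for this thread)

[OPTIONS]
enable: 1

[RULES]
# Drop anything the host would route from zone A's subnet into zone B's subnet, and vice versa.
# Subnet values are assumed; replace them with the subnets of your simple zones.
FORWARD DROP -source 10.10.1.0/24 -dest 10.10.2.0/24 -log nolog
FORWARD DROP -source 10.10.2.0/24 -dest 10.10.1.0/24 -log nolog
```

Traffic from either subnet to any other destination (for example, a public address reached through the SNAT setting of the subnet) does not match these rules, so only the host-side routing between the two zones is cut. A quick check from a VM in zone A is to ping a VM in zone B (expected to fail) and an external address (expected to succeed); if both fail, confirm that SNAT is enabled on the subnet and that the nftables firewall, not the legacy one, is active on the node.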