SDN VLAN broke main network [solved]

jrobert

Aug 10, 2024
In setting up a VNet for my SDN settings, I accidentally set the VLAN tag to 1 instead of 10. I then lost my network connection on node 1 (I was able to delete the vnet using node 2 before either 2 or 3 had issues). I've been able to reboot node 1 and get to the command line, but I still have no network, and I can't seem to edit /etc/pve/sdn/vnets.cfg to remove the offending vnet. I get a Permission denied message if I try to change permissions, change ownership, or edit the file.

Any ideas as to how to get this node back without reinstalling?
 
Because your server 1 is not in quorum with the rest of the cluster, /etc/pve is in read-only mode.
We could override that and fix it that way, but probably easier would be to nano-edit the /etc/network/interfaces.d/sdn file that the "active" config is saved to (to fix the typo) and then either reboot or ifreload -a to get the cluster up and running again, get the quorum back, then re-apply the new/changed settings (for example by changing a comment in the SDN).
 
Thanks, I'm back up and running now. Good to know where the active config is. Love Proxmox and Linux, but it's sometimes a bit daunting to figure out where things are when you're starting out.
Thanks again for the help.
 
I have the same problem (I created an SDN VLAN VNet with tag one on vmbr0), but I only have one node. Am I out of luck? Do I need to format the PC and install Proxmox again?
 
If you can log in on the Console of the PC/Server, you should be able to edit / clear the /etc/network/interfaces.d/sdn and /etc/pve/sdn/vnets.cfg files and then either reload the network or reboot the system, without re-installing fully.

The issue for jrobert was that they couldn't edit /etc/pve because they were part of a cluster; if you're stand-alone, that restriction will not happen.
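
One way to catch the tag typo from this thread before the SDN configuration is applied, added here as an example and not part of the thread or of Proxmox itself. It assumes vnets.cfg uses `vnet: <name>` sections followed by indented `key value` lines such as `tag 10`; the function name, the planned-tag list and the sample VNets are hypothetical.

```bash
#!/bin/sh
# Added example (not Proxmox code): lint VNet VLAN tags before applying SDN.
# Assumed layout of vnets.cfg: a "vnet: <name>" header, then indented
# "key value" lines such as "zone lan" and "tag 10".

# check_vnet_tags FILE [PLANNED_TAG...]
# Prints one line per suspicious VNet and returns 1 if anything was flagged.
# Without a planned-tag list, only tag 1 and non-numeric tags are reported.
check_vnet_tags() {
    local file=$1; shift
    awk -v allowed="$*" '
        function report() {
            if (name == "" || tag == "") return        # untagged VNet: nothing to check
            if (tag !~ /^[0-9]+$/) {
                print name ": tag \"" tag "\" is not a number"; bad = 1
            } else if (tag + 0 == 1) {
                print name ": tag 1 (the typo that cut off node 1 in this thread)"; bad = 1
            } else if (allowed != "" && !((tag + 0) in want)) {
                print name ": tag " tag " is not in the planned list"; bad = 1
            }
        }
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) want[a[i] + 0] = 1 }
        /^vnet:/    { report(); name = $2; tag = ""; next }   # new section starts
        $1 == "tag" { tag = $2 }
        END         { report(); exit (bad ? 1 : 0) }
    ' "$file"
}

# Constructed sample: "dmz" was meant to be tag 10, "iot" was never planned.
sample=$(mktemp)
printf 'vnet: dmz\n\tzone lan\n\ttag 1\n\n'    >  "$sample"
printf 'vnet: lab\n\tzone lan\n\ttag 20\n\n'   >> "$sample"
printf 'vnet: iot\n\tzone lan\n\ttag 300\n'    >> "$sample"

# Planned tags for this (hypothetical) setup are 10 and 20.
check_vnet_tags "$sample" 10 20 || echo "fix the VNets listed above before applying"
rm -f "$sample"
```

On a real host the file to pass would be /etc/pve/sdn/vnets.cfg, checked before the change is applied.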
 
Thank you so much, I could clear both files and now I can access the web interface.
Should I just leave vmbr0 alone for LAN purposes and create a new Linux bridge to put the VMs in a VLAN?
My idea is to host some self-hosted services like calibre-web and share them without needing VPNs using a DDNS, and I would like to keep those VMs isolated from my LAN, but I cannot do that at the hardware level: I do not have a managed switch and my router (AX92u) does not allow the creation of VLANs.
And also one machine for CI/CD environment + podman containers + caddy/other reverse proxy

Thank you again
 
If your (first) router can't do VLANs, there is no way to separate the VMs from your LAN and still give the VMs internet.
If you don't want to/can't replace the hardware and you do want separation, what I would suggest to do is install either an OPNsense or pfSense router-VM (personally prefer OPNsense, others like pfSense, and there are other types as well, investigate on your own for that).
That router-VM you put on your (not-vlan'd) vmbr0 with its "wan" side, and on the lan you indeed make a new bridge with the different VLANs that you all also link to this router. Then all you would need to do "extra" is create firewall rules so that all that VLAN traffic cannot reach anything in the LAN (except maybe ICMP/Ping to the router).

That way outside of your server it is all without VLANs and within it is separated with VLANs (or just multiple vmbrs, doesn't even technically need VLANs as they are "physically" separated).
Also as a sidenote, those new vmbrs don't need their own IP, since the VMs don't need to access Proxmox, right?