SDN VLAN SNAT now working

tamis

Apr 18, 2025
I'm trying to set up an isolated VLAN network with SNAT so containers and VMs can reach out to the internet.

Using SDN I:
  1. Set up a VLAN zone connected to vmbr0
  2. Created a vnet connected to the zone with tag 100
  3. Created a subnet connected to the vnet with subnet 10.10.10.0/24 and enabled SNAT

However, containers attached to the vnet cannot connect to the internet. DHCP on the subnet (when I enable it) also does not work.

I'm wondering if this is a bug, or if these options are not yet implemented? Or am I missing some configuration?

Checking the generated sdn config on the node I see:

Code:
root@pve:~# cd /etc/pve/sdn/
root@pve:/etc/pve/sdn# ls
fabrics  pve-ipam-state.json  subnets.cfg  vnets.cfg  zones.cfg
root@pve:/etc/pve/sdn# cat pve-ipam-state.json
{"zones":{"Isolated":{"subnets":{"10.10.10.0/24":{"ips":{"10.10.10.1":{"gateway":1}}}}},"test":{"subnets":{}}}}root@pve:/etc/pve/sdn# cat subnets.cfg
subnet: Isolated-10.10.10.0-24
        vnet vlan1
        dhcp-range start-address=10.10.10.2,end-address=10.10.10.255
        gateway 10.10.10.1
        snat 1

root@pve:/etc/pve/sdn# cat vnets.cfg
vnet: vlan1
        zone Isolated
        alias Isloated network
        tag 100

root@pve:/etc/pve/sdn# cat zones.cfg
vlan: Isolated
        bridge vmbr0
        ipam pve

root@pve:/etc/pve/sdn# ls fabrics/
root@pve:/etc/pve/sdn#

I'm going to assume this then needs to be translated into a network configuration for the node:

Code:
root@pve:/etc/pve/sdn# cd /etc/network/
root@pve:/etc/network# ls
if-down.d  if-post-down.d  if-pre-up.d  if-up.d  ifupdown2  interfaces  interfaces.d  run
root@pve:/etc/network# cat interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.7/24
        gateway 192.168.1.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

iface wlp2s0 inet manual

source /etc/network/interfaces.d/*
root@pve:/etc/network# cd interfaces.d/
root@pve:/etc/network/interfaces.d# ls
sdn
root@pve:/etc/network/interfaces.d# cat sdn
#version:3

auto vlan1
iface vlan1
        bridge_ports vmbr0.100
        bridge_stp off
        bridge_fd 0
        alias Isloated network
root@pve:/etc/network/interfaces.d#

I'm no expert on Linux networking, but I believe the /etc/network/network.d/sdn configuration is insufficient?
 
It's currently not supported, as you need the vnet to be the gateway for the VM (so you'd have the same IP on each host in the same VLAN, and it won't work).

Currently, it only works with layer 3 zones (simple && evpn zones).
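Since the GUI lets you tick SNAT on a subnet regardless of the zone type, a quick audit of /etc/pve/sdn can catch the combination described above (SNAT on a subnet whose vnet belongs to a VLAN zone) before anyone spends time debugging containers that can't reach the internet. The script below is an added example, not Proxmox code; it assumes only the file layout visible in this thread (`subnet: NAME`, `vnet: NAME` and `<zonetype>: NAME` headers followed by indented `key value` lines) and treats `simple` and `evpn` as the zone types where SNAT works, per the reply above. The sample config it generates is constructed to mirror the thread, plus one simple zone for contrast.

```shell
#!/bin/sh
# Added example (not part of the thread or Proxmox): audit SDN subnets that
# have "snat 1" and report the zone type their vnet resolves to.
set -u

# Constructed sample config mirroring the thread's files (not from a live node).
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/zones.cfg" <<'EOF'
vlan: Isolated
        bridge vmbr0
        ipam pve

simple: lab
        ipam pve
EOF
  cat > "$dir/vnets.cfg" <<'EOF'
vnet: vlan1
        zone Isolated
        alias Isloated network
        tag 100

vnet: labnet
        zone lab
EOF
  cat > "$dir/subnets.cfg" <<'EOF'
subnet: Isolated-10.10.10.0-24
        vnet vlan1
        gateway 10.10.10.1
        snat 1

subnet: lab-10.20.20.0-24
        vnet labnet
        gateway 10.20.20.1
        snat 1
EOF
  echo "$dir"
}

# cfg_get FILE SECTION KEY: value of the first "KEY value" line inside the
# section whose header is "<type>: SECTION"; empty if absent.
cfg_get() {
  awk -v sec="$2" -v key="$3" '
    /^[a-z]+: / { insec = ($2 == sec); next }
    insec && $1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
  ' "$1"
}

# zone_type FILE ZONE: the header keyword (vlan, simple, evpn, ...) of ZONE.
zone_type() {
  awk -v z="$2" '/^[a-z]+: / && $2 == z { sub(/:$/, "", $1); print $1; exit }' "$1"
}

# audit_snat SDN_DIR: for every subnet with "snat 1", resolve
# subnet -> vnet -> zone -> zone type and flag types other than simple/evpn.
audit_snat() {
  d="$1"
  awk '/^subnet: / { print $2 }' "$d/subnets.cfg" | while read -r sn; do
    [ "$(cfg_get "$d/subnets.cfg" "$sn" snat)" = "1" ] || continue
    vnet=$(cfg_get "$d/subnets.cfg" "$sn" vnet)
    zone=$(cfg_get "$d/vnets.cfg" "$vnet" zone)
    ztype=$(zone_type "$d/zones.cfg" "$zone")
    case "$ztype" in
      simple|evpn) echo "OK   $sn vnet=$vnet zone=$zone type=$ztype" ;;
      *)           echo "WARN $sn vnet=$vnet zone=$zone type=$ztype snat-unsupported" ;;
    esac
  done
}

# On a node you would run: audit_snat /etc/pve/sdn
# "--demo" runs it against the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
  audit_snat "$(make_samples)"
fi
```

Run with `sh audit.sh --demo` to see the VLAN-zone subnet flagged and the simple-zone subnet pass; pointing `audit_snat` at `/etc/pve/sdn` on a node gives the same report for the real config. The awk lookups deliberately key on the section header's second field, so a subnet name containing dots and dashes (as Proxmox generates them) needs no escaping.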
 
@spirit Will it be supported in the future? And why are these options available and not disabled? That would make things a lot clearer.