Setting up vLAN and virtual switch

krikey

Well-Known Member
Aug 15, 2018
UK
I've googled for a few hours now on this but so far the answer eludes me. I'd like to set up a couple of LXC containers (not VMs) which are situated on their own LAN, i.e. 192.168.1.0. They can see each other and they can both access the outside world through one NATted WAN IP address.

I'd then want the ability to do the same again for another separate mini network.

Essentially I want to mirror a dual server network behind a NAT router. Can this be done in PVE?
 
I've googled for a few hours now on this but so far the answer eludes me. I'd like to set up a couple of LXC containers (not VMs) which are situated on their own LAN, i.e. 192.168.1.0. They can see each other and they can both access the outside world through one NATted WAN IP address.

I'd then want the ability to do the same again for another separate mini network.

Essentially I want to mirror a dual server network behind a NAT router. Can this be done in PVE?

Sure, just create another bridge (e.g. vmbr1) and assign the container's network(s) to it.

If it's not quite clear post the related /etc/pve/lxc/*.conf files as well as your /etc/network/interface file and I can give you an example.
 
If I create another bridge, would the VMs/CTs on different bridges be able to see each other if on the same subnet?
 
If I create another bridge, would the VMs/CTs on different bridges be able to see each other if on the same subnet?
Different bridges are different subnets; IMHO the statement above is contradictory. It looks like there is a misunderstanding somewhere. To clarify it, I recommend making a short diagram showing what you want to achieve, treating each VM/CT as a normal server and each bridge as an ordinary switch.
 
My understanding is that a bridge is like a physical switch, so I would have two switches (one for each LAN), both going to the same physical NIC; however, the LAN side of each bridge might have the same subnet. I think that the attached diagram should explain this. My concern was that the devices on the VMBR0 bridge would be able to see/interfere with the devices on the VMBR1 bridge.
 

Attachments: example networking for proxmox.jpg
My understanding is that a bridge is like a physical switch, so I would have two switches (one for each LAN), both going to the same physical NIC; however, the LAN side of each bridge might have the same subnet. I think that the attached diagram should explain this. My concern was that the devices on the VMBR0 bridge would be able to see/interfere with the devices on the VMBR1 bridge.

AFAIU you want to have two different subnets, both with the same IP range. Yes, that is possible and they will not see each other, but: if communication with the host is required from both subnets (and it is, when the host should work as a NAT router), the host also needs an address in each of them, and it is contradictory to have two different "physical" (in the current case "virtualized physical") subnets with both host addresses taken from the same logical subnet.


The diagram shows another misunderstanding: eno1 cannot be a member of two bridges, just as a network card cannot be connected to two switches.


Suggestion:
- assign to vmbr0 192.168.1.1 in 192.168.1.0/24
- assign to vmbr1 192.168.2.1 in 192.168.2.0/24
- don't connect eno1 to any bridge at all
- define NAT as follows:
Code:
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
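The suggestion above, written out as an added example (not code from the thread or from Proxmox): a POSIX sh script that checks that the two bridge subnets do not overlap (the reason the same 192.168.1.0/24 cannot be used on both bridges when the host is the NAT router) and then emits the /etc/network/interfaces stanzas for vmbr0 and vmbr1. The bridge names, the eno1 uplink and the 192.168.1.0/24 and 192.168.2.0/24 subnets come from the thread; the per-subnet MASQUERADE rules and the FORWARD drop between the two bridges are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: build two NAT'd Proxmox bridges and refuse
# overlapping subnets. Assumes the uplink is eno1 and the bridges are vmbr0/vmbr1.

# Dotted quad -> 32-bit integer, e.g. 192.168.1.1 -> 3232235777
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address (as integer) of ADDR/PREFIX, e.g. 192.168.1.77/24 -> 192.168.1.0
network_of() {
    ip=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    echo $(( $(ip4_to_int "$ip") & mask ))
}

# Succeeds (exit 0) when the two CIDRs overlap, fails when they are disjoint.
# The shorter prefix decides: both networks are compared under its mask.
subnets_overlap() {
    n1=$(network_of "$1"); b1=${1#*/}
    n2=$(network_of "$2"); b2=${2#*/}
    bits=$(( b1 < b2 ? b1 : b2 ))
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# interfaces(5) stanza for one bridge: NAME HOST_ADDR/PREFIX UPLINK PEER_BRIDGE.
# bridge-ports none keeps the physical NIC out of the bridge; the host routes and
# masquerades the bridge's subnet out of the uplink. The FORWARD drop is what
# actually keeps the two subnets apart: with ip_forward=1 the host would otherwise
# route between vmbr0 and vmbr1 even though they are separate bridges.
bridge_stanza() {
    name=$1; cidr=$2; uplink=$3; peer=$4
    net="$(int_to_ip4 "$(network_of "$cidr")")/${cidr#*/}"
    cat <<EOF
auto $name
iface $name inet static
        address $cidr
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s $net -o $uplink -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s $net -o $uplink -j MASQUERADE
        post-up   iptables -A FORWARD -i $name -o $peer -j DROP
        post-down iptables -D FORWARD -i $name -o $peer -j DROP

EOF
}

# build_config VMBR0_ADDR/PREFIX VMBR1_ADDR/PREFIX -> both stanzas on stdout,
# or exit 1 if the host could not hold a routable address in both subnets.
build_config() {
    if subnets_overlap "$1" "$2"; then
        echo "error: $1 and $2 overlap; the host cannot route both subnets" >&2
        return 1
    fi
    bridge_stanza vmbr0 "$1" eno1 vmbr1
    bridge_stanza vmbr1 "$2" eno1 vmbr0
}

# Usage: sh bridges.sh 192.168.1.1/24 192.168.2.1/24 >> /etc/network/interfaces
if [ "$#" -eq 2 ]; then
    build_config "$1" "$2"
fi
```

Running it with 192.168.1.1/24 on both bridges fails the overlap check, while the /26 split mentioned later in the thread (192.168.1.1/26 and 192.168.1.65/26) passes it, so the "always 192.168.1.x" wish can be met without giving the host two addresses in one logical subnet. If the Proxmox firewall is enabled it manages its own iptables chains, so the FORWARD rule here would normally be expressed as a datacenter or node firewall rule instead of a hand-written post-up line.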
 
Thanks for your help. So if I use NAT (which I'd like to do on each VMBR), does that still mean that I cannot use the same subnet, i.e. 192.168.1.0/24, on both VMBRs?

What I'm trying to achieve is essentially two distinct subnets with VMs/CTs in them NATted through to the internet via the physical NIC, but each subnet may have the same IPs. So kind of like how the internet works at home, i.e. my own PCs will have 192.168.1.0/24 addresses and they are NATted through to my WAN IP address. Fred Bloggs just down the road also has his PCs on 192.168.1.0/24 and he's also NATted through to his WAN IP address.

I can see I'm missing something fundamental here and just need a little help in understanding what I'm missing so really appreciate the feedback.
 
So if I use NAT (which I'd like to do on each VMBR), does that still mean that I cannot use the same subnet, i.e. 192.168.1.0/24, on both VMBRs?

It does. Why is it so important to use the same subnet (addresses)? If you'd like to always have 192.168.1.x, you can e.g. make more subnets within it, such as 192.168.1.0/26, 192.168.1.64/26, 192.168.1.128/26 and 192.168.1.192/26.
 
In all fairness, it doesn't **NEED** to be the same, but I wanted to understand if the VMBR was truly separate/ignorant of other VMBRs. I must admit that I'm coming from ESXi, where we are using virtual pfSense FWs in front of their local networks, which carry VMs, and some local networks have the same IP ranges and co-exist happily.

The fact that Proxmox provided the ability to configure NAT and also a firewall is really appealing.
 