Shaping traffic and combining public and private IPs

luison

Renowned Member
Feb 22, 2010
Spain
elsurexiste.com
Further to a previous post regarding combining public and private IPs that I was not very lucky with, I've managed to have a working setup for OpenVZ containers sharing either public or private IPs as follows:


Code:
# network interface settings
auto lo vmbr0 vmbr1 vmbr10
iface lo inet loopback

iface eth0 inet manual

iface vmbr0 inet static
        address  46.xxx.xxx.184
        netmask  255.255.255.0
        gateway  46.xxx.xxx.254
        broadcast  46.xxx.xxx.255
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        network 46.xxx.xxx.0

iface vmbr1 inet manual
        bridge_ports dummy0
        bridge_stp off
        bridge_fd 0
        post-up /etc/pve/kvm-networking.sh

iface vmbr10 inet static
        address 10.0.0.1
        netmask 255.255.255.0
        broadcast 10.0.0.255
        network 10.0.0.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE

I can now set up either public or private IPs, or even combine them, on machines with standard venet networking without major hassle. Local IPs seem to reach each other well.
My problem has now appeared when trying to optimize routes on the host machine.

I was hoping a VM with a public IP 46.XXX.XXX.001 and a secondary local 10.0.0.100 could access another local-IP VM 10.0.0.200 directly as a local IP. I mean, if 10.0.0.200 hosts a MySQL, I would like to set up permissions to allow traffic only from any 10.0.0.XXX IP, but it keeps reporting as the public venet address.

I understand this should be a matter of simple ip route rules on the host system, but so far I have not managed to get it to work. Any help, reference or alternative setup would be most appreciated.
 
Hi,
there must be something wrong with the client. If you have two hosts which also have a network connection to vmbr10 (with the right IP addresses), they use only this for the communication to each other (you can see this with tcpdump). Look with "ip route" if you have a strange routing in the VM.
Does the DNS give the right result? Perhaps the name gives the vmbr0 address?

BTW, you can bind the mysql-server to the vmbr10 interface only, so you are sure that the connection comes only internally.

Udo
 
Thanks udo.

I remain completely stuck on this.
I have gone and created "local" VMs bridged to my vmbr10 (see http://pve.proxmox.com/wiki/Protected_VLAN), which solves the issue between any local VMs on that local network.

My problem is that I was hoping my "main" machine, which receives public traffic, could remain on a venet configuration, thus avoiding having to create additional vmbr devices and MAC address procedures. My "only" problem in this case is that I need traffic from 10.0.0.100 (extra venet IP on the VM) to arrive at 10.0.0.XXX (local bridged VM) with that same address, and not the "vmbr0" public IP that is routing all the venet traffic.

Code:
ip route
10.0.0.100 dev venet0 scope link
94.23.xxx.xxx dev venet0 scope link (public failover IP assigned directly to the VM)
46.105.124.0/24 dev vmbr0 proto kernel scope link src 46.105.124.184 (real server IP)
10.0.0.0/24 dev vmbr10 proto kernel scope link src 10.0.0.1 (my vmbr iface for local routing, also assigned to VMs on the 10.0.0.XXX local private LAN)
default via 46.105.xxx.xxx dev vmbr0

As soon as I change the src in any way with ip route it stops working, as I understand the traffic HAS to go through that device. I would need to "change it" afterwards, but this goes beyond my knowledge of NAT and iptables and I have not found a single example.

On the other hand, I understand that venet and bridged modes cannot be combined on the same VM, which would be another simple solution to my problem.
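An added example, not from this thread and not Proxmox or OpenVZ code: a small POSIX shell script for the host that does the source rewrite the last post asks about. It installs an SNAT rule in the nat POSTROUTING chain that rewrites the container's public venet source address to its private 10.0.0.100 address only for packets leaving the host over vmbr10 toward 10.0.0.0/24, then lists the NAT table with counters and captures on the bridge (Udo's tcpdump check) to confirm what the receiving VM actually sees. Assumed names: CT_PUBLIC is a placeholder (203.0.113.10) for the container's real public IP, CT_PRIVATE is 10.0.0.100, PRIV_BRIDGE is vmbr10; the functions snat_spec, add_snat, del_snat and show_state are mine. DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite the source address of a venet
# container's traffic toward the private bridge so that the receiving VM sees
# the container's private IP instead of its public venet IP.
# Assumptions (mine): CT_PUBLIC is the public IP the container currently uses
# as source (placeholder 203.0.113.10), CT_PRIVATE its secondary venet IP,
# PRIV_BRIDGE the bridge carrying PRIV_NET. Adjust via environment variables.
set -eu

CT_PUBLIC="${CT_PUBLIC:-203.0.113.10}"   # placeholder, replace with the real venet IP
CT_PRIVATE="${CT_PRIVATE:-10.0.0.100}"
PRIV_NET="${PRIV_NET:-10.0.0.0/24}"
PRIV_BRIDGE="${PRIV_BRIDGE:-vmbr10}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The rule spec shared by add, delete and check. It only matches packets
# that already carry the public source and are about to leave over the
# private bridge, so public traffic over vmbr0 is untouched.
snat_spec() {
    echo "POSTROUTING -s $CT_PUBLIC -d $PRIV_NET -o $PRIV_BRIDGE -j SNAT --to-source $CT_PRIVATE"
}

# Add the rule unless it is already present (iptables -C checks for it).
add_snat() {
    if [ "$DRY_RUN" = "1" ] || ! iptables -t nat -C $(snat_spec) 2>/dev/null; then
        run iptables -t nat -A $(snat_spec)
    fi
}

del_snat() {
    run iptables -t nat -D $(snat_spec)
}

# Verify: rule counters should rise, and tcpdump on the private bridge should
# show CT_PRIVATE (not CT_PUBLIC) as the source of packets to the local VMs.
show_state() {
    run iptables -t nat -L POSTROUTING -n -v
    run tcpdump -ni "$PRIV_BRIDGE" -c 5 "host $CT_PRIVATE or host $CT_PUBLIC"
}

case "${1:-}" in
    add) add_snat; show_state ;;
    del) del_snat ;;
    *)   : ;;   # no action given: only define the functions
esac
```

Run as `sh snat-ct.sh add` to see the commands, and with `DRY_RUN=0` as root to apply them. This works where a host-side `ip route ... src` does not because the `src` hint on a route only chooses the source for packets the host itself originates; packets forwarded from the container keep whatever source the container picked. Connection tracking reverses the SNAT on the reply, and the host already has the `10.0.0.100 dev venet0` route for the return path; the existing MASQUERADE rule is bound to `-o vmbr0`, so it does not interact with this traffic. With the rewrite in place, a MySQL account on the 10.0.0.200 VM restricted to hosts matching 10.0.0.% (together with binding the server to the vmbr10 address, as Udo suggests) sees only the private source.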