Traffic leaking through Linux Bridge

Do you have any firewall routing in between different VLANs?
As with the others, could you send me the output of the following commands (via DM / mail if you prefer)?

Code:
bridge fdb show
cat /etc/network/interfaces
qm config <vmid>

ip -details l show <vmbrX>
ip -details l show master <vmbrX>

tcpdump -i <vmbrX> -w output.pcap

edit: from what I could tell from the other occurrences: as soon as MAC learning is disabled on the bridge and an external gateway / firewall is used, the bridge doesn't know and learn about the MAC address of the external gateway. This means that packets get flooded to all ports on the bridge (default behavior).

There are a few ways to remedy this:

You can manually add the MAC address of the gateway / firewall to the FDB of the bridge
You can disable unicast flooding for all ports of the bridge, except the bridge port
You can re-enable MAC learning (but then any guest can 'create' entries in the FDB by sending respective Ethernet frames)
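One way to turn the requested diagnostics into the first two remedies, as an added example that is not from the thread: the script parses constructed `ip -details link show master vmbrX` output, lists ports with MAC learning off, and prints the `bridge` commands to review before running them on the host (the port names, the uplink name `eno1` and the gateway MAC are assumptions).

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample in the shape of
# `ip -details link show master vmbr0` (port names are assumptions).
SAMPLE_PORTS='2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state UP
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on
7: tap100i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state UNKNOWN
    bridge_slave state forwarding priority 32 cost 100 hairpin off guard off root_block off fastleave off learning off flood on mcast_flood on
8: tap101i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state UNKNOWN
    bridge_slave state forwarding priority 32 cost 100 hairpin off guard off root_block off fastleave off learning off flood on mcast_flood on'

# parse_ports TEXT -> one "port learning flood" triple per bridge port
parse_ports() {
  printf '%s\n' "$1" | awk '
    /^[0-9]+: / { port = $2; sub(/:$/, "", port) }
    /bridge_slave/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "learning") l = $(i + 1)
        if ($i == "flood")    f = $(i + 1)
      }
      print port, l, f
    }'
}

# learning_off_ports TEXT -> ports whose FDB will never learn the gateway MAC
learning_off_ports() {
  parse_ports "$1" | awk '$2 == "off" { print $1 }'
}

# Remedy 1: fdb_cmd UPLINK GATEWAY_MAC -> static FDB entry pointing at the uplink
fdb_cmd() {
  printf 'bridge fdb add %s dev %s master static\n' "$2" "$1"
}

# Remedy 2: flood_cmds TEXT UPLINK -> turn unicast flooding off on every
# learning-off port that still floods, leaving the uplink untouched
flood_cmds() {
  parse_ports "$1" | awk -v up="$2" \
    '$2 == "off" && $3 == "on" && $1 != up { print "bridge link set dev " $1 " flood off" }'
}

# Show what would be run for the sample (gateway MAC is a constructed value)
learning_off_ports "$SAMPLE_PORTS"
fdb_cmd eno1 02:00:00:aa:bb:cc
flood_cmds "$SAMPLE_PORTS" eno1
```

On a real host, feed `$(ip -details link show master vmbr0)` in place of the sample and check the result against `bridge fdb show` afterwards.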
 
I just want to say I am new to ProxMox and have recently switched from VMware in a home lab. I am seeing similar behavior in that I am seeing unicast traffic being flooded across my network (even outside of the VM environment).

I have all new hardware for ProxMox and have already moved all of my hosts from either Synology VM Manager or ESXi. The Synology VMM was a middle step to determine whether it was sufficient for my needs.

In any case, I have a pretty simple setup. 3 nodes in a cluster, each has 3 network ports - one is not used currently, two are set in an LACP bond with no IP address assigned. I added bond0 to the vmbr0 interface (only bridge I have as my VM network is flat) and I assign the IP to vmbr0.

I use a Synology via NFS for vm storage using the vmbr0 interface.

With this setup, I can actually see the NFS traffic between the host and the NFS server when running tcpdump on a guest. I cannot think of a single reason this should be occurring. I know it is not the optimal setup, but it really is a pretty simple setup.

I assume I likely need to do more learning on Linux bridging and whatnot, but there really does seem to be an issue somewhere with the default configuration, and I would not expect to see this happen without doing something wrong lol.
 
Would you be able to provide me the aforementioned output either here or via DM if you don't want to post it publicly?
 
I would DM you but I am not sure I have the rights to do that. I have all of the information together except the tcpdump, but I did do a quick tcpdump in the guest showing unicast traffic it should not see in my info to send. Let me know how I can send that and I will get it over.
 
Hi,
We deal with quite sensitive data; it would take us a long time to comb through it all eliminating any personal data.
Could we rather do a screensharing session, where you can have a look at this issue together with us, without sending any data to you?
Perhaps you can say "do that, let us see that" etc. through a screensharing session. Please let us know.
 
Just wanted to post a follow up. I think my particular issue was self-inflicted in some way, but I really don't have a good explanation for it at this time.

I had been using NFS between the PVE hosts and my Synology for image storage. I have no idea why, but a guest on one of the pve hosts could see this NFS traffic between all three hosts (not just the host the guest was on). This traffic was also being flooded to other hosts plugged into the same physical switch.

Since, I have moved from 4 separate IPs on my NFS server (which was supported well with VMware with multipath NFS) to a single LACP bond (layer 2+3). I configured the NFS export in the datacenter configuration and removed the shared folders. With all of these changes, the traffic is no longer visible. I've no idea why this all happened, but I will keep monitoring.

I want to give @shanreich a shout out for the willingness to help a hobbyist through a rough spot in the transition from VMware to ProxMox. Thank you.