venet0:0 accessible from outside Proxmox?

curlingcanteen

Feb 28, 2013
The documentation here: https://openvz.org/Common_Networking_HOWTOs#Venet
states:
After [adding a venet] the host should be able to ping the VE.
Why would the host be able to ping the venet? I thought the idea of a venet was to provide connectivity between CTs but not between external networks?

Second (related) question:
Is there any way a venet IP could conflict with an IP outside of the Proxmox infrastructure[1]? It's been suggested that I shouldn't use 10.10.10.xxx addresses since they are routable on our LAN. My response was that venet NICs are essentially firewalled from the LAN. Who's correct?

[1] I understand that if ip-forwarding and masquerading are enabled then we'd essentially have a NAT, but the IPs would still be isolated from the LAN, right?
 
Hello curlingcanteen

The documentation here: https://openvz.org/Common_Networking_HOWTOs#Venet
states:

Why would the host be able to ping the venet? I thought the idea of a venet was to provide connectivity between CTs but not between external networks?

venet0 is a virtual NIC which is accessible from both the host and all containers on it.

If it can be used only for internal (= host to Container and back) or for external (where host is physically connected to) connection too depends on the assigned addresses.

Examples:

Let's assume the host has a physical connection to the internet on eth0 with address 90.91.92.93/24, a physical connection to a local LAN on eth1 with address 10.10.10.93/24 and a dummy NIC without any physical connection and address 10.1.1.93.

- if a container has assigned to its venet0:0 90.91.92.99:

connections to the host and the internet but not to other members of the local LAN are possible out from the container

- if a container has assigned to its venet0:0 10.10.10.99:

connections to local LAN and the host but not to the internet are possible out from the container

- if a container has assigned to its venet0:0 10.1.1.99:

connections to the host but not to the internet or other members in the local LAN are possible out from the container



Second (related) question:
Is there any way a venet IP could conflict with an IP outside of the Proxmox infrastructure[1]? It's been suggested that I shouldn't use 10.10.10.xxx addresses since they are routable on our LAN. My response was that venet NICs are essentially firewalled from the LAN. Who's correct?

[1] I understand that if ip-forwarding and masquerading are enabled then we'd essentially have a NAT, but the IPs would still be isolated from the LAN, right?

Yes, it should be unique with regard to all of the host's LAN connections. venet0 is not related to NAT at all.

Generally speaking: using venet0 has some limitations. If the network setup is more complex I recommend not using venet0 but veth for containers.

Kind regards

Mr.Holmes
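
The three cases in the reply above, written out as an added example (not part of the thread and not Proxmox or OpenVZ code): it maps a planned venet address to the host subnet it falls in and flags addresses that collide with ones already in use. The interface name `dummy0`, the /24 on the dummy NIC, the container IDs and the `in_use` inventory are assumptions.

```python
import ipaddress

# Host interfaces from the example in the post above (constructed sample data).
# Assumption: /24 on the dummy NIC; the post gives 10.1.1.93 without a prefix.
HOST_IFACES = {
    "eth0": ("90.91.92.93/24", "internet"),
    "eth1": ("10.10.10.93/24", "local LAN"),
    "dummy0": ("10.1.1.93/24", None),  # no physical segment behind it
}

def venet_exposure(ct_ip, host_ifaces=HOST_IFACES):
    """Return (host interface, segment) whose subnet contains ct_ip.

    (None, None) means the address matches no host subnet; a segment of None
    means only the host itself is reachable, as in the post's third case.
    """
    addr = ipaddress.ip_address(ct_ip)
    for name, (cidr, segment) in host_ifaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name, segment
    return None, None

def audit_plan(ct_ips, in_use, host_ifaces=HOST_IFACES):
    """List findings for planned venet addresses.

    in_use: addresses already taken on the physical segments (hypothetical
    inventory, for instance an export from DHCP or IPAM).
    """
    findings = []
    taken = {ipaddress.ip_address(a) for a in in_use}
    # The host's own addresses count as taken too.
    taken |= {ipaddress.ip_interface(c).ip for c, _ in host_ifaces.values()}
    seen = set()
    for ct, ip in ct_ips.items():
        addr = ipaddress.ip_address(ip)
        name, segment = venet_exposure(ip, host_ifaces)
        if addr in taken or addr in seen:
            findings.append((ct, ip, "conflict: address already in use"))
        elif segment:
            findings.append((ct, ip, f"on {name} subnet: can reach the {segment}"))
        seen.add(addr)
    return findings
```
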
 
Hello curlingcanteen

venet0 is a virtual NIC which is accessible from both the host and all containers on it.

If it can be used only for internal (= host to Container and back) or for external (where host is physically connected to) connection too depends on the assigned addresses.
This is written very confusingly. The word only implies one method (in this case, internal). I think the word you're looking for is either?

Examples:

Let's assume the host has a physical connection to the internet on eth0 with address 90.91.92.93/24, a physical connection to a local LAN on eth1 with address 10.10.10.93/24 and a dummy NIC without any physical connection and address 10.1.1.93.
...
- if a container has assigned to its venet0:0 10.1.1.99:
connections to the host but not to the internet or other members in the local LAN are possible out from the container
I think I understand the first two cases. The third strikes me as odd since when creating a venet there exists no method to define a netmask. How does the address get assigned?

...venet0 is not related to NAT at all.
I understand there is no inherent relation to NAT, but as explained in the linked example, it is common to implement a NAT path to an external network.

Generally speaking: using venet0 has some limitations. If the network setup is more complex I recommend to not use venet0 but veth for containers.

Kind regards

Mr.Holmes
Thank you very much for the explanation!
 
