Very strange issue: Is it Proxmox, VLANs or hardware problem?

syd

Hello all!

I'm confused, because I don't know which way I should go to look for solutions. Let me describe my problem as simply as I can. It's about network issues. This is the schema:
Code:
        _____________________________________________________________
       |                                                             |
       |   _______________________          ______________________   |
       |  |eth0(11)       eth1(33)|        |eth0(33)      eth1(22)|  |
       |  |1.1.1.65/30  1.1.1.2/30| ------ |1.1.1.1/30  1.0.0.2/30|  |
       |  |________Router2________|        |________Router1_______|  |
       |                                                             |
       |                                                             |
       |______eth0_______________ProxmoxVE________________eth1_______|
               |                                           |
               |                                           |
               |                                           |
               |                                           |
            ___|___________________________________________|____
           |   e1   |   e2   |   e3   |   e4  |   e5   |   e6   |
           | id:11  | id:11  |        |       | id:22  | id:22  |
           | tagged |untagged|        |       |untagged| tagged |
           |        |        |                |        |        |
           |________|___|____|_____Switch_____|___|____|________|
                        |                         |
                        |                         |
                        |                         |
                       LAN                       WAN
                  ______|______                   |
                 |     eth0    |               INTERNET
                 | 1.1.1.66/30 |              1.0.0.1/30
                 |____Host1____|                  |

Description:
In the picture above we have two routers, which are running on one PVE, and they are separated by added NICs which belong to different VLANs. The routers see their NICs as normal Ethernet interfaces (eth0, eth1). They don't see or create VLANs. Traffic from the LAN goes through Router2 and then Router1, which has a connection to the Internet. All addresses here are public (I have the 1.1.1.0/24 public IPs). Router1 has a route to 1.1.1.64/30 via 1.1.1.2 on eth0. Generally the routing is fine - checked hundreds of times. The routers are running CentOS. When I'm on Host1 I have an Internet connection, sites are working well, no problems at first look.

The problem:
Ping to Host1 from Router1 and from the world doesn't come back. It gets more curious when I tell you that the ping requests actually get to Host1! I have no idea why the host just doesn't answer them. It has been checked on different computers and routers. It's not a problem with the firewall on Host1, because pings from Router2 or from the network of Host1 get answers. Let me show you some screenshots (213.216.77.125 is like Host1 here; 213.216.77.1 is like Router1; 213.216.77.121 is like Router2):
[Attached screenshots: ping.png, ping2.png]

I didn't find any differences between ICMP request packets from the first Router2 and from other hosts behind Router2 :/
Until now I was working with NAT on Router2 and it was fine. Now I have to give real public IPs to some hosts in my LAN.

And now...
When I create a VM on this ProxmoxVE and set it up exactly like Host1, then pings work fine! So the problem is in PVE, or in the VLANs, or in the hardware.

Hardware:
I'm using a Cisco SLM224G switch. There are not so many options to screw up, and the newest firmware is on it.
The hardware for PVE is a Dell PowerEdge R410 with 2x Xeon 5500 series.

ProxmoxVE & VLANs:
It's the newest version, 1.9, but on 1.7 there was the same problem. Both routers are running as KVMs on CentOS (checked on 5 and 6). All VLANs are made by Proxmox and given as NICs to the KVMs. I'm using VIRTIO, but I also tried Realtek and e1000 emulation (no changes at all). Network configuration:

/etc/network/interfaces

Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address  172.16.1.10
        netmask  255.255.255.0
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

auto vmbr11
iface vmbr11 inet static
        address  172.21.1.10
        netmask  255.255.0.0
        gateway  172.21.1.1
        bridge_ports eth0.11
        bridge_stp off
        bridge_fd 0

auto vmbr22
iface vmbr22 inet manual
        bridge_ports eth1.22
        bridge_stp off
        bridge_fd 0

auto vmbr33
iface vmbr33 inet manual
        bridge_ports eth0.33
        bridge_stp off
        bridge_fd 0

ip link show
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
5: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
6: vmbr11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
7: eth0.11@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
8: vmbr22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
9: eth1.22@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
10: vmbr33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
11: eth0.33@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
12: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
13: tap102i11d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 82:8b:f6:d8:47:71 brd ff:ff:ff:ff:ff:ff
14: tap102i33d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 42:2d:38:ff:4d:b5 brd ff:ff:ff:ff:ff:ff
15: tap101i22d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 3a:e6:a0:0a:91:39 brd ff:ff:ff:ff:ff:ff
16: tap101i33d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 7e:44:ab:24:6d:ba brd ff:ff:ff:ff:ff:ff
21: tap106i11d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 96:ff:5f:f1:0a:43 brd ff:ff:ff:ff:ff:ff
22: tap106i33d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 22:2c:a8:43:cb:41 brd ff:ff:ff:ff:ff:ff
25: tap105i11d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 2e:fe:29:49:34:e6 brd ff:ff:ff:ff:ff:ff



I give up! It has been killing me for weeks. I can't get a properly working Internet connection on Host1 because of this. I think that the problem is somewhere on OSI Layer 2, but the results show up in Layer 3 somehow. Or maybe something is going wrong on Layer 3 only, it's hard for me to say. It starts between the VM and Host1, so we have PVE or the switch, but more people would say that the issue is somewhere in PVE, maybe in the method of packet conversion and sending.
All in all, now I don't even know where I should dig - is it an issue with PVE, VLANs, the switch, hardware or something more? Please, somebody help me! I will be grateful for any ideas.


Best Regards,
syd
 
Hi syd,
you have mixed tagged and untagged networks on one interface (eth0) - this doesn't work (even/mostly?). If you switch to tagged only it should work:
Code:
auto vmbr0
iface vmbr0 inet static
        address  172.16.1.10
        netmask  255.255.255.0
        bridge_ports eth0.1
        bridge_stp off
        bridge_fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

auto vmbr11
iface vmbr11 inet static
        address  172.21.1.10
        netmask  255.255.0.0
        gateway  172.21.1.1
        bridge_ports eth0.11
        bridge_stp off
        bridge_fd 0

auto vmbr22
iface vmbr22 inet manual
        bridge_ports eth1.22
        bridge_stp off
        bridge_fd 0

auto vmbr33
iface vmbr33 inet manual
        bridge_ports eth0.33
        bridge_stp off
        bridge_fd 0
In this case, your switch must provide the default-network tagged (VID 1).

Udo
 
Thanks for the answer!

So, if I understand correctly, I need to turn off any untagged packets on the PVE Ethernet interfaces? I left PVE's eth0 without any tag and with a private IP just in case, but the clean (no VLAN) community should be separated from my LAN anyway, because the LAN is connected only to port e2, which does the untagging from ID 11 to clean packets, and this port communicates only with VLAN ID 11 (in this option only one ID can be bound to a port). I do not use VLANs in my LAN, except on PVE and the switch. Router1&2 "don't see" VLANs. The same goes for any other stuff on my LAN. The ID for administering the switch is set to ID 11, because I'm connected from the LAN to port e2, but the untagged ID is marked as "1" - I think it is always like that in switches.

So I will turn off untagged traffic on the PVE Ethernet interfaces as you proposed and we'll see. I have to do this at night anyway.

Thanks!
Best Regards,
syd


PS: PVE is connected to Router2 (NAT) via eth0.11, but there are also some issues which I described here. Maybe it will tell something more about the problem from this thread.
 
Hi syd,
another possibility is to use eth0 untagged for vmbr0 and all tagged traffic on eth1 (eth1.11, eth1.22...).
 
Well, I did as you said, but nothing changed at all :(

All tagged traffic is on one Ethernet interface of PVE. The other is turned off. Also, the same port on the switch is turned off. I don't see any changes on the network and the problem still occurs :(

My config now looks like this:
Code:
# network interface settings
auto lo
iface lo inet loopback

iface eth0 inet manual

iface eth1 inet manual

auto vmbr0
iface vmbr0 inet static
        address  172.16.1.10
        netmask  255.255.255.0
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

auto vmbr11
iface vmbr11 inet static
        address  172.21.1.10
        netmask  255.255.0.0
        gateway  172.21.1.1
        bridge_ports eth1.11
        bridge_stp off
        bridge_fd 0

auto vmbr22
iface vmbr22 inet manual
        bridge_ports eth1.22
        bridge_stp off
        bridge_fd 0

auto vmbr33
iface vmbr33 inet manual
        bridge_ports eth1.33
        bridge_stp off
        bridge_fd 0


Any ideas?

Thanks!
Best Regards,
syd
 
Hi!

If only I could see something wrong with it. You can see that the ping requests de facto hit Host1, but stay unanswered by it.

Here is some tcpdump output from my PVE:

Code:
vitek:~# tcpdump -vvv -i eth1 host 213.216.77.122 | grep ICMP
15:31:36.941008  IP (tos 0x0, ttl 116, id 44, offset 0, flags [none], proto ICMP (1),  length 60) 95.160.190.68 > 213.216.77.122: ICMP echo request, id 512,  seq 20227, length 40
15:32:58.551156 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto  ICMP (1), length 84) 213.216.77.1 > 213.216.77.122: ICMP echo  request, id 7979, seq 145, length 64
15:32:58.797175 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto  ICMP (1), length 84) 213.216.77.121 > 213.216.77.122: ICMP echo  request, id 30504, seq 149, length 64
15:32:58.803726 IP (tos 0x0, ttl 64, id 8452, offset 0, flags [none],  proto ICMP (1), length 84) 213.216.77.122 > 213.216.77.121: ICMP echo  reply, id 30504, seq 149, length 64

In this picture we have four examples (lines) of transmitted ICMP packets. Three requests and only one answer. Host1 answers only its first router (Router2, 213.216.77.121), not Router2 (213.216.77.1) and the world (95.160.190.68). I don't see a difference between the first two lines and the third line :| To me it's weird. I don't know where and how I can diagnose this better.

Thanks for the answers!
Best Regards,
syd
 
Hi syd,
there must be something wrong with your VLAN tagging. The tcpdump output is without tags and eth1 is your tagged device (isn't it?).

A tagged output looks like this:
Code:
tcpdump -vvv -i eth0 | grep ICMP
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:16:36.536418 vlan 23, p 0, IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.4.200 > 172.20.3.61: ICMP echo request, id 5961, seq 15, length 64
17:16:36.536441 vlan 23, p 0, IP (tos 0x0, ttl 64, id 19503, offset 0, flags [none], proto ICMP (1), length 84) 172.20.3.61 > 172.20.4.200: ICMP echo reply, id 5961, seq 15, length 64
17:16:36.755009 vlan 23, p 0, IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.3.21 > 172.20.3.87: ICMP echo request, id 22999, seq 5, length 64
17:16:36.755144 vlan 23, p 0, IP (tos 0x0, ttl 128, id 18113, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.3.87 > 172.20.3.21: ICMP echo reply, id 22999, seq 5, length 64
17:16:37.536386 vlan 23, p 0, IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.4.200 > 172.20.3.61: ICMP echo request, id 5961, seq 16, length 64
the same on the vlan-device:
Code:
 tcpdump -vvv -i eth0.23 | grep ICMP
tcpdump: WARNING: eth0.23: no IPv4 address assigned
tcpdump: listening on eth0.23, link-type EN10MB (Ethernet), capture size 96 bytes
17:21:24.318986 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.4.200 > 172.20.3.61: ICMP echo request, id 5982, seq 1, length 64
17:21:24.319024 IP (tos 0x0, ttl 64, id 19510, offset 0, flags [none], proto ICMP (1), length 84) 172.20.3.61 > 172.20.4.200: ICMP echo reply, id 5982, seq 1, length 64
17:21:25.318801 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.4.200 > 172.20.3.61: ICMP echo request, id 5982, seq 2, length 64
17:21:25.318829 IP (tos 0x0, ttl 64, id 19511, offset 0, flags [none], proto ICMP (1), length 84) 172.20.3.61 > 172.20.4.200: ICMP echo reply, id 5982, seq 2, length 64
17:21:26.318754 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.4.200 > 172.20.3.61: ICMP echo request, id 5982, seq 3, length 64
Do you see the difference?

Part of my interfaces:
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address  0.0.0.0
        netmask  0.0.0.0

auto eth0.20
iface eth0.20 inet static
        address  0.0.0.0
        netmask  0.0.0.0

auto eth0.23
iface eth0.23 inet static
        address  0.0.0.0
        netmask  0.0.0.0

auto eth0.30
iface eth0.30 inet static
        address  0.0.0.0
        netmask  0.0.0.0

auto eth1
iface eth1 inet static
        address 0.0.0.0
        netmask 0.0.0.0

auto vmbr0
iface vmbr0 inet static
        address  172.20.2.11
        netmask  255.255.255.0
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0


auto vmbr23
iface vmbr23 inet static
        address  172.20.3.61
        netmask  255.255.255.0
        gateway  172.20.3.xxx
        bridge_ports eth0.23
        bridge_stp off
        bridge_fd 0

auto vmbr20
iface vmbr20 inet manual
        bridge_ports eth0.20
        bridge_stp off
        bridge_fd 0

auto vmbr30
iface vmbr30 inet manual
        bridge_ports eth0.30
        bridge_stp off
        bridge_fd 0
Udo
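The two captures compared in the posts above (untagged lines on eth1, `vlan 23` lines on a trunk device) can be checked mechanically. The following is an added example, not code from any participant in this thread: it parses `tcpdump -vvv` ICMP echo lines, records the VLAN tag when tcpdump printed one, and reports per source how many echo requests were answered. The sample lines are copied from the captures in the thread; the `/30` passed as `local_net` is an assumption based on the /30 links in the schema of the first post.

```python
import ipaddress
import re

# One ICMP echo line as printed by `tcpdump -vvv` (whitespace is normalised first).
LINE_RE = re.compile(
    r"^\S+ (?:vlan (?P<vlan>\d+), p \d+, )?IP \(.*?\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Lines copied from the untagged capture in the thread (taken on eth1).
UNTAGGED_CAPTURE = """\
15:31:36.941008 IP (tos 0x0, ttl 116, id 44, offset 0, flags [none], proto ICMP (1), length 60) 95.160.190.68 > 213.216.77.122: ICMP echo request, id 512, seq 20227, length 40
15:32:58.551156 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 213.216.77.1 > 213.216.77.122: ICMP echo request, id 7979, seq 145, length 64
15:32:58.797175 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 213.216.77.121 > 213.216.77.122: ICMP echo request, id 30504, seq 149, length 64
15:32:58.803726 IP (tos 0x0, ttl 64, id 8452, offset 0, flags [none], proto ICMP (1), length 84) 213.216.77.122 > 213.216.77.121: ICMP echo reply, id 30504, seq 149, length 64
"""

# Two lines copied from the tagged capture in the thread (taken on the trunk device).
TAGGED_CAPTURE = """\
17:16:36.536418 vlan 23, p 0, IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 172.20.4.200 > 172.20.3.61: ICMP echo request, id 5961, seq 15, length 64
17:16:36.536441 vlan 23, p 0, IP (tos 0x0, ttl 64, id 19503, offset 0, flags [none], proto ICMP (1), length 84) 172.20.3.61 > 172.20.4.200: ICMP echo reply, id 5961, seq 15, length 64
"""


def parse(text):
    """Return one dict per ICMP echo line; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(" ".join(raw.split()))
        if not m:
            continue  # ESP, ISAKMP, tcpdump warnings, etc.
        ev = m.groupdict()
        ev["vlan"] = int(ev["vlan"]) if ev["vlan"] else None  # None = no tag printed
        ev["id"], ev["seq"] = int(ev["id"]), int(ev["seq"])
        events.append(ev)
    return events


def unanswered(events):
    """Echo requests with no reply carrying swapped addresses and the same id/seq."""
    replies = {(e["dst"], e["src"], e["id"], e["seq"])
               for e in events if e["kind"] == "reply"}
    return [e for e in events if e["kind"] == "request"
            and (e["src"], e["dst"], e["id"], e["seq"]) not in replies]


def summarize(events, local_net=None):
    """Per request source: sent, answered, VLAN tags seen, and on-link status."""
    net = ipaddress.ip_network(local_net) if local_net else None
    lost = {(e["src"], e["dst"], e["id"], e["seq"]) for e in unanswered(events)}
    table = {}
    for e in events:
        if e["kind"] != "request":
            continue
        row = table.setdefault(
            e["src"], {"sent": 0, "answered": 0, "vlans": set(), "on_link": None})
        row["sent"] += 1
        row["answered"] += (e["src"], e["dst"], e["id"], e["seq"]) not in lost
        row["vlans"].add(e["vlan"])
        if net is not None:
            row["on_link"] = ipaddress.ip_address(e["src"]) in net
    return table


if __name__ == "__main__":
    # 213.216.77.120/30 is an assumed prefix for the Host1 link, not stated in the thread.
    for name, text, net in (("untagged", UNTAGGED_CAPTURE, "213.216.77.120/30"),
                            ("tagged", TAGGED_CAPTURE, None)):
        for src, row in summarize(parse(text), net).items():
            print(name, src, row)
```

On the untagged capture the only answered source is the on-link 213.216.77.121, a pattern that points at the target host's reply policy rather than at frame delivery.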
 
...
Code:
...

iface eth1 inet manual
...
iface vmbr1 inet manual
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

auto vmbr11
iface vmbr11 inet static
        address  172.21.1.10
        netmask  255.255.0.0
        gateway  172.21.1.1
        bridge_ports eth1.11
        bridge_stp off
        bridge_fd 0

auto vmbr22
iface vmbr22 inet manual
        bridge_ports eth1.22
        bridge_stp off
        bridge_fd 0

auto vmbr33
iface vmbr33 inet manual
        bridge_ports eth1.33
        bridge_stp off
        bridge_fd 0
...
BTW. you mixed tagged/untagged-vlans with vmbr1!
Does it work without vmbr1?

Udo
 
BTW. you mixed tagged/untagged-vlans with vmbr1!
Does it work without vmbr1?

I have vmbr1 turned off (it is not marked to autostart):
Code:
vitek:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
4: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:81 brd ff:ff:ff:ff:ff:ff
5: vmbr11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
6: eth1.11@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
7: vmbr22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
8: eth1.22@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
9: vmbr33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
10: eth1.33@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:26:b9:3f:47:82 brd ff:ff:ff:ff:ff:ff
11: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
12: tap102i11d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 46:51:a2:36:d9:9c brd ff:ff:ff:ff:ff:ff
13: tap102i33d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether f6:fd:41:38:1f:58 brd ff:ff:ff:ff:ff:ff
14: tap101i22d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 8e:26:57:95:17:7b brd ff:ff:ff:ff:ff:ff
15: tap101i33d0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 12:b7:5c:95:cb:06 brd ff:ff:ff:ff:ff:ff

But I think that if the VLANs are working well, it doesn't matter if there is tagged and untagged traffic on one interface - they shouldn't see each other anyway, that's the idea of VLANs. Am I wrong?


there must something wrong with your vlan-tagging. The tcpdump output is without tags and eth1 is your tagged device (isn't it?)

Yes, all VLANs are on eth1.
The question is why, when I run tcpdump on PVE, I don't see the same results as you do? I mean this part: "vlan 23, p 0, IP". Did you run tcpdump directly on the PVE machine or somewhere in between?

Another thing. I did a capture on my eth1.11 and there is traffic which should be there:
Code:
vitek:~# tcpdump -vvv -i eth1.11 host 213.216.77.122
20:23:43.313078 IP (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 173.236.172.48 > 213.216.77.122: ICMP echo request, id 41293, seq 216, length 64
20:23:44.312862 IP (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 173.236.172.48 > 213.216.77.122: ICMP echo request, id 41293, seq 217, length 64
20:23:45.313033 IP (tos 0x0, ttl 45, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 173.236.172.48 > 213.216.77.122: ICMP echo request, id 41293, seq 218, length 64
20:23:46.305286 IP (tos 0x0, ttl 64, id 44129, offset 0, flags [none], proto ESP (50), length 104) 213.216.77.122 > 62.233.232.98: ESP(spi=0x6c9bffd8,seq=0x1ea), length 84
20:23:46.305341 IP (tos 0x0, ttl 64, id 44130, offset 0, flags [none], proto UDP (17), length 120) 213.216.77.122.isakmp > 62.233.232.98.isakmp: isakmp 1.0 msgid  cookie ->: phase 2/others ? inf[E]: [encrypted hash]

Also, when I turned off VLAN ID 11 on the switch on PVE's port, I lost the connection to Router2 (vmbr11).


I hope that the VLAN problem is the key to my ping problem O_o
I'm grateful for any answers
Best Regards,
syd
 
Hi.

Is it necessary to have bonding when we start doing VLANs?

I'm asking because of this: http://pve.proxmox.com/wiki/Vlans

I did my configuration through the HTTP GUI last year - just by adding a new bridge and typing eth0.11 into the ports field, that's it.
You, Udo, don't have bonding and it seems to be OK.
 
Hi,
yes, I don't use bonding... it depends on the switch side, but IMHO it sometimes gives trouble.
I also edit the interfaces file directly.

Udo
 
OK, I think the problem is solved!

As it tends to be, it was a nuance. And, what makes me happy, it wasn't Proxmox's fault.

I discovered that the problem with not answering ping requests didn't occur on Linux-based platforms. The computer on which I was testing the configuration was just a laptop with Windows 7. Before the tests I enabled pinging of this computer, but now I see that there - unlike in XP - is an option to not reply to pings from external networks, which means the last one would be a gateway. Another thing that made me not suspect the Windows firewall configuration was the fact that the not-working Host1 on my client's side was a hardware router (my first thought was that there is some UNIX-based OS on it), and the administrator of that hardware is a computer engineer who made a suggestion about that issue. So if it's not working on a hardware router and on a Windows computer, we have an issue somewhere in the LAN. Nothing like that ;)

OK, that's it! I very much appreciate your answers in this thread, Udo! I'm also thankful to anyone who read this thread and used their experience to think about it.

Best Regards,
syd
 
