VM as router

[DeepB]

Hello everybody,

First let me say that what I intend is not for a real production environment.

I want to virtualize a gateway with only one NIC.

So I have the cable modem with integrated router and wifi-ap.

I thought something like that: Modem/router/wifi-ap: 10.0.1.10 with Subnet mask 255.255.0.0, then the virtualized server with 10.0.1.2 AND 10.0.0.1. The server would also have a DHCP server, and only offer 10.0.0.x adresses. My goal would be that everything from that network would flow over the gateway.

Is that possible and feasible?

best regards
Daniel

 

[ravib123]

From a technical standpoint I could see it working, though of course not feasible in a production environment.


The configuration would be something like this:

Cable Modem (gateway) -> Switch -> ProxmoxVE

Then install a VM with something, lets say pfsense, with a few virtual nics, then it provides DHCP and is the gateway in the served DHCP settings.

Other devices would connect to the switch and get served from the pfsense VM.

From a real standpoint this is terrible in practice because, aside from performance, you could have issues with advanced routing, vlans, etc not working properly.

Also I should mention, even in a testbed environment with a few users this will likely result in very poor performance, mostly because I assume from your question that hardware is going to be on a tight budget and without proper routing a 255.255.0.0 subnet makes for very poor performance since you have to arp 65K devices all the time.

 

[DeepB]

The scenario is that I want to test a home-automation linux distribution (linuxMCE), and this system wants to have two NICs and be the gateway (different reasons, clients booting over lan, asterisk...) and before I buy the additional hardware I want to test it. So it is a home-environment, wit a max of 10 users.

Do you have any other idea to accomplish this?

best regards
Daniel

 

[ravib123]

yes, if you
don't use 255.255.0.0 and instead use 255.255.255.0 for your mask it should be much better, and for such a small test it would be no problem since you would need no special routing.

if you must have more than 250 devices on the network then I'd wager you'll hit some odd problems. but again from a technical standpoint this should work as a test.

 

[tarax]

Hi,

From a real standpoint this is terrible in practice because, aside from performance, you could have issues with advanced routing, vlans, etc not working properly.

Could you please give us example(s) of advanced routing and vlans troubles one could face ?

Also I should mention, even in a testbed environment with a few users this will likely result in very poor performance, mostly because I assume from your question that hardware is going to be on a tight budget and without proper routing a 255.255.0.0 subnet makes for very poor performance since you have to arp 65K devices all the time.

Does this depends directly on the subnet mask (like initialization made from the start for 65k devices), or on the real effective number of devices on the network ?

Thank you in advance for your answers
Bests

 

[ravib123]

Hi,



Could you please give us example(s) of advanced routing and vlans troubles one could face ?



Does this depends directly on the subnet mask (like initialization made from the start for 65k devices), or on the real effective number of devices on the network ?

Thank you in advance for your answers
Bests

I don't have any specific examples of vlan and advanced routing issues you might have, but I suspect you will see issues with advanced routing that may create some abnormal behavior like drops in connectivity randomly due to subnet mask lookups due to the switch (most cheap switches have a very small arp cache). Vlan issues may arise from hardware level limitations (review pfsense hardware requirements for vlans).

These could be resolved with enterprise equipment, but if you had that you wouldn't be asking about this configuration I suspect.

From your questions it sounds like you will attempt to use this in live environment and not the lab, and I would discourage you from doing that because this configuration will make it difficult to track down network level issues.

Subnet mask defines how many devices the network will arp, on every arp cache miss it will need to lookup 65K devices, number of connected devices is irrelevant. You should do a quick review of networking basics, netmask, and arp cache before you continue because your questions are too expansive to answer on a forum post.

Again this can be solved with enterprise equipment and a managed, fully routed network or using a different number of devices. For instance /24 netmask would be adequate for most homes as this provides 254 devices, in such a case there is no need for vlans, or any advanced routing and all these issues disappear, at which point the VM router becomes more reliable and much easier to diagnose should issues arise.

If you must have alternate IP ranges and the internal devices (automation) don't need internet access you might try a bootp server.

 

[FastLaneJB]

I've got my Proxmox being a router (pfSense) to my home network without issues. I'd agree this isn't something you'd use in a business but I have no issues. I have tried 2.1 with VirtIO drivers and the 2.0 with the e1000 drivers without a problem however I am currently using PCI Passthrough as my server has 4 NIC's.

So the configuration currently is 2 NIC's passed directly to the pfSense for LAN and WAN. The other 2 NIC's are bonded and used for other VM's on the host. I have a switch that supports this.

The advantage I see to this configuration is while the router is running on the host its got direct access to the NICs so can control them as if it was physical. Also its actually then quite isolated from the other VM's as well. Performance is great even when other VM's are working the system hard.

In my case I wanted to be able to push 200Mbit's of OpenVPN traffic which you cannot do without a reasonable CPU but didn't want extra heat / electricity costs of running a powerful second box for a router. This way all my VM's and router sit on one server (ML110 G7 with a Quad Core Xeon).

As NICs are cheap, if your hardware supports VT-d I recommend this for a home / lab environment.

 

[ravib123]

I've got my Proxmox being a router (pfSense) to my home network without issues. I'd agree this isn't something you'd use in a business but I have no issues. I have tried 2.1 with VirtIO drivers and the 2.0 with the e1000 drivers without a problem however I am currently using PCI Passthrough as my server has 4 NIC's.

So the configuration currently is 2 NIC's passed directly to the pfSense for LAN and WAN. The other 2 NIC's are bonded and used for other VM's on the host. I have a switch that supports this.

The advantage I see to this configuration is while the router is running on the host its got direct access to the NICs so can control them as if it was physical. Also its actually then quite isolated from the other VM's as well. Performance is great even when other VM's are working the system hard.

In my case I wanted to be able to push 200Mbit's of OpenVPN traffic which you cannot do without a reasonable CPU but didn't want extra heat / electricity costs of running a powerful second box for a router. This way all my VM's and router sit on one server (ML110 G7 with a Quad Core Xeon).

As NICs are cheap, if your hardware supports VT-d I recommend this for a home / lab environment.

FastLaneJB:
In this description you're having no issues. It's a great little home setup, but again it's not 255.255.0.0, no advanced network configs or vlans (one assumes)

In his original description and question he specified this netmask, if you're looking at a /24 netmask it's not even the same planet of networking complexity to achieve a reliable network. If he wanted to use a /24 netmask like you do at home (or at least like almost all home users would because who needs more than 254 devices at home?) he wouldn't need a managed switch or any complex networking setups, and it would be more or less plug and play.

LET ME ALSO REMIND YOU: He wants to use 1 physical NIC for all this traffic, I never would but it is one of his requirements. (If it helps I use the intel 10GBase-T nics and I love them, got me a stack in the lab to go with the 10GBase-T switch, but even if I have 20 of them it doesn't change him having a single nic)

If I was doing any home automation I would use 2 subnets, with a BOOTP for the automation devices/management server on their own subnet if that was supported. It seems like a very clean way to handle the process, but alas I don't do home automation much, too expensive for most folks around here and I mostly work with business to business ... Short of that I would use a managed switch with 2 vlans and iphelpers, then route the vlan so they can reach each other on the switch. Thus avoiding the need for the 255.255.0.0 while still supporting now up to 508 total addresses.

My assumption is that this can be done with the virtual machine method with little or no difficulty, however again the hardware requirements for the switch suddenly become an issue because a solid fully managed switch isn't cheap (poe one assumes for automation devices), and now you need at least 6 48 port switches to pass the address barrier of /24, or a bunch of wifi access points if you don't care about reliability.

That being said if someone has the money to invest in enough home automation that 254 devices isn't enough I think it's a stretch to believe that they cant afford proper hardware to run the network.

DeepB: If you could post a quick diagram of your layout I'd be happy to post a response, please include switch model (managed or web) and I'd be happy to give you a few more detailed examples to point you in the right direction along with how much can be done in the switch vs in pfsense (it will be faster in the switch in this case).

 

[FastLaneJB]

FastLaneJB:
In this description you're having no issues. It's a great little home setup, but again it's not 255.255.0.0, no advanced network configs or vlans (one assumes)

In his original description and question he specified this netmask, if you're looking at a /24 netmask it's not even the same planet of networking complexity to achieve a reliable network. If he wanted to use a /24 netmask like you do at home (or at least like almost all home users would because who needs more than 254 devices at home?) he wouldn't need a managed switch or any complex networking setups, and it would be more or less plug and play.

LET ME ALSO REMIND YOU: He wants to use 1 physical NIC for all this traffic, I never would but it is one of his requirements. (If it helps I use the intel 10GBase-T nics and I love them, got me a stack in the lab to go with the 10GBase-T switch, but even if I have 20 of them it doesn't change him having a single nic)

Your right I have no advanced network setup really with this other than the LAG for the bonded NIC's which is used for the VM's and not the router. I do however standby that I see no reason my router couldn't support all the features of pfSense and the physical NIC's when they are passed directly to that VM. My switch that does LAG obviously can do a VLAN but I have no need for it at home.

I did see he wanted to use a single NIC but clearly he really needs to invest and buy a few more as I suggested with them being cheap. He's not mentioned VLAN's but wants his single NIC with home router and probably unmanaged switch to be running 2 different subsets to allow the VM to run as a router. Its just not really a feasible setup without VLAN's on a single NIC and I suspect he doesn't have a managed switched.

Rather than buy a proper managed switch he should just buy 2 more NIC's as this is a small investment and he can then try what he wants on the Proxmox box. If that all works as he likes then he's free to buy anything else he needs outside of the Proxmox host for his home automation.