VM gets all traffic from VLAN if VLAN exists also in SDN

romrider (New Member), Mar 3, 2025
When a VM is assigned a bridge interface (VLAN aware) with a VLAN tag on the interface and this VLAN also exists as a VNET (same bridge and same VLAN tag) AND is assigned to a VM AND VMs are spread over different hosts, the VM with the bridge assigned directly gets all the traffic of the VLAN on the host it is running on.

Test case:
  • 3 hosts pve cluster (LACP bond0 child of a VLAN aware bridge vmbr0)
  • SDN Zone of type VLAN (bridge vmbr0) with a VNET running on VLAN 1234 called test
  • 3 VMs (test1, test2, test3) with 1 interface assigned
  • ping is running between test2 and test3
  • tcpdump is running on test1

Case 1:
  • All the VMs are running on the same host and are using a mix of vmbr0+VLAN1234 or VNET
  • Result:
    • no problem whatever the configuration on the network interfaces
    • They all only get their own traffic whether they are assigned the VNET or the vmbr0+VLAN1234 directly
Case 2:
  • All the VMs are spread in the cluster and are either ALL using vmbr0+VLAN1234 directly or ALL using VNET
  • Result:
    • no problem, the VMs are only getting their own traffic

Case 3:
  • All the VMs are spread in the cluster
  • On one host: test1 is using vmbr0+VLAN1234 and test3 is using VNET (if both VMs are using vmbr0+VLAN1234 this doesn't happen)
  • On another host: test2 is using VNET
  • Result:
    • The VM test1 using the bridge+VLAN interface can see the echo request from test2 (other host) to test3 (same host)
    • (screenshot attached: 1763381999057.png)

This seems quite unexpected behavior and I think it might be a bug; how do I proceed further?
 
Replicated the setup on 9.0.15 but was not able to reproduce the issue unfortunately.
As a hint, you may look at the setup on the host when a network interface gets created for a VM that is attached to vmbr0.####:

Bash:
root@pve1:~# ip addr | grep tap
71: tap103i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UNKNOWN group default qlen 1000

Notice that it is created with PROMISC (promiscuous mode), which might explain why in your example it's not filtering out traffic it's not meant to see.
Could try: turning off PROMISC on that interface OR enabling the firewalls if they aren't already.
 
Thanks for your answer. I'm also running 9.0.15.

Firewall with empty rule set doesn't change anything (and adding firewall rules is not a solution as the traffic is still processed, just "dropped").
Also, all VM interfaces are created with PROMISC in PVE by default, so that's not an option either.

To reproduce the issue you need at least 2 hosts and 3 VMs:
2 VMs on the same host: 1 with bridge+VLAN as interface and the other with the VNET configured on the same VLAN
1 VM on another host with the VNET on the same VLAN assigned to its interface

Ping between the 2 VNET configured VMs, run tcpdump on the bridge+VLAN one.

Sometimes, after a VM migration between hosts, this issue disappears until the VM is stopped/started or the interface setting is changed in PVE.

For the sake of completeness, this is the configuration:

Host network configuration:
(screenshot attached: 1763395015919.png)

SDN config:
(screenshots attached: 1763394973770.png, 1763394989522.png)

Bridge+VLAN interface:
(screenshot attached: 1763395035151.png)

VNET interface:
(screenshot attached: 1763395070293.png)
 
Now I was able to reproduce it when two VMs are on the same host.
Possibly this has been discussed before here: https://forum.proxmox.com/threads/traffic-leaking-through-linux-bridge.158113/

When unicast flooding is turned off for the offending bridge, the issue goes away with it.
Bash:
bridge link set dev tap103i0 flood off

Now the curious thing is that, according to the manual on iproute2/bridge:
flood on or flood off
Controls whether a given port will flood unicast traffic for which there is no FDB entry. By default this flag is on.
Packets should only be flooded if there is no FDB entry, yet as shown by bridge fdb show we do have entries for all associated parties and a unique entry for the ping destination host, which is bc:24:11:5d:bb:95 in my case.
Bash:
root@pve1:~# bridge fdb show | grep bc:24:11
bc:24:11:71:1f:50 dev bond0 vlan 1400 master vmbr0
bc:24:11:71:1f:50 dev vmbr0.1400 master pvenet1
bc:24:11:b6:24:e6 dev vmbr0.1400 master pvenet1
bc:24:11:b6:24:e6 dev tap103i0 vlan 1400 master vmbr0
bc:24:11:5d:bb:95 dev tap100i0 master pvenet1

No idea why this is happening exactly, but it sure is happening.
Would be very interested to find out what the root cause of this is and if there is a better solution for stopping it other than turning unicast flooding off entirely.
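Two checks that follow from the points raised above, as an added example (not code from the thread or from Proxmox): the kernel's forwarding decision on a VLAN-aware bridge is keyed by bridge, VLAN and MAC, so `fdb_lookup` answers "does this bridge hold an entry for this MAC in this VLAN?", and `flood_ports` lists the ports of a bridge that still carry the `flood on` token that the `bridge link set ... flood off` workaround clears. Run over the five FDB lines posted above, the lookup shows the ping destination bc:24:11:5d:bb:95 is only known on pvenet1 (VLAN 0, i.e. a bridge that is not VLAN aware) and has no entry on vmbr0 in VLAN 1400; whether that is what makes vmbr0 treat the frame as unknown unicast is my reading of the output, not something the thread establishes. The FDB sample is the posted output; the `bridge -d link show` sample is constructed in the shape iproute2 prints, with assumed port indices and costs.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox.
#   fdb_lookup BRIDGE VLAN MAC   stdin: `bridge fdb show` output
#       prints the port holding the entry, or nothing (=> unknown unicast)
#   flood_ports BRIDGE           stdin: `bridge -d link show` output
#       prints each port of BRIDGE whose detail line has "flood on"
# On a live host:
#   bridge fdb show     | fdb_lookup vmbr0 1400 bc:24:11:5d:bb:95
#   bridge -d link show | flood_ports vmbr0

# VLAN 0 selects entries without a "vlan" token, i.e. entries on a bridge
# that is not VLAN aware. The MAC is compared case-insensitively.
fdb_lookup() {
  awk -v b="$1" -v v="$2" -v m="$(printf '%s' "$3" | tr 'A-F' 'a-f')" '
    tolower($1) == m {
      dev = ""; vl = "0"; master = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "dev")         dev = $(i + 1)
        else if ($i == "vlan")   vl = $(i + 1)
        else if ($i == "master") master = $(i + 1)
      }
      if (master == b && vl == v) { print dev; exit }
    }'
}

# The "mcast_flood on" token is deliberately not matched: only the exact
# token pair "flood on" counts, which is the unicast flood flag.
flood_ports() {
  awk -v b="$1" '
    /^[0-9]+: / {
      port = $2; sub(/:$/, "", port); master = ""
      for (i = 3; i <= NF; i++) if ($i == "master") master = $(i + 1)
      next
    }
    master == b {
      for (i = 1; i < NF; i++) if ($i == "flood" && $(i + 1) == "on") print port
    }'
}

# --- sample input for the offline run ---------------------------------------
# FDB lines: the five posted in the thread.
SAMPLE_FDB='bc:24:11:71:1f:50 dev bond0 vlan 1400 master vmbr0
bc:24:11:71:1f:50 dev vmbr0.1400 master pvenet1
bc:24:11:b6:24:e6 dev vmbr0.1400 master pvenet1
bc:24:11:b6:24:e6 dev tap103i0 vlan 1400 master vmbr0
bc:24:11:5d:bb:95 dev tap100i0 master pvenet1'

# Link lines: constructed (assumed indices/costs), before the flood-off workaround.
SAMPLE_LINK='4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
71: tap103i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
72: tap100i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 master pvenet1 state forwarding priority 32 cost 2
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off'

sample_fdb_lookup()  { printf '%s\n' "$SAMPLE_FDB"  | fdb_lookup "$@"; }
sample_flood_ports() { printf '%s\n' "$SAMPLE_LINK" | flood_ports "$@"; }

# Report where the ping destination from the thread is known, per bridge/VLAN,
# and which ports would receive it as unknown unicast where it is not.
report() {
  for key in "vmbr0 1400" "pvenet1 0"; do
    set -- $key
    port=$(sample_fdb_lookup "$1" "$2" bc:24:11:5d:bb:95)
    if [ -n "$port" ]; then
      echo "$1 vlan $2: entry on $port -> forwarded to that port only"
    else
      echo "$1 vlan $2: no entry -> unknown unicast, flooded to: $(sample_flood_ports "$1" | tr '\n' ' ')"
    fi
  done
}
report
```

The report prints that pvenet1 forwards the MAC to tap100i0 only, while vmbr0 has no entry in VLAN 1400 and the remaining `flood on` ports there are bond0 and tap103i0, which is the tap the thread switched to `flood off`.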
 
Hi!
Could you post the output of ip a and the content of your /etc/network/interfaces (+ /etc/network/interfaces.d/*) config files?
 
Hi,
Sure, here you go. That's from the host where 2 of the test VMs are running, one with VNET, one with bridge+VLAN.
  • ip a
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp87s0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    altname enx88aedd653ee9
3: enx6c1ff71ab36e: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc fq_codel master bond0 state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff permaddr 6c:1f:f7:1a:b3:6e
4: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr0 state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
6: vlan1011@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet X.X.X.X/X scope global vlan1011
       valid_lft forever preferred_lft forever
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
7: vlan1010@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet X.X.X.X/X scope global vlan1010
       valid_lft forever preferred_lft forever
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
8: vlan1001@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet X.X.X.X/X scope global vlan1001
       valid_lft forever preferred_lft forever
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
9: vmbr0.1012@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cephPub state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
10: cephPub: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet X.X.X.X/X scope global cephPub
       valid_lft forever preferred_lft forever
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
11: vmbr0.1254@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master dns state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
12: dns: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
13: vmbr0.1021@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master k8sBack state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
14: k8sBack: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
15: vmbr0.1031@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master k8sFront state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
16: k8sFront: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
19: vmbr0.1020@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master k8sPub state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
20: k8sPub: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
21: vmbr0.100@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lan state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
22: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
23: vmbr0.1252@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master monit state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
24: monit: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
25: vmbr0.1255@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master tailscal state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
26: tailscal: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
27: tap129i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr129i0 state UNKNOWN group default qlen 1000
    link/ether f2:03:56:dc:16:a2 brd ff:ff:ff:ff:ff:ff
28: fwbr129i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 9e:46:43:b2:b0:f6 brd ff:ff:ff:ff:ff:ff
29: fwpr129p0@fwln129i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master k8sFront state UP group default qlen 1000
    link/ether fa:3a:14:50:f0:98 brd ff:ff:ff:ff:ff:ff
30: fwln129i0@fwpr129p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr129i0 state UP group default qlen 1000
    link/ether 9e:46:43:b2:b0:f6 brd ff:ff:ff:ff:ff:ff
31: tap129i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr129i1 state UNKNOWN group default qlen 1000
    link/ether 72:d6:e3:b9:58:ea brd ff:ff:ff:ff:ff:ff
32: fwbr129i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ae:85:67:19:92:9c brd ff:ff:ff:ff:ff:ff
33: fwpr129p1@fwln129i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cephPub state UP group default qlen 1000
    link/ether 4e:fe:c6:a8:70:67 brd ff:ff:ff:ff:ff:ff
34: fwln129i1@fwpr129p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr129i1 state UP group default qlen 1000
    link/ether ae:85:67:19:92:9c brd ff:ff:ff:ff:ff:ff
35: tap132i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr132i0 state UNKNOWN group default qlen 1000
    link/ether 4a:f8:d8:11:ea:49 brd ff:ff:ff:ff:ff:ff
36: fwbr132i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether d2:7e:d0:00:48:34 brd ff:ff:ff:ff:ff:ff
37: fwpr132p0@fwln132i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master k8sFront state UP group default qlen 1000
    link/ether ba:05:21:1f:97:08 brd ff:ff:ff:ff:ff:ff
38: fwln132i0@fwpr132p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr132i0 state UP group default qlen 1000
    link/ether d2:7e:d0:00:48:34 brd ff:ff:ff:ff:ff:ff
39: tap132i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr132i1 state UNKNOWN group default qlen 1000
    link/ether 22:59:43:72:c4:20 brd ff:ff:ff:ff:ff:ff
43: veth120i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr120i0 state UP group default qlen 1000
    link/ether fe:8a:45:23:df:50 brd ff:ff:ff:ff:ff:ff link-netnsid 0
44: fwbr120i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:71:2c:11:3b:b9 brd ff:ff:ff:ff:ff:ff
45: fwpr120p0@fwln120i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master monit state UP group default qlen 1000
    link/ether a6:bc:e3:9c:0f:ce brd ff:ff:ff:ff:ff:ff
46: fwln120i0@fwpr120p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr120i0 state UP group default qlen 1000
    link/ether f6:71:2c:11:3b:b9 brd ff:ff:ff:ff:ff:ff
48: tap135i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr135i0 state UNKNOWN group default qlen 1000
    link/ether 6e:ce:38:5c:a7:39 brd ff:ff:ff:ff:ff:ff
49: fwbr135i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 6e:6b:f2:fc:80:0e brd ff:ff:ff:ff:ff:ff
50: fwpr135p0@fwln135i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master k8sFront state UP group default qlen 1000
    link/ether 4e:88:9b:9c:6d:e2 brd ff:ff:ff:ff:ff:ff
51: fwln135i0@fwpr135p0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr135i0 state UP group default qlen 1000
    link/ether 6e:6b:f2:fc:80:0e brd ff:ff:ff:ff:ff:ff
52: tap135i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master fwbr135i1 state UNKNOWN group default qlen 1000
    link/ether fa:d0:ea:e5:7f:00 brd ff:ff:ff:ff:ff:ff
53: fwbr135i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 66:42:7d:0f:df:df brd ff:ff:ff:ff:ff:ff
54: fwpr135p1@fwln135i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cephPub state UP group default qlen 1000
    link/ether fa:e1:bc:dc:39:f5 brd ff:ff:ff:ff:ff:ff
55: fwln135i1@fwpr135p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr135i1 state UP group default qlen 1000
    link/ether 66:42:7d:0f:df:df brd ff:ff:ff:ff:ff:ff
62: fwbr132i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fa:d8:9c:d5:35:88 brd ff:ff:ff:ff:ff:ff
63: fwpr132p1@fwln132i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cephPub state UP group default qlen 1000
    link/ether 52:2b:58:97:d3:7a brd ff:ff:ff:ff:ff:ff
64: fwln132i1@fwpr132p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master fwbr132i1 state UP group default qlen 1000
    link/ether fa:d8:9c:d5:35:88 brd ff:ff:ff:ff:ff:ff
65: vmbr0.1234@vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master test state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
66: test: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 88:ae:dd:65:3e:e9 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8aae:ddff:fe65:3ee9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
68: veth112i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noq

  • /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

auto enp87s0
iface enp87s0 inet manual

auto enx6c1ff71ab36e
iface enx6c1ff71ab36e inet manual

auto bond0
iface bond0 inet manual
        bond-slaves enp87s0 enx6c1ff71ab36e
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer3+4
        bond-lacp-rate 1

auto vmbr0
iface vmbr0 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vlan1011
iface vlan1011 inet static
        address X.X.X.X/X
        vlan-raw-device vmbr0
#Ceph Backend

auto vlan1010
iface vlan1010 inet static
        address X.X.X.X/X
        vlan-raw-device vmbr0
#Proxmox Clustering

auto vlan1001
iface vlan1001 inet static
        address X.X.X.X/X
        gateway X.X.X.X
        vlan-raw-device vmbr0
#Management

auto cephPub
iface cephPub inet static
        address X.X.X.X/X
        #vlan-raw-device vmbr0
#Ceph Public

source /etc/network/interfaces.d/*

  • /etc/network/interfaces.d/*
Code:
#version:71

auto cephPub
iface cephPub
        bridge_ports vmbr0.1012
        bridge_stp off
        bridge_fd 0

auto dns
iface dns
        bridge_ports vmbr0.1254
        bridge_stp off
        bridge_fd 0
        alias DNS

auto k8sBack
iface k8sBack
        bridge_ports vmbr0.1021
        bridge_stp off
        bridge_fd 0

auto k8sFront
iface k8sFront
        bridge_ports vmbr0.1031
        bridge_stp off
        bridge_fd 0
        alias Homelab K8S Front

auto k8sPub
iface k8sPub
        bridge_ports vmbr0.1020
        bridge_stp off
        bridge_fd 0

auto lan
iface lan
        bridge_ports vmbr0.100
        bridge_stp off
        bridge_fd 0
        alias lan

auto monit
iface monit
        bridge_ports vmbr0.1252
        bridge_stp off
        bridge_fd 0
        alias Monitoring

auto tailscal
iface tailscal
        bridge_ports vmbr0.1255
        bridge_stp off
        bridge_fd 0
        alias Tailscale

auto test
iface test
        bridge_ports vmbr0.1234
        bridge_stp off
        bridge_fd 0