vnet - "isolate ports" does not work cluster-wide

DarthVaddr
Apr 19, 2022
Good morning,
I want to have a cluster-wide vnet, which uses port isolation so no VM in it is able to communicate with another VM in the same vnet.
However this only works between 2 or more VMs running on the same host and vnet.
VMs in this vnet running on different hosts can perfectly communicate with each other.

Can anybody point me in the right direction on how to achieve this:

- to have a vnet whose members are isolated from each other, no matter on which hosts they run.

Thanks
Vaddi
The only way to currently achieve this is by utilizing the nftables firewall + VNet-level firewall. With it you should be able to block communication cluster-wide by creating respective rules.
Thanks for your reply but I cannot figure out how to do this.
Actually what I did is create a vlan zone and a vnet named v41 (matching the vlan id of the vlan on the network).
Could you please give me a brief description of the steps?

[screenshot attachment: 1747041159187.png]

Thanks, Vaddi
  • Go to SDN > VNet Firewall > select 'V41'
  • Enable the firewall in the option
  • Create a rule that drops forward traffic with source/destination +sdn/V41-all
If you are using a gateway, you would need to create a rule that explicitly allows traffic from / to that gateway as well before the DROP rule.
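The steps above, written out as the firewall configuration they produce. This is an added illustration, not the poster's own config: the file path /etc/pve/sdn/firewall/V41.fw, the nftables: 1 switch in cluster.fw and the +sdn/V41-gateway IPSet are taken from my reading of the Proxmox VE firewall documentation and should be checked against your version; the +sdn/V41-all IPSet is only populated when a subnet is defined on the VNet, so isolation does nothing until that is in place.

```ini
# --- /etc/pve/sdn/firewall/V41.fw (assumed location of the VNet-level firewall config) ---
# The SDN firewall only takes effect on the nftables backend (see cluster.fw below),
# and, because SDN config is cluster-wide, the same rules are applied on every node.
[OPTIONS]
enable: 1

[RULES]
# Order matters: allow the subnet gateway first, then drop everything else inside the VNet.
# +sdn/V41-gateway is the built-in IPSet of the VNet's subnet gateway(s) (assumed name).
FORWARD ACCEPT -source +sdn/V41-gateway -dest +sdn/V41-all
FORWARD ACCEPT -source +sdn/V41-all -dest +sdn/V41-gateway
# Isolation: drop forwarded traffic between any two members of V41, logged so a
# blocked flow shows up in the firewall log rather than as a silent timeout.
FORWARD DROP -source +sdn/V41-all -dest +sdn/V41-all -log info

# --- /etc/pve/firewall/cluster.fw (assumed key for Datacenter > Firewall > Options > nftables) ---
# [OPTIONS]
# nftables: 1
```

Before enabling, check that the VNet rules are the only ones in play: the management VLAN (248 in this thread) is not a member of V41, so these FORWARD rules must never match it. If connectivity to the cluster is lost after enabling, look at the datacenter- and host-level firewall options first, since enabling those defaults to dropping incoming traffic on the host itself.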
Thank you - I followed your advice and lost the connectivity to the cluster management (in another vlan actually).

This vnet firewall setting seems to affect more than vnet traffic.
BTW: the management interface sits as 0.248 subinterface on the uplink to the network (802.1q Trunk).
Do you have any other firewall rules that might've gotten accidentally enabled? What does your network configuration look like exactly? Was the firewall enabled before that? Because the default setting when enabling the firewall is to drop incoming traffic.

The VNet firewall should only affect traffic inside that VNet, so either it's a bug or something else caused that issue in your case.
No other firewall rules. Never configured any before. My network config on each of the 3 cluster nodes is as follows:

auto lo
iface lo inet loopback

iface enp2s0f0 inet manual

iface enp2s0f1 inet manual

auto bond0
iface bond0 inet manual
bond-slaves enp2s0f0 enp2s0f1
bond-miimon 100
bond-mode 802.3ad
bond-xmit-hash-policy layer2+3


auto vmbr0.248 # Management interface in VLAN 248 (Linux sub-interface)
iface vmbr0.248 inet static
address X.X.X.X/24
gateway X.X.X.1

auto vmbr0 # VLAN bridge for the VM adapters. -> Enter the VLAN tag in the designated field of the VM's network adapter!
iface vmbr0 inet manual
bridge-ports bond0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

Thanks, Vaddi