[PVE-User] proxmox2 bridge ip alias
THe_ZiPMaN
flavio-pve at zipman.it
Sat Jul 28 23:13:41 CEST 2012
On 07/28/2012 09:38 PM, Stefan wrote:
> Hello all,
> I want a second net on an interface and trying without luck by editing
> /etc/network/interfaces:
>
> auto vmbr00
> iface vmbr00 inet static
> address 10.100.221.1
> netmask 255.255.255.0
> gateway 10.100.221.254
> bridge_ports eth0:0
> bridge_stp off
> bridge_fd 0
>
> When I use vmbr0:0 it seems to work.
>
> auto vmbr0:0
> iface vmbr0:0 inet static
> address 10.100.221.1
> netmask 255.255.255.0
> gateway 10.100.221.254
> bridge_ports eth0:0
> bridge_stp off
> bridge_fd 0
>
> I can do ping -I vmbr0:0 to the world.
It seems to me that there are other errors too... i.e. eth0:0 shouldn't
be joined to the bridge.
> But using this I don't have it in
> webinterface and can't use it for vm's. Cause the "colon" is not accepted in
> gui config.
Wait. I think you are just a bit confused... In the web interface you
choose the BRIDGE to which the VMs' nics will be connected. Bridge is a
level 2 concept, not a level 3. You can have a bridge without any IP and
that's fine. You can think of a bridge as a switch that comprises the
physical interface on the host and the virtual interfaces of the VMs.
> Tried a lot of things and searching but can not find a solution.
Maybe if you describe your setup and what you would need, it's simpler
to help.
> What is the correct way having multiple net's on a nic, each useable for
> vm's??
If you need multiple subnets on the same physical network you can do as
you were doing, assigning multiple secondary ips to the bridge.
Usually I prefer to use the ip utils to accomplish this task:

auto vmbr0
iface vmbr0 inet static
    address 10.100.221.1
    netmask 255.255.255.0
    gateway 10.100.221.254
    bridge_ports eth0
    bridge_stp off
    bridge_fd 0
    up ip addr add 10.100.222.1/24 dev vmbr0 || true
    up ip addr add 10.100.223.1/24 dev vmbr0 || true
    down ip addr del 10.100.222.1/24 dev vmbr0 || true
    down ip addr del 10.100.223.1/24 dev vmbr0 || true

Instead, if you want more physical networks you must create multiple
bridges, but in this case you must set up routing. Indeed I usually prefer
this latter setup.
So in /etc/network/interfaces you will find something like this:
###########################
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.254

auto vmbr0
iface vmbr0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
    address 10.0.10.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0

auto vmbr2
iface vmbr2 inet static
    address 10.0.20.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
###########################
And of course in /etc/sysctl.conf you will have something like this
###########################
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding=1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
###########################
In this case I strongly recommend setting up a firewall, and of course the
best choices are shorewall and shorewall6, for ipv4 and ipv6
respectively. A simple "everything open" setup for ipv4 can be as simple
as creating the following files:
###########################
# /etc/shorewall/zones
fw firewall
net ipv4
virt ipv4
###########################
# /etc/shorewall/interfaces
net eth0 -
virt vmbr0 - bridge,optional
virt vmbr1 - bridge,optional
###########################
# /etc/shorewall/policy
fw all ACCEPT
virt net ACCEPT
virt all REJECT
all all REJECT
###########################
# /etc/shorewall/macro.Proxmox
PARAM - - tcp 80,443,8006
###########################
# /etc/shorewall/rules
Ping(ACCEPT) all fw
Proxmox(ACCEPT) net fw
SSH(ACCEPT) net fw
--
Flavio Visentin
A computer is like an air conditioner,
it stops working when you open Windows
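
Added example, not part of the original message: a small Python check for the two mistakes pointed out in the reply (a bridge declared on an alias name such as vmbr0:0, and an alias such as eth0:0 listed in bridge_ports), plus one added assumption, that every addressed bridge on a forwarding host should also appear in /etc/shorewall/interfaces. The function names and the sample text are constructed for illustration.

```python
# Constructed samples: the alias stanza from the question plus one routed bridge,
# and an /etc/shorewall/interfaces that covers only eth0 and vmbr0.
INTERFACES = """\
auto vmbr0:0
iface vmbr0:0 inet static
    address 10.100.221.1
    netmask 255.255.255.0
    bridge_ports eth0:0

auto vmbr2
iface vmbr2 inet static
    address 10.0.20.1
    netmask 255.255.255.0
    bridge_ports none
"""
SHOREWALL = "net eth0 -\nvirt vmbr0 - bridge,optional\n"

def parse_stanzas(text):
    """Map each 'iface' stanza name to its option lines (last value wins)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) > 1:
            current = stanzas.setdefault(words[1], {})
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def zoned_interfaces(text):
    """Interface names (second column) that shorewall assigns to a zone."""
    rows = (l.split() for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {r[1] for r in rows if len(r) > 1}

def lint(interfaces_text, shorewall_text):
    """Return (stanza, finding) pairs for the mistakes discussed in the thread."""
    zoned, findings = zoned_interfaces(shorewall_text), []
    for name, opts in parse_stanzas(interfaces_text).items():
        if "bridge_ports" not in opts:
            continue
        if ":" in name:  # alias names carry an extra IP; they are not bridges
            findings.append((name, "bridge declared on alias name"))
        findings += [(name, "alias port " + p) for p in opts["bridge_ports"].split() if ":" in p]
        if "address" in opts and name.split(":")[0] not in zoned:
            findings.append((name, "addressed bridge missing from shorewall"))
    return findings
```

Calling lint() on the text of /etc/network/interfaces and /etc/shorewall/interfaces returns an empty list when none of the three conditions is present.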