[pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

Alexandre DERUMIER aderumier at odiso.com
Thu Jan 25 13:35:03 CET 2018


Also, we need to define a public network to know where NAT is done.


bridge: tenantnetwork1
        bridge vmbr1
        vlan x (optional)
        gateway_address 10.0.1.1/24
        gateway_macaddress a2:ed:21:06:e7:48
        gateway_node: node1(primary),node2(backup),node3(backup)
        public_network : vmbr0
        snat 1


If the user needs gateway failover, I don't know if it's better to manage it with the Proxmox CRM (maybe too slow?)
or with a VRRP daemon (we need to manage IP failover and send GARP).


----- Original Mail -----
From: "Alexandre Derumier" <aderumier at odiso.com>
To: "dietmar" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Thursday 25 January 2018 12:37:45
Subject: Re: [pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

maybe to begin with something simple, 

can we try to implement a simple bridge plugin + s-nat 


bridge: tenantnetwork1 
gateway_address 10.0.1.1/24 
gateway_macaddress a2:ed:21:06:e7:48 
gateway_node 
vlan 1 (optional) 
snat 1 



and try to generate the s-nat rules on gateway_node 

iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o eth0 -j MASQUERADE 

(or maybe better : iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to-source public ip) 

and also firewall bridge rules if the VM is on the same node as the gateway

#iptables -t raw -A PREROUTING -i fwbr100i0 -j CT --zone 1 



and try to implement failover of the gateway 



----- Original Mail -----
From: "Alexandre Derumier" <aderumier at odiso.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 24 January 2018 11:03:12
Subject: Re: [pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

> I think it doesn't break the current model, as the firewall is done on the 
> fwbr between the vmbr and the tap interface. 

>>not a problem then (if it works). 

>>>I'll test today. 

Just tested, it's working fine. 

----- Original Mail -----
From: "aderumier" <aderumier at odiso.com>
To: "dietmar" <dietmar at proxmox.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 24 January 2018 09:56:56
Subject: Re: [pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

>>I just think there are many ways to provide that interconnect layer, basically 
>>any VPN or SDN solution? 

Yes, generally SDN solutions have their own gateway system, to interconnect the virtual and physical worlds.

openvswitch ovn : http://docs.openvswitch.org/en/latest/topics/high-availability/ 
opencontrail: http://www.opencontrail.org/category/Gateway/ 
vmware nsx edge: https://pubs.vmware.com/NSX-6/index.jsp?topic=%2Fcom.vmware.nsx.admin.doc%2FGUID-3F96DECE-33FB-43EE-88D7-124A730830A4.html 

In this case, you need an sdn controller somewhere, and manage it with api. 


If we want to use the Linux stack, we need to implement this ourselves with vxlan/iptables nat/dhcp (and the Proxmox cluster is the SDN "controller").

(With plugins, I think it can be done, as it's almost the same for all kinds of sdn : manage gateway, manage nat, s-nat, dhcp,....) 


Personally, I'd rather focus on the Linux stack first, to have something working without an external controller.





> I think it doesn't break the current model, as the firewall is done on the 
> fwbr between the vmbr and the tap interface. 

>>not a problem then (if it works). 

I'll test today. 

----- Original Mail -----
From: "dietmar" <dietmar at proxmox.com>
To: "aderumier" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 24 January 2018 09:21:54
Subject: Re: [pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

> >>Besides, I would start with something simpler than that. Maybe a virtual 
> >>network with NAT... 
> 
> If you want something simpler (so without vxlan-evpnbgp, or anycast gateway), 
> the only way is to manage central "network node" which handle 
> nat,s-nat,dhcp,.., 
> like classic openstack model. (and need to manage failover) 
> 

I just think there are many ways to provide that interconnect layer, basically 
any VPN or SDN solution? 

> >>We need to make sure that we can provide firewall service for those 
> >>'virtual' networks. 
> 
> I think it doesn't break the current model, as the firewall is done on the 
> fwbr between the vmbr and the tap interface. 

not a problem then (if it works). 

_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
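
Added example, not part of the original mails and not Proxmox code: one way to generate the s-nat rule on the gateway node from the stanza proposed in the thread, validating each value and emitting an argv list instead of a shell string. The function names, the `public_ip` parameter and the use of `public_network` as the outgoing interface are assumptions.

```python
import ipaddress
import re

# Constructed sample, following the stanza layout proposed in the mail.
SAMPLE = """\
bridge: tenantnetwork1
        bridge vmbr1
        gateway_address 10.0.1.1/24
        gateway_macaddress a2:ed:21:06:e7:48
        public_network : vmbr0
        snat 1
"""

# Linux interface names are at most 15 characters; allow a conservative set.
IFNAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}")


def parse_stanza(text):
    """Parse one stanza; accepts 'key value', 'key: value' and 'key : value'."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    kind, _, name = lines[0].partition(":")
    conf = {"type": kind.strip(), "id": name.strip()}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        conf[key.rstrip(":")] = value.lstrip(": ").strip()
    return conf


def snat_rule(conf, public_ip=None):
    """Return the POSTROUTING rule as an argv list, or None when snat is off.

    Values are validated and never pass through a shell, so a malformed
    config entry cannot turn into extra iptables arguments or commands.
    """
    if conf.get("snat") != "1":
        return None
    # gateway_address is a host address; derive the tenant subnet from it.
    subnet = ipaddress.IPv4Interface(conf["gateway_address"]).network
    out_if = conf["public_network"]  # assumption: NAT leaves via this bridge
    if not IFNAME.fullmatch(out_if):
        raise ValueError(f"bad interface name: {out_if!r}")
    rule = ["iptables", "-t", "nat", "-A", "POSTROUTING",
            "-s", str(subnet), "-o", out_if]
    if public_ip is None:
        return rule + ["-j", "MASQUERADE"]
    return rule + ["-j", "SNAT", "--to-source", str(ipaddress.IPv4Address(public_ip))]


if __name__ == "__main__":
    print(" ".join(snat_rule(parse_stanza(SAMPLE))))
```

The returned list can be handed to `subprocess.run(rule, check=True)` on the gateway node; passing a `public_ip` selects the SNAT form instead of MASQUERADE.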
