[pve-devel] More than 10 interfaces in lxc containers
sleemburg at it-functions.nl
Sun Aug 23 12:58:02 CEST 2020
Good afternoon Dietmar,
The reason is separation of client's resources on the machine(s).
In firewalling, it is not uncommon to use a lot of VLAN's.
For example at one of my clients that I do consultancy for, they have
more than 60 VLAN's defined on their firewall.
For my the setup is like this:
Zone Nr Purpose
WAN 1 Internet connectivity
MGMT 2 Management Network
DMZ 3 DMZ Network (proxyies, etc) accessible from the Internet
SHARED 4 Shared Hosting. Shared resources only Internet accessable
by some sources
SERVICES 5 Services for other networks, like shared database. No
CLIENT1 6 Client1's network
CLIENT2 7 Client2's network
CLIENT3 8 Client3's network
CLIENT4 9 Client4's network
CLIENT5 10 Client5's network
CLIENTX 10++ ClientX's network
Yesterday, I was configuring the CLIENTX's network and ran into the issue.
This node still has 'traditional' vmbr interfaces, but using openvswitch
would not help here.
If it would be possible to provide a 'trunk' openvswitch interface to
the CT, then from within the CT vlan devices could be setup from the
trunk, but in the end that will still create 10+ interfaces in the
This firewall is running on one of my OVH machines as a lxc container
with a fwbuilder (iptables) created firewall.
On my other OVH machine, I have a kvm with pfSense running. That pfSense
firewall has 11 interfaces.
But, I want to move from the KVM to a CT based setup and in the end also
replace the pfSense qm with a debian based ct.
I've read about more people asking for this. And in fact, I patched my
test proxmox system yesterday and it works perfectly.
It only requires 3 adjustments. So before I went to bed yesterday, I
have started cloning the proxmox repo's with:
for i in `curl -s https://git.proxmox.com/|grep .git|sed
's/.*p=\([^;]*\).*/\1/'|grep '.git$' |sort -u`; do git clone
Which provided me with an impressing 41GB of repo data ;-)
If you would accept the patch, then I will be happy to provide one based
upon the git repo's. I will read through te way you want to receive the
patch and send it formatted the way you require.
To be honest, I cannot see why raising it from 10 to 32 would be a
problem. And it would take away blocking my setup from being continued.
Also, as an IT person, I think the number 32 looks much better than the
number 10 ;-)
On 23-08-2020 07:10, Dietmar Maurer wrote:
>>> For me, I have that need too for a firewall container.
>> Why does your firewall need more the 10 interface?
> Sigh. too early in the morning... I wanted to ask:
> Why does your firewall need more than 10 interfaces?
> Normally, a firewall uses one interface per zone, and more
> than 10 zones are quite uncommon?
>>> Would you please consider raising the limit?
>> No, unless someone can explain why that is required ;-)
>> pve-devel mailing list
>> pve-devel at lists.proxmox.com
More information about the pve-devel