Network Configuration
---------------------
include::attributes.txt[]

{pve} uses a bridged networking model. Each host can have up to 4094
bridges. Bridges are like physical network switches implemented in
software. All VMs can share a single bridge, as if
virtual network cables from each guest were all plugged into the same
switch. But you can also create multiple bridges to separate network
domains.

For connecting VMs to the outside world, bridges are attached to
physical network cards. For further flexibility, you can configure
VLANs (IEEE 802.1q) and network bonding, also known as "link
aggregation". That way it is possible to build complex and flexible
virtual networks.

Debian traditionally uses the `ifup` and `ifdown` commands to
configure the network. The file `/etc/network/interfaces` contains the
whole network setup. Please refer to the manual page (`man interfaces`)
for a complete format description.

NOTE: {pve} does not write changes directly to
`/etc/network/interfaces`. Instead, we write into a temporary file
called `/etc/network/interfaces.new`, and commit those changes when
you reboot the node.

It is worth mentioning that you can directly edit the configuration
file. All {pve} tools try hard to preserve such direct user
modifications. Using the GUI is still preferable, because it
protects you from errors.


Naming Conventions
~~~~~~~~~~~~~~~~~~

We currently use the following naming conventions for device names:

* Ethernet devices: eth[N], where 0 ≤ N (`eth0`, `eth1`, ...)

* Bridge names: vmbr[N], where 0 ≤ N ≤ 4094 (`vmbr0` - `vmbr4094`)

* Bonds: bond[N], where 0 ≤ N (`bond0`, `bond1`, ...)

* VLANs: Simply add the VLAN number to the device name,
  separated by a period (`eth0.50`, `bond1.30`)

This makes it easier to debug network problems, because the device
names imply the device type.
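
The conventions above as a small name checker, added here as an example (it is not part of the {pve} tooling). It assumes that a VLAN suffix only appears on an ethernet or bond device, as in the examples listed:

```sh
# Classify a device name according to the {pve} naming conventions above.
# Added example, not part of the {pve} tooling. Prints ethernet, bridge,
# bond, vlan or invalid, and returns 1 for invalid names.
# Assumption: a VLAN suffix is only valid on an ethernet or bond device,
# as in the examples (`eth0.50`, `bond1.30`).
pve_ifname_type() {
    name=$1
    case $name in
    *.*)
        # VLAN: base device before the first period, VLAN ID 1..4094 after it
        base=${name%%.*}; vid=${name#*.}
        expr "$vid" : '[0-9][0-9]*$' >/dev/null || { echo invalid; return 1; }
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then echo invalid; return 1; fi
        basekind=$(pve_ifname_type "$base") || :
        case $basekind in
        ethernet|bond) echo vlan; return 0 ;;
        *)             echo invalid; return 1 ;;
        esac ;;
    esac
    case $name in
    eth*)  kind=ethernet; num=${name#eth} ;;
    vmbr*) kind=bridge;   num=${name#vmbr} ;;
    bond*) kind=bond;     num=${name#bond} ;;
    *)     echo invalid; return 1 ;;
    esac
    # N must be an unsigned integer; bridge numbers additionally stop at 4094
    expr "$num" : '[0-9][0-9]*$' >/dev/null || { echo invalid; return 1; }
    if [ "$kind" = bridge ] && [ "$num" -gt 4094 ]; then echo invalid; return 1; fi
    echo "$kind"
}
```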

Default Configuration using a Bridge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The installation program creates a single bridge named `vmbr0`, which
is connected to the first ethernet card `eth0`. The corresponding
configuration in `/etc/network/interfaces` looks like this:

----
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
----

Virtual machines behave as if they were directly connected to the
physical network. The network, in turn, sees each virtual machine as
having its own MAC, even though there is only one network cable
connecting all of these VMs to the network.


Routed Configuration
~~~~~~~~~~~~~~~~~~~~

Most hosting providers do not support the above setup. For security
reasons, they disable networking as soon as they detect multiple MAC
addresses on a single interface.

TIP: Some providers allow you to register additional MACs on their
management interface. This avoids the problem, but is clumsy to
configure because you need to register a MAC for each of your VMs.

You can avoid the problem by ``routing'' all traffic via a single
interface. This makes sure that all network packets use the same MAC
address.

A common scenario is that you have a public IP (assume `192.168.10.2`
for this example), and an additional IP block for your VMs
(`10.10.10.1/255.255.255.0`). We recommend the following setup for such
situations:

----
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp


auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
----


Masquerading (NAT) with `iptables`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In some cases you may want to use private IPs behind your Proxmox
host's true IP, and masquerade the traffic using NAT:

----
auto lo
iface lo inet loopback

auto eth0
#real IP address
iface eth0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1

auto vmbr0
#private sub network
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
----
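
An added example (not {pve} code) that audits the masquerading stanza above before it is committed: it checks that every `post-up iptables ... -A` rule has a `post-down ... -D` twin, and that `ip_forward` is enabled whenever a MASQUERADE rule is present. It assumes rules are written with single spaces, as in the stanza; the two sample files are constructed for the example.

```sh
# Audit an /etc/network/interfaces file for the masquerading stanza above:
# every "post-up iptables ... -A" rule needs a post-down twin using -D
# (otherwise each ifdown/ifup cycle leaves a duplicate rule behind), and a
# MASQUERADE rule does nothing unless ip_forward is enabled. Added example,
# not a {pve} tool; assumes single-spaced rules as in the stanza above.
check_nat_stanza() {
    cfg=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1")  # drop indentation
    rc=0
    while IFS= read -r line; do
        case $line in
        "post-up iptables "*" -A "*)
            rule=${line#"post-up "}
            twin="post-down $(printf '%s' "$rule" | sed 's/ -A / -D /')"
            if ! printf '%s\n' "$cfg" | grep -Fxq -- "$twin"; then
                echo "no post-down twin for: $rule" >&2
                rc=1
            fi ;;
        esac
    done <<EOF
$cfg
EOF
    if printf '%s\n' "$cfg" | grep -q MASQUERADE &&
       ! printf '%s\n' "$cfg" | grep -Fxq 'post-up echo 1 > /proc/sys/net/ipv4/ip_forward'; then
        echo "MASQUERADE present but ip_forward is never enabled" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: the masquerading stanza from this page (passes).
write_sample_good() {
    cat >"$1" <<'EOF'
auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        bridge_ports none
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
EOF
}
# Constructed sample: post-down forgotten, ip_forward never enabled (fails).
write_sample_bad() {
    cat >"$1" <<'EOF'
iface vmbr0 inet static
        bridge_ports none
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
EOF
}
```

Run it as `check_nat_stanza /etc/network/interfaces.new` before rebooting; a non-zero exit with a message on stderr names the offending rule.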

////
TODO: explain IPv6 support?
TODO: explain OVS
////