[pve-docs.git] / pve-network.adoc
Network Configuration
---------------------
include::attributes.txt[]

{pve} uses a bridged networking model. Each host can have up to 4094
bridges. Bridges are like physical network switches implemented in
software. All VMs can share a single bridge, as if
virtual network cables from each guest were all plugged into the same
switch. But you can also create multiple bridges to separate network
domains.

For connecting VMs to the outside world, bridges are attached to
physical network cards. For further flexibility, you can configure
VLANs (IEEE 802.1q) and network bonding, also known as "link
aggregation". That way it is possible to build complex and flexible
virtual networks.

Debian traditionally uses the 'ifup' and 'ifdown' commands to
configure the network. The file '/etc/network/interfaces' contains the
whole network setup. Please refer to the manual page ('man interfaces')
for a complete format description.

NOTE: {pve} does not write changes directly to
'/etc/network/interfaces'. Instead, we write into a temporary file
called '/etc/network/interfaces.new', and commit those changes when
you reboot the node.

It is worth mentioning that you can directly edit the configuration
file. All {pve} tools try hard to keep such direct user
modifications. Using the GUI is still preferable, because it
protects you from errors.

Naming Conventions
~~~~~~~~~~~~~~~~~~

We currently use the following naming conventions for device names:

* Ethernet devices: eth[N], where 0 ≤ N (`eth0`, `eth1`, ...)

* Bridge names: vmbr[N], where 0 ≤ N ≤ 4094 (`vmbr0` - `vmbr4094`)

* Bonds: bond[N], where 0 ≤ N (`bond0`, `bond1`, ...)

* VLANs: Simply add the VLAN number to the device name,
  separated by a period (`eth0.50`, `bond1.30`)

This makes it easier to debug network problems, because the device
name implies the device type.

Default Configuration using a Bridge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The installation program creates a single bridge named `vmbr0`, which
is connected to the first ethernet card `eth0`. The corresponding
configuration in '/etc/network/interfaces' looks like this:

----
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
----

Virtual machines behave as if they were directly connected to the
physical network. The network, in turn, sees each virtual machine as
having its own MAC, even though there is only one network cable
connecting all of these VMs to the network.


Routed Configuration
~~~~~~~~~~~~~~~~~~~~

Most hosting providers do not support the above setup. For security
reasons, they disable networking as soon as they detect multiple MAC
addresses on a single interface.

TIP: Some providers allow you to register additional MACs on their
management interface. This avoids the problem, but is clumsy to
configure because you need to register a MAC for each of your VMs.

You can avoid the problem by "routing" all traffic via a single
interface. This makes sure that all network packets use the same MAC
address.

A common scenario is that you have a public IP (assume 192.168.10.2
for this example), and an additional IP block for your VMs
(10.10.10.1/255.255.255.0). We recommend the following setup for such
situations:

----
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp


auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
----


Masquerading (NAT) with iptables
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In some cases you may want to use private IPs behind your Proxmox
host's true IP, and masquerade the traffic using NAT:

----
auto lo
iface lo inet loopback

auto eth0
# real IP address
iface eth0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1

auto vmbr0
# private sub network
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
----
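
The following is an added example, not part of the {pve} documentation: a small Python audit of the masquerading stanza above. It checks that every MASQUERADE rule appended in `post-up` has a matching `post-down` delete (without one, each `ifup` appends a duplicate and the rule outlives the bridge) and that the rule's source equals the bridge's own subnet. The function names and the embedded sample are constructed for this illustration.

```python
import ipaddress
import shlex

# Constructed sample: the vmbr0 stanza from the masquerading configuration above.
SAMPLE = """\
auto vmbr0
iface vmbr0 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
"""

def parse_stanzas(text):
    """Map each 'iface NAME ...' stanza to its list of (option, value) pairs."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(" ")
        if key == "iface":
            current = stanzas.setdefault(value.split()[0], [])
        elif key == "auto" or key.startswith("allow-"):
            current = None  # a new top-level line ends the stanza
        elif key and not key.startswith("#") and current is not None:
            current.append((key, value.strip()))
    return stanzas

def masq_rule(cmd, action):
    """Return (source, out_iface) when cmd is 'iptables ... <action> ... MASQUERADE'."""
    args = shlex.split(cmd)
    if args[:1] != ["iptables"] or action not in args or "MASQUERADE" not in args:
        return None
    opt = lambda flag: args[args.index(flag) + 1] if flag in args[:-1] else None
    return opt("-s"), opt("-o")

def audit_nat(text):
    """Return findings for MASQUERADE rules that are unpaired or wider than the bridge."""
    findings = []
    for name, opts in parse_stanzas(text).items():
        up = {r for k, v in opts if k == "post-up" and (r := masq_rule(v, "-A"))}
        down = {r for k, v in opts if k == "post-down" and (r := masq_rule(v, "-D"))}
        for src, out in sorted(up - down, key=str):
            findings.append(f"{name}: {src} via {out} added on post-up but never deleted")
        conf = dict(opts)
        if up and "address" in conf and "netmask" in conf:
            net = ipaddress.ip_network(f"{conf['address']}/{conf['netmask']}", strict=False)
            for src, _ in sorted(up, key=str):
                if src is None or ipaddress.ip_network(src, strict=False) != net:
                    findings.append(f"{name}: source {src} does not match bridge subnet {net}")
    return findings
```

`audit_nat(SAMPLE)` returns an empty list for the configuration shown on this page; widening the `post-up` source or dropping the `post-down` line produces one finding each.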

////
TODO: explain IPv6 support?
TODO: explain OVS
////