[pve-docs.git] / pve-network.adoc

[[sysadmin_network_configuration]]
Network Configuration
---------------------
ifdef::wiki[]
:pve-toplevel:
endif::wiki[]

{pve} uses a bridged networking model. Each host can have up to 4094
bridges. Bridges are like physical network switches implemented in
software. All VMs can share a single bridge, as if
virtual network cables from each guest were all plugged into the same
switch. But you can also create multiple bridges to separate network
domains.

For connecting VMs to the outside world, bridges are attached to
physical network cards. For further flexibility, you can configure
VLANs (IEEE 802.1q) and network bonding, also known as "link
aggregation". That way it is possible to build complex and flexible
virtual networks.

Debian traditionally uses the `ifup` and `ifdown` commands to
configure the network. The file `/etc/network/interfaces` contains the
whole network setup. Please refer to the manual page (`man interfaces`)
for a complete format description.

NOTE: {pve} does not write changes directly to
`/etc/network/interfaces`. Instead, we write into a temporary file
called `/etc/network/interfaces.new`, and commit those changes when
you reboot the node.

It is worth mentioning that you can directly edit the configuration
file. All {pve} tools tries hard to keep such direct user
modifications. Using the GUI is still preferable, because it
protect you from errors.


Naming Conventions
~~~~~~~~~~~~~~~~~~

We currently use the following naming conventions for device names:

* New Ethernet devices: en*, systemd network interface names.

* Legacy Ethernet devices: eth[N], where 0 ≤ N (`eth0`, `eth1`, ...)
They are available when Proxmox VE has been updated by an earlier version.

* Bridge names: vmbr[N], where 0 ≤ N ≤ 4094 (`vmbr0` - `vmbr4094`)

* Bonds: bond[N], where 0 ≤ N (`bond0`, `bond1`, ...)

* VLANs: Simply add the VLAN number to the device name,
  separated by a period (`eno1.50`, `bond1.30`)

This makes it easier to debug networks problems, because the device
names implies the device type.


Systemd Network Interface Names
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Systemd uses the two character prefix 'en' for Ethernet network
devices. The next characters depends on the device driver and the fact
which schema matches first.

* o<index>[n<phys_port_name>|d<dev_port>] — devices on board

* s<slot>[f<function>][n<phys_port_name>|d<dev_port>] — device by hotplug id

* [P<domain>]p<bus>s<slot>[f<function>][n<phys_port_name>|d<dev_port>] — devices by bus id

* x<MAC> — device by MAC address

The most common patterns are:

* eno1 — is the first on board NIC

* enp3s0f1 — is the NIC on pcibus 3 slot 0 and use the NIC function 1.

For more information see https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/[Predictable Network Interface Names].


Default Configuration using a Bridge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The installation program creates a single bridge named `vmbr0`, which
is connected to the first Ethernet card. The corresponding
configuration in `/etc/network/interfaces` might look like this:

----
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.2
        netmask 255.255.255.0
        gateway 192.168.10.1
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0
----

Virtual machines behave as if they were directly connected to the
physical network. The network, in turn, sees each virtual machine as
having its own MAC, even though there is only one network cable
connecting all of these VMs to the network.


Routed Configuration
~~~~~~~~~~~~~~~~~~~~

Most hosting providers do not support the above setup. For security
reasons, they disable networking as soon as they detect multiple MAC
addresses on a single interface.

TIP: Some providers allows you to register additional MACs on there
management interface. This avoids the problem, but is clumsy to
configure because you need to register a MAC for each of your VMs.

You can avoid the problem by ``routing'' all traffic via a single
interface. This makes sure that all network packets use the same MAC
address.

A common scenario is that you have a public IP (assume `192.168.10.2`
for this example), and an additional IP block for your VMs
(`10.10.10.1/255.255.255.0`). We recommend the following setup for such
situations:

----
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
        address  192.168.10.2
        netmask  255.255.255.0
        gateway  192.168.10.1
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp


auto vmbr0
iface vmbr0 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
----


Masquerading (NAT) with `iptables`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In some cases you may want to use private IPs behind your Proxmox
host's true IP, and masquerade the traffic using NAT:

----
auto lo
iface lo inet loopback

auto eno0
#real IP address
iface eno1 inet static
        address  192.168.10.2
        netmask  255.255.255.0
        gateway  192.168.10.1

auto vmbr0
#private sub network
iface vmbr0 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
----


Linux Bond
~~~~~~~~~~

Bonding (also called NIC teaming or Link Aggregation) is a technique
for binding multiple NIC's to a single network device.  It is possible
to achieve different goals, like make the network fault-tolerant,
increase the performance or both together.

High-speed hardware like Fibre Channel and the associated switching
hardware can be quite expensive. By doing link aggregation, two NICs
can appear as one logical interface, resulting in double speed. This
is a native Linux kernel feature that is supported by most
switches. If your nodes have multiple Ethernet ports, you can
distribute your points of failure by running network cables to
different switches and the bonded connection will failover to one
cable or the other in case of network trouble.

Aggregated links can improve live-migration delays and improve the
speed of replication of data between Proxmox VE Cluster nodes.

There are 7 modes for bonding:

* *Round-robin (balance-rr):* Transmit network packets in sequential
order from the first available network interface (NIC) slave through
the last. This mode provides load balancing and fault tolerance.

* *Active-backup (active-backup):* Only one NIC slave in the bond is
active. A different slave becomes active if, and only if, the active
slave fails. The single logical bonded interface's MAC address is
externally visible on only one NIC (port) to avoid distortion in the
network switch. This mode provides fault tolerance.

* *XOR (balance-xor):* Transmit network packets based on [(source MAC
address XOR'd with destination MAC address) modulo NIC slave
count]. This selects the same NIC slave for each destination MAC
address. This mode provides load balancing and fault tolerance.

* *Broadcast (broadcast):* Transmit network packets on all slave
network interfaces. This mode provides fault tolerance.

* *IEEE 802.3ad Dynamic link aggregation (802.3ad)(LACP):* Creates
aggregation groups that share the same speed and duplex
settings. Utilizes all slave network interfaces in the active
aggregator group according to the 802.3ad specification.

* *Adaptive transmit load balancing (balance-tlb):* Linux bonding
driver mode that does not require any special network-switch
support. The outgoing network packet traffic is distributed according
to the current load (computed relative to the speed) on each network
interface slave. Incoming traffic is received by one currently
designated slave network interface. If this receiving slave fails,
another slave takes over the MAC address of the failed receiving
slave.

* *Adaptive load balancing (balance-alb):* Includes balance-tlb plus receive
load balancing (rlb) for IPV4 traffic, and does not require any
special network switch support. The receive load balancing is achieved
by ARP negotiation. The bonding driver intercepts the ARP Replies sent
by the local system on their way out and overwrites the source
hardware address with the unique hardware address of one of the NIC
slaves in the single logical bonded interface such that different
network-peers use different MAC addresses for their network packet
traffic.

If your switch support the LACP (IEEE 802.3ad) protocol then we recommend using
the corresponding bonding mode (802.3ad). Otherwise you should generally use the 
active-backup mode. +
// http://lists.linux-ha.org/pipermail/linux-ha/2013-January/046295.html
If you intend to run your cluster network on the bonding interfaces, then you
have to use active-passive mode on the bonding interfaces, other modes are
unsupported.

The following bond configuration can be used as distributed/shared
storage network. The benefit would be that you get more speed and the
network will be fault-tolerant.

.Example: Use bond with fixed IP address
----
auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto bond0
iface bond0 inet static
      slaves eno1 eno2
      address  192.168.1.2
      netmask  255.255.255.0
      bond_miimon 100
      bond_mode 802.3ad
      bond_xmit_hash_policy layer2+3

auto vmbr0
iface vmbr0 inet static
        address  10.10.10.2
        netmask  255.255.255.0
        gateway  10.10.10.1
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0

----


Another possibility it to use the bond directly as bridge port.
This can be used to make the guest network fault-tolerant.

.Example: Use a bond as bridge port
----
auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

auto bond0
iface bond0 inet manual
      slaves eno1 eno2
      bond_miimon 100
      bond_mode 802.3ad
      bond_xmit_hash_policy layer2+3

auto vmbr0
iface vmbr0 inet static
        address  10.10.10.2
        netmask  255.255.255.0
        gateway  10.10.10.1
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0

----

////
TODO: explain IPv6 support?
TODO: explain OVS
////
Commit	Line	Data
80c0adcb	1	[[sysadmin_network_configuration]]
0bcd1f7f DM	2	Network Configuration
0bcd1f7f DM	3	---------------------
5f09af76 DM	4	ifdef::wiki[]
	5	:pve-toplevel:
	6	endif::wiki[]
	7
0bcd1f7f DM	8	{pve} uses a bridged networking model. Each host can have up to 4094
	9	bridges. Bridges are like physical network switches implemented in
	10	software. All VMs can share a single bridge, as if
	11	virtual network cables from each guest were all plugged into the same
	12	switch. But you can also create multiple bridges to separate network
	13	domains.
	14
	15	For connecting VMs to the outside world, bridges are attached to
	16	physical network cards. For further flexibility, you can configure
	17	VLANs (IEEE 802.1q) and network bonding, also known as "link
	18	aggregation". That way it is possible to build complex and flexible
	19	virtual networks.
	20
8c1189b6 FG	21	Debian traditionally uses the `ifup` and `ifdown` commands to
8c1189b6 FG	22	configure the network. The file `/etc/network/interfaces` contains the
44f38275	23	whole network setup. Please refer to the manual page (`man interfaces`)
0bcd1f7f DM	24	for a complete format description.
	25
	26	NOTE: {pve} does not write changes directly to
8c1189b6 FG	27	`/etc/network/interfaces`. Instead, we write into a temporary file
8c1189b6 FG	28	called `/etc/network/interfaces.new`, and commit those changes when
0bcd1f7f DM	29	you reboot the node.
	30
	31	It is worth mentioning that you can directly edit the configuration
	32	file. All {pve} tools tries hard to keep such direct user
	33	modifications. Using the GUI is still preferable, because it
	34	protect you from errors.
	35
5eba0743	36
0bcd1f7f DM	37	Naming Conventions
	38	~~~~~~~~~~~~~~~~~~
	39
	40	We currently use the following naming conventions for device names:
	41
7a0d4784 WL	42	* New Ethernet devices: en*, systemd network interface names.
7a0d4784 WL	43
cc3cb912	44	* Legacy Ethernet devices: eth[N], where 0 ≤ N (`eth0`, `eth1`, ...)
7a0d4784	45	They are available when Proxmox VE has been updated by an earlier version.
0bcd1f7f DM	46
	47	* Bridge names: vmbr[N], where 0 ≤ N ≤ 4094 (`vmbr0` - `vmbr4094`)
	48
	49	* Bonds: bond[N], where 0 ≤ N (`bond0`, `bond1`, ...)
	50
	51	* VLANs: Simply add the VLAN number to the device name,
7a0d4784	52	separated by a period (`eno1.50`, `bond1.30`)
0bcd1f7f DM	53
	54	This makes it easier to debug networks problems, because the device
	55	names implies the device type.
	56
cc3cb912	57
7a0d4784 WL	58	Systemd Network Interface Names
	59	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
	60
8116dea5 DM	61	Systemd uses the two character prefix 'en' for Ethernet network
8116dea5 DM	62	devices. The next characters depends on the device driver and the fact
cc3cb912	63	which schema matches first.
7a0d4784 WL	64
	65	* o<index>[n<phys_port_name>\|d<dev_port>] — devices on board
	66
	67	* s<slot>[f<function>][n<phys_port_name>\|d<dev_port>] — device by hotplug id
	68
	69	* [P<domain>]p<bus>s<slot>[f<function>][n<phys_port_name>\|d<dev_port>] — devices by bus id
	70
	71	* x<MAC> — device by MAC address
	72
cc3cb912	73	The most common patterns are:
7a0d4784 WL	74
	75	* eno1 — is the first on board NIC
	76
	77	* enp3s0f1 — is the NIC on pcibus 3 slot 0 and use the NIC function 1.
	78
cc3cb912 DM	79	For more information see https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/[Predictable Network Interface Names].
cc3cb912 DM	80
7a0d4784	81
0bcd1f7f DM	82	Default Configuration using a Bridge
	83	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	84
	85	The installation program creates a single bridge named `vmbr0`, which
04e8476d EK	86	is connected to the first Ethernet card. The corresponding
04e8476d EK	87	configuration in `/etc/network/interfaces` might look like this:
0bcd1f7f DM	88
	89	----
	90	auto lo
	91	iface lo inet loopback
	92
7a0d4784	93	iface eno1 inet manual
0bcd1f7f DM	94
	95	auto vmbr0
	96	iface vmbr0 inet static
	97	address 192.168.10.2
	98	netmask 255.255.255.0
	99	gateway 192.168.10.1
7a0d4784	100	bridge_ports eno1
0bcd1f7f DM	101	bridge_stp off
	102	bridge_fd 0
	103	----
	104
	105	Virtual machines behave as if they were directly connected to the
	106	physical network. The network, in turn, sees each virtual machine as
	107	having its own MAC, even though there is only one network cable
	108	connecting all of these VMs to the network.
	109
	110
	111	Routed Configuration
	112	~~~~~~~~~~~~~~~~~~~~
	113
	114	Most hosting providers do not support the above setup. For security
	115	reasons, they disable networking as soon as they detect multiple MAC
	116	addresses on a single interface.
	117
	118	TIP: Some providers allows you to register additional MACs on there
	119	management interface. This avoids the problem, but is clumsy to
	120	configure because you need to register a MAC for each of your VMs.
	121
8c1189b6	122	You can avoid the problem by ``routing'' all traffic via a single
0bcd1f7f DM	123	interface. This makes sure that all network packets use the same MAC
	124	address.
	125
8c1189b6	126	A common scenario is that you have a public IP (assume `192.168.10.2`
0bcd1f7f	127	for this example), and an additional IP block for your VMs
8c1189b6	128	(`10.10.10.1/255.255.255.0`). We recommend the following setup for such
0bcd1f7f DM	129	situations:
	130
	131	----
	132	auto lo
	133	iface lo inet loopback
	134
7a0d4784 WL	135	auto eno1
7a0d4784 WL	136	iface eno1 inet static
0bcd1f7f DM	137	address 192.168.10.2
	138	netmask 255.255.255.0
	139	gateway 192.168.10.1
1ed90852	140	post-up echo 1 > /proc/sys/net/ipv4/ip_forward
7a0d4784	141	post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp
0bcd1f7f DM	142
	143
	144	auto vmbr0
	145	iface vmbr0 inet static
	146	address 10.10.10.1
	147	netmask 255.255.255.0
	148	bridge_ports none
	149	bridge_stp off
	150	bridge_fd 0
	151	----
	152
	153
8c1189b6 FG	154	Masquerading (NAT) with `iptables`
8c1189b6 FG	155	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0bcd1f7f DM	156
	157	In some cases you may want to use private IPs behind your Proxmox
	158	host's true IP, and masquerade the traffic using NAT:
	159
	160	----
	161	auto lo
	162	iface lo inet loopback
	163
7a0d4784	164	auto eno0
470d4313	165	#real IP address
7a0d4784	166	iface eno1 inet static
0bcd1f7f DM	167	address 192.168.10.2
	168	netmask 255.255.255.0
	169	gateway 192.168.10.1
	170
	171	auto vmbr0
	172	#private sub network
	173	iface vmbr0 inet static
	174	address 10.10.10.1
	175	netmask 255.255.255.0
	176	bridge_ports none
	177	bridge_stp off
	178	bridge_fd 0
	179
	180	post-up echo 1 > /proc/sys/net/ipv4/ip_forward
7a0d4784 WL	181	post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
7a0d4784 WL	182	post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
0bcd1f7f DM	183	----
0bcd1f7f DM	184
b4c06a93 WL	185
	186	Linux Bond
	187	~~~~~~~~~~
	188
3eafe338 WL	189	Bonding (also called NIC teaming or Link Aggregation) is a technique
	190	for binding multiple NIC's to a single network device. It is possible
	191	to achieve different goals, like make the network fault-tolerant,
	192	increase the performance or both together.
	193
	194	High-speed hardware like Fibre Channel and the associated switching
	195	hardware can be quite expensive. By doing link aggregation, two NICs
	196	can appear as one logical interface, resulting in double speed. This
	197	is a native Linux kernel feature that is supported by most
	198	switches. If your nodes have multiple Ethernet ports, you can
	199	distribute your points of failure by running network cables to
	200	different switches and the bonded connection will failover to one
	201	cable or the other in case of network trouble.
	202
	203	Aggregated links can improve live-migration delays and improve the
	204	speed of replication of data between Proxmox VE Cluster nodes.
b4c06a93 WL	205
	206	There are 7 modes for bonding:
	207
	208	* Round-robin (balance-rr): Transmit network packets in sequential
	209	order from the first available network interface (NIC) slave through
	210	the last. This mode provides load balancing and fault tolerance.
	211
	212	* Active-backup (active-backup): Only one NIC slave in the bond is
	213	active. A different slave becomes active if, and only if, the active
	214	slave fails. The single logical bonded interface's MAC address is
	215	externally visible on only one NIC (port) to avoid distortion in the
	216	network switch. This mode provides fault tolerance.
	217
	218	* XOR (balance-xor): Transmit network packets based on [(source MAC
	219	address XOR'd with destination MAC address) modulo NIC slave
	220	count]. This selects the same NIC slave for each destination MAC
	221	address. This mode provides load balancing and fault tolerance.
	222
	223	* Broadcast (broadcast): Transmit network packets on all slave
	224	network interfaces. This mode provides fault tolerance.
	225
	226	* IEEE 802.3ad Dynamic link aggregation (802.3ad)(LACP): Creates
	227	aggregation groups that share the same speed and duplex
	228	settings. Utilizes all slave network interfaces in the active
	229	aggregator group according to the 802.3ad specification.
	230
	231	* Adaptive transmit load balancing (balance-tlb): Linux bonding
	232	driver mode that does not require any special network-switch
	233	support. The outgoing network packet traffic is distributed according
	234	to the current load (computed relative to the speed) on each network
	235	interface slave. Incoming traffic is received by one currently
	236	designated slave network interface. If this receiving slave fails,
	237	another slave takes over the MAC address of the failed receiving
	238	slave.
	239
e60ce90c	240	* Adaptive load balancing (balance-alb): Includes balance-tlb plus receive
b4c06a93 WL	241	load balancing (rlb) for IPV4 traffic, and does not require any
	242	special network switch support. The receive load balancing is achieved
	243	by ARP negotiation. The bonding driver intercepts the ARP Replies sent
	244	by the local system on their way out and overwrites the source
	245	hardware address with the unique hardware address of one of the NIC
	246	slaves in the single logical bonded interface such that different
	247	network-peers use different MAC addresses for their network packet
	248	traffic.
	249
649098a6 EK	250	If your switch support the LACP (IEEE 802.3ad) protocol then we recommend using
	251	the corresponding bonding mode (802.3ad). Otherwise you should generally use the
	252	active-backup mode. +
	253	// http://lists.linux-ha.org/pipermail/linux-ha/2013-January/046295.html
	254	If you intend to run your cluster network on the bonding interfaces, then you
	255	have to use active-passive mode on the bonding interfaces, other modes are
	256	unsupported.
b4c06a93	257
cd1de2c2 WL	258	The following bond configuration can be used as distributed/shared
	259	storage network. The benefit would be that you get more speed and the
	260	network will be fault-tolerant.
	261
b4c06a93 WL	262	.Example: Use bond with fixed IP address
	263	----
	264	auto lo
	265	iface lo inet loopback
	266
7a0d4784	267	iface eno1 inet manual
b4c06a93	268
7a0d4784	269	iface eno2 inet manual
b4c06a93 WL	270
	271	auto bond0
	272	iface bond0 inet static
7a0d4784	273	slaves eno1 eno2
b4c06a93 WL	274	address 192.168.1.2
	275	netmask 255.255.255.0
	276	bond_miimon 100
	277	bond_mode 802.3ad
	278	bond_xmit_hash_policy layer2+3
	279
	280	auto vmbr0
	281	iface vmbr0 inet static
	282	address 10.10.10.2
	283	netmask 255.255.255.0
7ea42266	284	gateway 10.10.10.1
7a0d4784	285	bridge_ports eno1
b4c06a93 WL	286	bridge_stp off
	287	bridge_fd 0
	288
	289	----
	290
cd1de2c2 WL	291
	292	Another possibility it to use the bond directly as bridge port.
	293	This can be used to make the guest network fault-tolerant.
	294
	295	.Example: Use a bond as bridge port
b4c06a93 WL	296	----
	297	auto lo
	298	iface lo inet loopback
	299
7a0d4784	300	iface eno1 inet manual
b4c06a93	301
7a0d4784	302	iface eno2 inet manual
b4c06a93 WL	303
b4c06a93 WL	304	auto bond0
470d4313	305	iface bond0 inet manual
7a0d4784	306	slaves eno1 eno2
b4c06a93 WL	307	bond_miimon 100
	308	bond_mode 802.3ad
	309	bond_xmit_hash_policy layer2+3
	310
	311	auto vmbr0
	312	iface vmbr0 inet static
	313	address 10.10.10.2
	314	netmask 255.255.255.0
7ea42266	315	gateway 10.10.10.1
b4c06a93 WL	316	bridge_ports bond0
	317	bridge_stp off
	318	bridge_fd 0
	319
	320	----
	321
0bcd1f7f DM	322	////
0bcd1f7f DM	323	TODO: explain IPv6 support?
470d4313	324	TODO: explain OVS
0bcd1f7f	325	////