1 [[sysadmin_network_configuration]]
8 Network configuration can be done either via the GUI, or by manually
9 editing the file `/etc/network/interfaces`, which contains the
10 whole network configuration. The `interfaces(5)` manual page contains the
11 complete format description. All {pve} tools try hard to keep direct
12 user modifications, but using the GUI is still preferable, because it
13 protects you from errors.
18 {pve} does not write changes directly to `/etc/network/interfaces`. Instead, we
19 write into a temporary file called `/etc/network/interfaces.new`, this way you
20 can do many related changes at once. This also allows to ensure your changes
21 are correct before applying, as a wrong network configuration may render a node
27 With the default installed `ifupdown` network managing package you need to
28 reboot to commit any pending network changes. Most of the time, the basic {pve}
29 network setup is stable and does not change often, so rebooting should not be
32 Reload Network with ifupdown2
33 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
35 With the optional `ifupdown2` network managing package you also can reload the
36 network configuration live, without requiring a reboot.
38 Since {pve} 6.1 you can apply pending network changes over the web-interface,
39 using the 'Apply Configuration' button in the 'Network' panel of a node.
41 To install 'ifupdown2' ensure you have the latest {pve} updates installed, then
43 WARNING: installing 'ifupdown2' will remove 'ifupdown', but as the removal
44 scripts of 'ifupdown' before version '0.8.35+pve1' have a issue where network
45 is fully stopped on removal footnote:[Introduced with Debian Buster:
46 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945877] you *must* ensure
47 that you have a up to date 'ifupdown' package version.
49 For the installation itself you can then simply do:
53 With that you're all set. You can also switch back to the 'ifupdown' variant at
54 any time, if you run into issues.
59 We currently use the following naming conventions for device names:
61 * Ethernet devices: en*, systemd network interface names. This naming scheme is
62 used for new {pve} installations since version 5.0.
64 * Ethernet devices: eth[N], where 0 ≤ N (`eth0`, `eth1`, ...) This naming
65 scheme is used for {pve} hosts which were installed before the 5.0
66 release. When upgrading to 5.0, the names are kept as-is.
68 * Bridge names: vmbr[N], where 0 ≤ N ≤ 4094 (`vmbr0` - `vmbr4094`)
70 * Bonds: bond[N], where 0 ≤ N (`bond0`, `bond1`, ...)
72 * VLANs: Simply add the VLAN number to the device name,
73 separated by a period (`eno1.50`, `bond1.30`)
75 This makes it easier to debug networks problems, because the device
76 name implies the device type.
78 Systemd Network Interface Names
79 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
81 Systemd uses the two character prefix 'en' for Ethernet network
82 devices. The next characters depends on the device driver and the fact
83 which schema matches first.
85 * o<index>[n<phys_port_name>|d<dev_port>] — devices on board
87 * s<slot>[f<function>][n<phys_port_name>|d<dev_port>] — device by hotplug id
89 * [P<domain>]p<bus>s<slot>[f<function>][n<phys_port_name>|d<dev_port>] — devices by bus id
91 * x<MAC> — device by MAC address
93 The most common patterns are:
95 * eno1 — is the first on board NIC
97 * enp3s0f1 — is the NIC on pcibus 3 slot 0 and use the NIC function 1.
99 For more information see https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/[Predictable Network Interface Names].
101 Choosing a network configuration
102 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
104 Depending on your current network organization and your resources you can
105 choose either a bridged, routed, or masquerading networking setup.
107 {pve} server in a private LAN, using an external gateway to reach the internet
108 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
110 The *Bridged* model makes the most sense in this case, and this is also
111 the default mode on new {pve} installations.
112 Each of your Guest system will have a virtual interface attached to the
113 {pve} bridge. This is similar in effect to having the Guest network card
114 directly connected to a new switch on your LAN, the {pve} host playing the role
117 {pve} server at hosting provider, with public IP ranges for Guests
118 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
120 For this setup, you can use either a *Bridged* or *Routed* model, depending on
121 what your provider allows.
123 {pve} server at hosting provider, with a single public IP address
124 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
126 In that case the only way to get outgoing network accesses for your guest
127 systems is to use *Masquerading*. For incoming network access to your guests,
128 you will need to configure *Port Forwarding*.
130 For further flexibility, you can configure
131 VLANs (IEEE 802.1q) and network bonding, also known as "link
132 aggregation". That way it is possible to build complex and flexible
135 Default Configuration using a Bridge
136 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
138 [thumbnail="default-network-setup-bridge.svg"]
139 Bridges are like physical network switches implemented in software.
140 All virtual guests can share a single bridge, or you can create multiple
141 bridges to separate network domains. Each host can have up to 4094 bridges.
143 The installation program creates a single bridge named `vmbr0`, which
144 is connected to the first Ethernet card. The corresponding
145 configuration in `/etc/network/interfaces` might look like this:
149 iface lo inet loopback
151 iface eno1 inet manual
154 iface vmbr0 inet static
155 address 192.168.10.2/24
162 Virtual machines behave as if they were directly connected to the
163 physical network. The network, in turn, sees each virtual machine as
164 having its own MAC, even though there is only one network cable
165 connecting all of these VMs to the network.
170 Most hosting providers do not support the above setup. For security
171 reasons, they disable networking as soon as they detect multiple MAC
172 addresses on a single interface.
174 TIP: Some providers allow you to register additional MACs through their
175 management interface. This avoids the problem, but can be clumsy to
176 configure because you need to register a MAC for each of your VMs.
178 You can avoid the problem by ``routing'' all traffic via a single
179 interface. This makes sure that all network packets use the same MAC
182 [thumbnail="default-network-setup-routed.svg"]
183 A common scenario is that you have a public IP (assume `198.51.100.5`
184 for this example), and an additional IP block for your VMs
185 (`203.0.113.16/28`). We recommend the following setup for such
190 iface lo inet loopback
193 iface eno0 inet static
194 address 198.51.100.5/29
196 post-up echo 1 > /proc/sys/net/ipv4/ip_forward
197 post-up echo 1 > /proc/sys/net/ipv4/conf/eno0/proxy_arp
201 iface vmbr0 inet static
202 address 203.0.113.17/28
209 Masquerading (NAT) with `iptables`
210 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
212 Masquerading allows guests having only a private IP address to access the
213 network by using the host IP address for outgoing traffic. Each outgoing
214 packet is rewritten by `iptables` to appear as originating from the host,
215 and responses are rewritten accordingly to be routed to the original sender.
219 iface lo inet loopback
223 iface eno1 inet static
224 address 198.51.100.5/24
229 iface vmbr0 inet static
230 address 10.10.10.1/24
235 post-up echo 1 > /proc/sys/net/ipv4/ip_forward
236 post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
237 post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
240 NOTE: In some masquerade setups with firewall enabled, conntrack zones might be
241 needed for outgoing connections. Otherwise the firewall could block outgoing
242 connections since they will prefer the `POSTROUTING` of the VM bridge (and not
245 Adding these lines in the `/etc/network/interfaces` can fix this problem:
248 post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
249 post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
252 For more information about this, refer to the following links:
254 https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg[Netfilter Packet Flow]
256 https://lwn.net/Articles/370152/[Patch on netdev-list introducing conntrack zones]
258 https://blog.lobraun.de/2019/05/19/prox/[Blog post with a good explanation by using TRACE in the raw table]
265 Bonding (also called NIC teaming or Link Aggregation) is a technique
266 for binding multiple NIC's to a single network device. It is possible
267 to achieve different goals, like make the network fault-tolerant,
268 increase the performance or both together.
270 High-speed hardware like Fibre Channel and the associated switching
271 hardware can be quite expensive. By doing link aggregation, two NICs
272 can appear as one logical interface, resulting in double speed. This
273 is a native Linux kernel feature that is supported by most
274 switches. If your nodes have multiple Ethernet ports, you can
275 distribute your points of failure by running network cables to
276 different switches and the bonded connection will failover to one
277 cable or the other in case of network trouble.
279 Aggregated links can improve live-migration delays and improve the
280 speed of replication of data between Proxmox VE Cluster nodes.
282 There are 7 modes for bonding:
284 * *Round-robin (balance-rr):* Transmit network packets in sequential
285 order from the first available network interface (NIC) slave through
286 the last. This mode provides load balancing and fault tolerance.
288 * *Active-backup (active-backup):* Only one NIC slave in the bond is
289 active. A different slave becomes active if, and only if, the active
290 slave fails. The single logical bonded interface's MAC address is
291 externally visible on only one NIC (port) to avoid distortion in the
292 network switch. This mode provides fault tolerance.
294 * *XOR (balance-xor):* Transmit network packets based on [(source MAC
295 address XOR'd with destination MAC address) modulo NIC slave
296 count]. This selects the same NIC slave for each destination MAC
297 address. This mode provides load balancing and fault tolerance.
299 * *Broadcast (broadcast):* Transmit network packets on all slave
300 network interfaces. This mode provides fault tolerance.
302 * *IEEE 802.3ad Dynamic link aggregation (802.3ad)(LACP):* Creates
303 aggregation groups that share the same speed and duplex
304 settings. Utilizes all slave network interfaces in the active
305 aggregator group according to the 802.3ad specification.
307 * *Adaptive transmit load balancing (balance-tlb):* Linux bonding
308 driver mode that does not require any special network-switch
309 support. The outgoing network packet traffic is distributed according
310 to the current load (computed relative to the speed) on each network
311 interface slave. Incoming traffic is received by one currently
312 designated slave network interface. If this receiving slave fails,
313 another slave takes over the MAC address of the failed receiving
316 * *Adaptive load balancing (balance-alb):* Includes balance-tlb plus receive
317 load balancing (rlb) for IPV4 traffic, and does not require any
318 special network switch support. The receive load balancing is achieved
319 by ARP negotiation. The bonding driver intercepts the ARP Replies sent
320 by the local system on their way out and overwrites the source
321 hardware address with the unique hardware address of one of the NIC
322 slaves in the single logical bonded interface such that different
323 network-peers use different MAC addresses for their network packet
326 If your switch support the LACP (IEEE 802.3ad) protocol then we recommend using
327 the corresponding bonding mode (802.3ad). Otherwise you should generally use the
328 active-backup mode. +
329 // http://lists.linux-ha.org/pipermail/linux-ha/2013-January/046295.html
330 If you intend to run your cluster network on the bonding interfaces, then you
331 have to use active-passive mode on the bonding interfaces, other modes are
334 The following bond configuration can be used as distributed/shared
335 storage network. The benefit would be that you get more speed and the
336 network will be fault-tolerant.
338 .Example: Use bond with fixed IP address
341 iface lo inet loopback
343 iface eno1 inet manual
345 iface eno2 inet manual
347 iface eno3 inet manual
350 iface bond0 inet static
351 bond-slaves eno1 eno2
352 address 192.168.1.2/24
355 bond-xmit-hash-policy layer2+3
358 iface vmbr0 inet static
359 address 10.10.10.2/24
368 [thumbnail="default-network-setup-bond.svg"]
369 Another possibility it to use the bond directly as bridge port.
370 This can be used to make the guest network fault-tolerant.
372 .Example: Use a bond as bridge port
375 iface lo inet loopback
377 iface eno1 inet manual
379 iface eno2 inet manual
382 iface bond0 inet manual
383 bond-slaves eno1 eno2
386 bond-xmit-hash-policy layer2+3
389 iface vmbr0 inet static
390 address 10.10.10.2/24
402 A virtual LAN (VLAN) is a broadcast domain that is partitioned and
403 isolated in the network at layer two. So it is possible to have
404 multiple networks (4096) in a physical network, each independent of
407 Each VLAN network is identified by a number often called 'tag'.
408 Network packages are then 'tagged' to identify which virtual network
412 VLAN for Guest Networks
413 ^^^^^^^^^^^^^^^^^^^^^^^
415 {pve} supports this setup out of the box. You can specify the VLAN tag
416 when you create a VM. The VLAN tag is part of the guest network
417 configuration. The networking layer supports different modes to
418 implement VLANs, depending on the bridge configuration:
420 * *VLAN awareness on the Linux bridge:*
421 In this case, each guest's virtual network card is assigned to a VLAN tag,
422 which is transparently supported by the Linux bridge.
423 Trunk mode is also possible, but that makes configuration
424 in the guest necessary.
426 * *"traditional" VLAN on the Linux bridge:*
427 In contrast to the VLAN awareness method, this method is not transparent
428 and creates a VLAN device with associated bridge for each VLAN.
429 That is, creating a guest on VLAN 5 for example, would create two
430 interfaces eno1.5 and vmbr0v5, which would remain until a reboot occurs.
432 * *Open vSwitch VLAN:*
433 This mode uses the OVS VLAN feature.
435 * *Guest configured VLAN:*
436 VLANs are assigned inside the guest. In this case, the setup is
437 completely done inside the guest and can not be influenced from the
438 outside. The benefit is that you can use more than one VLAN on a
445 To allow host communication with an isolated network. It is possible
446 to apply VLAN tags to any network device (NIC, Bond, Bridge). In
447 general, you should configure the VLAN on the interface with the least
448 abstraction layers between itself and the physical NIC.
450 For example, in a default configuration where you want to place
451 the host management address on a separate VLAN.
454 .Example: Use VLAN 5 for the {pve} management IP with traditional Linux bridge
457 iface lo inet loopback
459 iface eno1 inet manual
461 iface eno1.5 inet manual
464 iface vmbr0v5 inet static
465 address 10.10.10.2/24
472 iface vmbr0 inet manual
479 .Example: Use VLAN 5 for the {pve} management IP with VLAN aware Linux bridge
482 iface lo inet loopback
484 iface eno1 inet manual
488 iface vmbr0.5 inet static
489 address 10.10.10.2/24
493 iface vmbr0 inet manual
497 bridge-vlan-aware yes
501 The next example is the same setup but a bond is used to
502 make this network fail-safe.
504 .Example: Use VLAN 5 with bond0 for the {pve} management IP with traditional Linux bridge
507 iface lo inet loopback
509 iface eno1 inet manual
511 iface eno2 inet manual
514 iface bond0 inet manual
515 bond-slaves eno1 eno2
518 bond-xmit-hash-policy layer2+3
520 iface bond0.5 inet manual
523 iface vmbr0v5 inet static
524 address 10.10.10.2/24
531 iface vmbr0 inet manual
538 Disabling IPv6 on the Node
539 ~~~~~~~~~~~~~~~~~~~~~~~~~~
541 {pve} works correctly in all environments, irrespective of whether IPv6 is
542 deployed or not. We recommend leaving all settings at the provided defaults.
544 Should you still need to disable support for IPv6 on your node, do so by
545 creating an appropriate `sysctl.conf (5)` snippet file and setting the proper
546 https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt[sysctls],
547 for example adding `/etc/sysctl.d/disable-ipv6.conf` with content:
550 net.ipv6.conf.all.disable_ipv6 = 1
551 net.ipv6.conf.default.disable_ipv6 = 1
554 This method is preferred to disabling the loading of the IPv6 module on the
555 https://www.kernel.org/doc/Documentation/networking/ipv6.rst[kernel commandline].
558 TODO: explain IPv6 support?