maybe to begin with something simple, can we try to implement a simple bridge plugin + s-nat

bridge: tenantnetwork1
    gateway_address 10.0.1.1/24
    gateway_macaddress a2:ed:21:06:e7:48
    gateway_node
    vlan 1 (optional)
    snat 1

and try to generate the s-nat rules on gateway_node

iptables -t nat -A POSTROUTING -s '10.0.1.0/24' -o eth0 -j MASQUERADE
(or maybe better : iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to-source public ip)

and also firewall bridge rules if the vm is on the same node as the gateway

#iptables -t raw -A PREROUTING -i fwbr100i0 -j CT --zone 1

and try to implement failover of the gateway

----- Original Message -----
From: "Alexandre Derumier" <aderum...@odiso.com>
To: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday 24 January 2018 11:03:12
Subject: Re: [pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

> I think it doesn't break the current model, as the firewall is done on the
> fwbr between the vmbr and the tap interface.

>>not a problem then (if it works).

>>>I'll test today.

Just tested, it's working fine.

----- Original Message -----
From: "aderumier" <aderum...@odiso.com>
To: "dietmar" <diet...@proxmox.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday 24 January 2018 09:56:56
Subject: Re: [pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

>>I just think there are many ways to provide that interconnect layer,
>>basically
>>any VPN or SDN solution?

yes, generally SDN solutions have their own gateway system, to interconnect virtual and physical world.

openvswitch ovn : http://docs.openvswitch.org/en/latest/topics/high-availability/
opencontrail: http://www.opencontrail.org/category/Gateway/
vmware nsx edge: https://pubs.vmware.com/NSX-6/index.jsp?topic=%2Fcom.vmware.nsx.admin.doc%2FGUID-3F96DECE-33FB-43EE-88D7-124A730830A4.html

In this case, you need an sdn controller somewhere, and manage it with api.

If we want to use linux stack, we need to implement this by ourselves with vxlan/iptables nat/dhcp (and proxmox cluster is the sdn "controller")
(With plugins, I think it can be done, as it's almost the same for all kinds of sdn : manage gateway, manage nat, s-nat, dhcp,....)

Personally, I'm more to focus on linux stack first to have something working without external controller.

> I think it doesn't break the current model, as the firewall is done on the
> fwbr between the vmbr and the tap interface.

>>not a problem then (if it works).

I'll test today.

----- Original Message -----
From: "dietmar" <diet...@proxmox.com>
To: "aderumier" <aderum...@odiso.com>
Cc: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday 24 January 2018 09:21:54
Subject: Re: [pve-devel] proxmox 2018 : add support for "virtual" network and network plugins ?

> >>Besides, I would start with something simpler than that. Maybe a virtual
> >>network with NAT...
>
> If you want something simpler (so without vxlan-evpnbgp, or anycast gateway),
> the only way is to manage central "network node" which handle
> nat,s-nat,dhcp,..,
> like classic openstack model. (and need to manage failover)
>

I just think there are many ways to provide that interconnect layer, basically any VPN or SDN solution?

> >>We need to make sure that we can provide firewall service for those
> >>'virtual' networks.
>
> I think it doesn't break the current model, as the firewall is done on the
> fwbr between the vmbr and the tap interface.

not a problem then (if it works).

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
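
The s-nat rule generation proposed in the first message of this thread, sketched as an added example; it is not code from the thread or from Proxmox. The function names, the parameters (`local_node`, `out_if`, `public_ip`, `fwbr_if`, `ct_zone`), the `gateway_node` value `node1` and the one-key-per-line layout of the section are assumptions. Values taken from configuration are validated and returned as argument lists, so they never pass through a shell.

```python
import ipaddress
import re

# Constructed sample in the layout proposed in the thread; "node1" is made up.
SAMPLE = """\
bridge: tenantnetwork1
    gateway_address 10.0.1.1/24
    gateway_macaddress a2:ed:21:06:e7:48
    gateway_node node1
    vlan 1
    snat 1
"""
# Conservative allow-list for interface names (Linux limit is 15 characters).
IFNAME = re.compile(r"[A-Za-z0-9_.-]{1,15}")

def parse_bridge(text):
    """Parse one 'bridge: <id>' section into a dict (hypothetical format)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    kind, _, ident = lines[0].partition(":")
    if kind != "bridge" or not ident.strip():
        raise ValueError("expected 'bridge: <id>' header")
    cfg = {"id": ident.strip()}
    for line in lines[1:]:
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg

def snat_rules(cfg, local_node, out_if, public_ip=None, fwbr_if=None, ct_zone=1):
    """Return iptables argv lists; empty unless this node is the s-nat gateway."""
    if cfg.get("snat") != "1" or cfg.get("gateway_node") != local_node:
        return []
    for name in filter(None, (out_if, fwbr_if)):
        if not IFNAME.fullmatch(name):
            raise ValueError(f"bad interface name: {name!r}")
    # strict=False: gateway_address is a host address inside the tenant subnet
    net = ipaddress.ip_network(cfg["gateway_address"], strict=False)
    rule = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", str(net), "-o", out_if]
    if public_ip:  # fixed source address, the "maybe better" variant in the thread
        rule += ["-j", "SNAT", "--to-source", str(ipaddress.ip_address(public_ip))]
    else:
        rule += ["-j", "MASQUERADE"]
    rules = [rule]
    if fwbr_if:  # VM on the gateway node: conntrack zone on its firewall bridge
        rules.append(["iptables", "-t", "raw", "-A", "PREROUTING", "-i", fwbr_if,
                      "-j", "CT", "--zone", str(int(ct_zone))])
    return rules

if __name__ == "__main__":
    for argv in snat_rules(parse_bridge(SAMPLE), "node1", "eth0", fwbr_if="fwbr100i0"):
        print(" ".join(argv))  # argv lists can go to subprocess.run() with no shell
```

For gateway failover, the same call on a standby node returns an empty list until `gateway_node` names that node.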