[ovirt-users] Firewall GARP not reachable to VM
Hi all,

Does anyone know how I can allow my Firewall VM cluster to act as the default gateway to VMs within the same network?

I've configured the GARP functionality on the OPNSENSE firewalls (PFSENSE fork). VMs within the same network can ping the firewall IP addresses successfully but not the GARP IP. The ovirt network has been configured with the MAC Address Anti-spoofing set to false. One firewall has been configured with virtio network drivers and the other with e1000, both exhibiting the same behavior. Currently all VMs have been configured with the primary firewall as their default gateway.

Network workarounds using BGP and attributes can work, but are way too complicated to streamline for all VMs when a simple VRRP can do the job.

Any ideas what I am missing?

___
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/JL25NRQOTDQKKEKMLFGXFSEFNMG6SEBE/

[ovirt-users] Re: Cannot forward traffic through VXLAN
> On Thu, Dec 12, 2019 at 4:27 PM
>
> Not external logical networks, with vNIC profiles, have no network filter
> during the VM is started (or the vNIC is hotplugged),
> allows any MAC address. This works without any hook required.
> In most simple flow for a lab would be to remove the network filter from
> ovirtmgmt, attach ovirtmgmt to a VM and boot the VM.

Well, this is where theory contradicts practice... Based on what you say, layer 2 frames would traverse the VM Network bridge and reach the VyOS vnic, which they do not. Layer 2 frames are dropped after leaving the VM and before reaching the VyOS vnic. In theory, if the VM bridge did not know where they should be forwarded, it should broadcast them to all attached ports, which again is not being done. So I am not sure if it is a bug, or a feature...

> As I wrote above, layer 2 tunneling from one VM to another should work.
> Are you forced to extend the network on layer 2? If not,
> two VMs connected by a tunnel or a VPN might be more straight and would
> even limit layer 2 broadcasts.

I agree Layer 3 would be the best way forward, but we need layer 2 extension since the firewalls require it for high availability as well, and we need pcsd VIPs attached to monitored services to have high availability.

[ovirt-users] Re: Cannot forward traffic through VXLAN
> On Thu, Dec 12, 2019 at 11:29 AM
>
> I see.
> This will create an external OVN network.
> As far as I know, OVN networks do not allow mac spoofing, even if port
> security is disabled.

I have installed the vdsm hook to allow both promiscuous and mac-spoofing and have the same experience. So is it safe to assume that this cannot be supported in ovirt?

> Are you able to use physical networks (oVirt logical network with VM
> networking, optional VLAN tag, but not external)
> to connect the oVirt VMs?

I can connect to VMs through the internet and IPSEC, but I wanted to extend them. Do you know of any other way I can extend a VM network from ovirt to another hypervisor? Any idea will help. I appreciate the assistance so far.

[ovirt-users] Re: Cannot forward traffic through VXLAN
> On Wed, Dec 11, 2019 at 5:31 PM
> Is VyOS installed on the host, or in a VM?

VyOS is installed on the ovirt node.

> Does this mean that the VyOS VM on oVirt should forward layer 2 traffic to
> the VyOS VM on proxmox?
> Is there a way to share a VLAN? (This would avoid additional tunneling.)
> Can you please share some details?

The VLAN approach is not feasible, unfortunately. The VyOS VM on oVirt should forward Layer 2 traffic over the ovirtmgmt network. So from oVirt's perspective there is no tunneling.

> If VyOS is a VM on oVirt, network filtering should be disabled on the vNIC
> profile which sends and
> receives the unencapsulated traffic, before the oVirt VM is booted.

I have disabled all filters on the VM Network by selecting Network Port Security: Disabled.

> Don't understand.

I have created a VM Network with no filters on ovirt named auth_net with the following parameters:

1. VM Network, check
2. MTU, custom 2000
3. Create on external provider, check
   3a. External provider: ovirt-provider-ovn
   3b. Network Port Security: Disabled

This is done so as to allow me to attach VMs to this network. I have attached 3 VMs on this VM Network:

- A firewall with IP e.g. 10.0.0.1
- The VyOS VM
- An LDAP VM with IP e.g. 10.0.0.5

The VyOS VM is attached to auth_net with no IP address and with L2TPv3 via ovirtmgmt, so as to get the VM network Layer 2 traffic and forward it to the proxmox network through the VyOS routers.

Even though I have not created any network filters, traffic from the LDAP Auth server is dropped before reaching the VyOS VM. TCPDUMP on the LDAP VM shows traffic leaving the LDAP VM. TCPDUMP on the VyOS VM does not show traffic reaching the vnic.

[ovirt-users] Re: Cannot forward traffic through VXLAN
We currently have 2 bare metals. One holds the ovirt and the other proxmox. To enable high availability and config sync on the proxmox hosted VMs we have deployed VyOS on both hypervisors. We then use L2TPv3 to extend VM networks from proxmox to ovirt and vice versa. When that was finalized and all VMs were activated in ovirt, we would delete proxmox and deploy ovirt and re-do the same thing so as to re-enable VM high availability.

The issue is that VM Networks drop traffic towards the VyOS VM even though we have enabled mac-spoofing and promiscuous on the VM custom properties. The VM Networks must drop frames for destination MAC addresses not directly hosted on it and I don't know how to disable/bypass that.

[ovirt-users] Cannot forward traffic through VXLAN
Hi all,

I have a VM network created with some hosts and I have included a vyos router acting as a Layer 2 extension to another hypervisor through VXLAN. I can see traffic reaching VMs from the other hypervisor to the ovirt hosted VMs. I can see traffic leaving the VMs hosted on the ovirt hypervisor. However, I do not see return traffic reaching the vyos VXLAN hosted on ovirt.

I believe the VM network drops return traffic based on the destination MAC address. However, I have created the VM Network with security disabled.

Can you please assist on how to troubleshoot?