Internet access for Proxmox VXLAN
from jobbies@lemmy.zip to selfhosted@lemmy.world on 30 Jun 22:48
https://lemmy.zip/post/67116631

What is the best way to provide internet access to guests on a Proxmox VXLAN? Is it:

  1. One node (host) in the cluster is the default gateway, and all traffic is routed through it. Sounds clean and simple, but there are multiple layers of jank to get it working, if it works at all.
  2. Have a guest (LXC or VM) on the VXLAN act as a gateway. Give it two NICs, one on the vnet and another on the host's bridge (physical LAN), and route traffic through the second.

My default approach is the first but despite hours of tinkering and forwarding tricks it never works. I’m leaning more to the second but having a dedicated gateway guest seems like a waste of resources - logically the host should be doing it.

And yes, SNAT is enabled 😅

#selfhosted
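A sketch of what option 2 looks like on the gateway guest, added here as an example and not part of the original post or any reply. The interface names (`eth0` on the host bridge, `eth1` on the vnet) and both subnets are assumptions; it also assumes `net.ipv4.ip_forward=1` is set in the guest.

```nftables
#!/usr/sbin/nft -f
# Gateway guest for a VXLAN vnet: outbound NAT only, nothing inbound.
# All names and addresses below are constructed for illustration.
# Needs a kernel and nft recent enough for NAT chains in an inet table.

define LAN_IF   = "eth0"            # NIC on the host bridge (physical LAN)
define VNET_IF  = "eth1"            # NIC on the VXLAN vnet
define VNET_NET = 10.10.10.0/24     # vnet subnet (assumed)
define LAN_NET  = 192.168.1.0/24    # physical LAN subnet (assumed)

# Re-create our own table so reloading is idempotent and leaves
# any other tables on the guest untouched.
table inet vxgw
delete table inet vxgw

table inet vxgw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # VXLAN encapsulation costs 50 bytes, so the vnet usually runs
        # at MTU 1450. Clamp TCP MSS to the route MTU so large transfers
        # do not stall when path MTU discovery is filtered.
        tcp flags syn tcp option maxseg size set rt mtu

        ct state established,related accept
        ct state invalid drop

        # Keep vnet guests off the physical LAN; they only get internet.
        # Remove this rule if guests must reach LAN services.
        iifname $VNET_IF ip saddr $VNET_NET ip daddr $LAN_NET drop

        # New connections are allowed in one direction only: vnet -> out.
        iifname $VNET_IF oifname $LAN_IF ip saddr $VNET_NET accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source-NAT vnet traffic to the gateway's LAN address.
        oifname $LAN_IF ip saddr $VNET_NET masquerade
    }
}
```

Guests on the vnet then use the gateway guest's vnet address as their default route. If the SDN subnet's own SNAT option is also enabled, traffic may be translated twice or leave via the wrong node, so enable only one of the two.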


jbloggs777@discuss.tchncs.de on 30 Jun 23:40

I would also do #1, and I’d probably make it work (loooong time Linux user and persistent debugger).

#2 is probably simpler, both conceptually and technically. NAT and FW config is self-contained, and there are plenty of docs and how-tos.

Note: I’m not a Proxmox user, so there could be some Proxmox-specific spanners… But I doubt it.

Shadow@lemmy.ca on 01 Jul 00:10

#2 with opnsense

jobbies@lemmy.zip on 01 Jul 00:28

Do you use that setup? What made you choose it?

jimmy90@lemmy.world on 02 Jul 01:34

i route all incoming traffic through a tp-link vlan switch to openwrt router in an lxc container to vlan dmz in which all public service traffic is

all the public services and openwrt are running in proxmox lxc containers. all public traffic is trapped in the vlan dmz

pgo_lemmy@feddit.it on 01 Jul 00:36

Proxmox is a virtualization solution: let it do its job and run a VM with OPNsense.

It is simple both from a virtualization and a networking perspective; your hypervisor is ‘hypervisoring’ and the firewall is firewalling, easier to maintain and debug, no custom tinkering required.

If you are at home go with #1, more fun and lots of discoveries; if you have to pay the bills, go with #2, tested, solid, easier to hand off to your colleagues.

jobbies@lemmy.zip on 01 Jul 01:04

> If you are at home go with #1

I’m at home but networking/firewalling does my tits in - #2 for me I think 😅

pgo_lemmy@feddit.it on 01 Jul 01:25

(me too i did #2 at home…)

thenextguy@lemmy.world on 01 Jul 06:45

I’m always uncomfortable doing #2 anywhere but at home.

pgo_lemmy@feddit.it on 01 Jul 23:22

For me it depends on the hw on site; if it is properly set up and in an adequate environment I have no issue anywhere.

Mondez@lemdro.id on 01 Jul 12:08

Of the options I would say 2, but you forgot option 3: have a hardware router handle it and trunk the ports to the Proxmox hosts.

possiblylinux127@lemmy.zip on 01 Jul 21:12

Do you need VXLAN? Unless you are doing something really funky, regular VLANs should work fine. VXLAN is only really useful in very large environments where you want to have layer 2 traffic flow over layer 3 networks. I would strongly recommend that you just stick to regular VLANs since they are simple to work with and all you need is a router somewhere on your network to terminate the connection.