Glad you like it! This is just the start, there's also the whole Proxmox SDN solution too :)

Glad you like it!

Much appreciated!

😂😂😂

IOMMU for networking or in general? It's a bit of a different topic

Well, maybe a general overview of PCIe devices where IOMMU would be useful. Like maybe (I'm guessing here) IOMMU can be necessary with GPUs used for transcoding or compute; might be useful with some HBA scenarios; and wondering if it could be useful with NICs at all, like when using pfSense OS in a VM.

In general it's needed for PCIe passthrough, be that a GPU, NIC, or HBA. There are other types of passthrough though (bridged NIC, block device, USB) which don't require IOMMU. I'm working on a video on this topic, not pfSense but passthrough methods in general

You can use Linux VLANs off the interface, and set those as the bridge ports on each bridge. Then the bridges are not vlan-aware and only carry traffic for the VLAN of their bridge port.

I have been thinking about this as well. Did you find an answer?

I was planning on one with OPNsense and Mikrotik RouterOS

OpenSense and VxLAN

Traffic from a new source will initially flood the network until the switch 'learns' the MAC addreses on each port. This should happen really quickly before the node even has an IP address due to the DHCP / RA process. But it's still part of the same layer 2 broadcast domain, shares the same DHCP server and RAs, layer 3 subnets, ... So creating multiple vmbr's isn't really to 'hide' traffic between VMs, but to create a unique layer 3 subnet for a special purpose. You might do this to simulate a physical topology where two VMs are directly connected instead of via the main netework, or if you have a virtual router and want the downstream network(s) to be isolated from each other and the upstream network(s).

BSD has worse drivers in general than Linux, so you might have a better time with a Linux-based solution than BSD-based if you aren't using very common PCIe NICs.

It could potentially be. I haven't seen it fence a node that was running properly, but I'm also not pushing the network super hard in testing

Glad you liked it!

@@apalrdsadventures I finally got around to tinkering with my pfsense, unifi, and proxmox vlans. You never know if you're passing vlans and/or will lose your connections when playing around with vlans but luckily this time all went well. I assigned the vlan to the vmbridge versus assigning them to the guest network interface so everything I connect to that bridge will be on that vlan. My lab server guests are getting IP addresses from my pfsense and I'm able to SSH. Sweet! Thanks again!

Bridges act as network switches, so nothing is forcing traffic to go through the VM.

@@apalrdsadventures so what would i need to do to get the IDS to sniff all the traffic on that network? or what issue may stop this? thanks!

If you want to sniff traffic, you need to force all of your network traffic through the VM (and bridge in the VM) or use a port mirror, which is a bit of a more complicated setup

@@apalrdsadventures oh ok thank you! So the idea is just create a bridge add all vms and then port mirror it?

Linux bridges don't support port mirroring, iptables can mirror at layer 3, and it's possible to force layer 2 bridge traffic through the iptables rule set which might allow it, but basically no it's not an easy task at all

You shouldn't need to use NIC teaming for this, you can create multiple bridges internally for your public and private networks. Or, you can use a single bridge with tagged VLANs for public and private networks.

@@apalrdsadventures Im not quite sure what you mean. When i create a Windows VM in Proxmox I need it to have 2 network interfaces (one with public IP and one with local using VLAN). How do i do that in Proxmox? With Windows HyperV I do that configuration through NIC Teaming (because the server has only one physical network adapter) and then configuring 2 vSwitches in HyperV settings.

Proxmox will natively handle VLANs in the vm bridges. You just put the vlan tag in when you create an interface on the vm. You don’t need to assign the vlans to the Proxmox host at all, it will forward across the vmbr switch. You can add multiple net interfaces to the vm off the same vmbr bridge with different vlan ids

@@apalrdsadventures Im not sure how that would work for me. My host (Proxmox) needs also to be part of the local network (vlan 4005). In order to do that i configure network like...: (enp41s0 is my network card with public ip) > ip link add link enp41s0.4005 type vlan id 4005 Then on this new interface I configure: mtu, ip addresses, routes and when i set this interface UP, Proxmox has access to my local network via vlan 4005. So far so good. Now, I create one bridge (vmbr0) using enp41s0 (public ip) as bridge port, in order for my VM to have Public IP (using seperate static MAC). And with this bridge my VM has internet access using public IP. If I use the same bridge (vmbr0) to create additional network adapter (VLAN tag: 4005) for my VM, wont do the trick. My VM has an extra network adapter, which i configure with local ip configuration, but there is no network access.. If I create an extra bridge (vmbr1) using enp41s0.4005 as bridge port, Proxmox still has connectivity with the rest of the local network. But if I create an extra network adapter for my VM using vmbr1, the result is the same.. No local network connectivity.. What am I missing? There must be a way to do that! If i can do it on a Windows Host, I can do it on Linux, Im sure of it.. Please help me dude, im desperate 😢

I found my f.... mistake... when i create the VM network interface using vmbr0 (VLAN4005) the "VLAN tag:" option must be left empty (no VLAN)..!! When i did that my VM could communicate the rest local network (VLAN 4005)!! Anyway, thank you very much! Keep up you excellent work! Subscribed! Cheers

Yes! And I also appreciate the side notes that you give, just to make sure everybody understands what the terminology is.

Glad it worked for you!

Glad you enjoyed it! I definitely like keeping things locally hosted, even if it's just for 'fun'. Hope you enjoy some of the upcoming projects I have!

Agreed, his videos are great! He's doing the community a great service!

Glad it helped!

Glad you enjoyed it!

Glad you liked it! Working on tutorials for some of the more complex parts of the networking GUI (SDN and Firewall)

Managed switches are a ton of fun!

add enx1.2 and enx2 as bridge ports on a non-vlan-aware bridge.

All of this is at layer 2, not layer 3, so no IP routing / load balancing, just MAC.

Yes and no. A single TCP session will have only 1Gbps. Multiple sessions in aggregate can add up to 2Gbps. A single file transfer will therefore get only 1Gbps.

Glad it helped!

Setting an IP address on the bridge is essentially plugging in the Proxmox server itself to the bridge, in one step.

You should only have one gateway on a system (unless its a router itself)

You do not need a physical switch for VLANs to work. You do need a switch that supports VLANs if you want your vlans to leave the Proxmox box.

In general you will need the network's router to handle this. If your existing network is 192.168.1.0/24, you would need to add a static route in the router for the 192.168.10.0/24 subnet via the proxmox host (and configure routing there manually on Linux), or add an additional VLAN on the existing router for 192.168.10.0/24 and use the vlan-aware bridge in Proxmox to forward that to the VMs.

Proxmox is not involved in IPs other than its own. That's up to the VM.

Happy to help!

lol thanks! USB NICs aren't ideal, but at least it shows the difference from real 2+G to aggregated 2+G

Glad it was helpful!

I haven't, generally I don't need to use NAT on Proxmox with the Proxmox system bridged to my LAN.

You can assign multiple ports to a bridge (vmbr) and it will act like a switch.

@@apalrdsadventures Thanks for getting back to me! I can't believe it's that simple, I should have just tried that, it works great.

That's a good question, and I suspect SR-IOV will get you the least jitter as the software bridge will be more dependent on CPU load.

@@apalrdsadventures Thanks. I was thinking that might be the case, since it would use the asic on the nic. I just started using a Connectx-4 card and it can break out multiple devices for use in SR-IOV. I just need to figure out how to best utilize that functionality across multiple VMs/Containers.

I just did SDN basics, so it will be next in the SDN list (unicast vxlan and evpn vxlan)

@@apalrdsadventures Fantastic!! Hope soon because SDN is very very great technology in Proxmox. Thanks!!

oh yeah I did

So no need to add vlan devices all the way up. eno1 supports vlan tagging, you can break them out as eno1.2 but don't have to. vmbr bridges (with 'vlan-aware' checked) also support vlan tagging, and this is inherited by child interfaces, so if eno1 is a child of vmbr1 then vlans on eno1 will get passed up to vmbr1 to get processed without creating a bunch of eno1.xx interfaces. Again at vmbr1 we could do vmbr1.2 but again we don't have to. When we create a new network interface on a VM/CT in Proxmox, there's a box to type in the vlan id, and it will essentially make that VM network adapter an access port tagged to that specific vlan id (the id you typed). So the place to configure this is in the VM's hardware, not the host networking. The only exception is if the Proxmox system itself (not the VMs, CTs, the base Linux system) needs to be on a vlan, in that case you'd use a vmbr1.xxx with the IPs set, but you'd never use that for VMs, just the Proxmox base system.

@@apalrdsadventures That's great thank you for your help. I'll give that a go. I've also read I can make a Proxmox workstation in the Proxmox docs by just installing, say, mate or whatever. Perhaps another video for you to do? Perhaps you saw my other comment. I'm getting a lot from your videos. Thank you.

You have access to the full Debian repos on Proxmox. Debian has a few metapackages specifically for installing a full desktop environment on a previously terminal system, they are all named task--desktop. The possibilities are: task-gnome-desktop task-xfce-desktop task-kde-desktop task-lxde-desktop task-cinnamon-desktop task-mate-desktop task-lxqt-desktop `apt install task-xfce-desktop` will install xfce, its basic apps, login manager, and the whole x11 stack. Same for any other desktop. Now you should be careful about messing with things like networking from the desktop, but for a development system it's fine.

Not exactly. It changes how untagged traffic on the bridge behaves (and also breaks vlan-awareness on the bridge) If the slave port is eno1.100, then the untagged traffic on vmbr0 becomes vlan 100 on the wire. Tagging a vlan on the bridge would then nest the tags on the wire (although I don't believe this config would be vlan-enabled at all on the bridge). The other way around creates a tagged interface on vlan 100 off of the vmbr *for the proxmox system*, but VMs using vmbr0 directly aren't vlan tagged, but they could be tagged if you set the vlan id on the net interface.

@@apalrdsadventures I see, thank you for your reply! If I understand it correctly, eno1.100 is like a "linux thing" while vmbr0.100 is a "proxmox-thing"?

It changes where in the layering the VLAN tags are added/removed, which changes if vmbr0 can use vlan tags at all. Taking eno1 and bridging to vmbr0 means that the bridge itself is now vlan-aware (can handle any vlan), and vmbr0.100 creates an interface for the system to use vlan 100, but VMs can still use any vlan as the bridge is not confined to only vlan 100. Taking eno1 and making a vlan-tagged interface eno1.100 and bridging *that* to vmbr0 means vmbr0 is now a member of vlan 100 via its parent interface, even if you select no vlan / default vlan on the bridge.

@@apalrdsadventures Ah ok, now I understand.That makes a lot of sense, thank you!

You'd need a switch which can split out VLAN tags

@@apalrdsadventures I actually managed to do it without VLANs. Proxmox NIC is connected to my physical DMZ port on my router, I created a Linux Bridge (vmbr1) in proxmox that is connected to the physical interface (enp101s0) which becomes the 'WAN' interface for pfSense. I then created another Linux Bridge in proxmox (vmbr2) which is not connected to any physical interface. So, I add vmbr1 and vmbr2 as the two interfaces for the pfsense VM. I then assign them accordingly in pfSense. This seems to work fine without the need for setting up vlans in my home network.

That works if you don't want to share the LAN interface outside of the Proxmox system, but the external router is also doing NAT in this case.