Proxmox Cluster (Tucana Cloud) - Create a new VLAN - Part VI

Let's document the steps to create a new VLAN into the tucana cloud.

1) Interfaces & VLAN

We first will log into our primary pfSense firewall and will navigate to Interfaces > VLANs > Add :

The tucana cloud uses tags ending in 5 for the third octect to avoid subnets overlapping with my home ones that end with 0 in the class C addresses

We now need to assign the newly created VLAN to an interface as below :

Click in the Available network ports and select the newly created VLAN.

Let's define an IP Address and enable our interface.

You might have noticed that the IP ends in .2 and we are using .2 because the tucana cloud has a High Availability Cluster of firewalls that requires 3 IP addresses from the range to operate. The Virtual IP and also gateway will use .1 and the secondary firewall .3.

Repeat the steps above in the secondary firewall.

Remember to change the IP Address to .3 on the secondary firewall.

We can now apply all the changes to both firewalls if you did not already.

2) Virtual IP

All the changes from now on will be done on the primary firewall, since we have a HA Cluster  the changes will sync between the firewalls.

Create the CARP IP in the primary firewall as the picture below :

Primary Firewall

3) Outbound NAT

We need to NAT the outbound traffic to our WAN CARP IP.

4) DNS and NTP forwarding

The tucana cloud firewalls capture all DNS and NTP traffic redirecting it to the firewall. This is implemented to avoid internal hosts querying external DNS or NTP servers.

5) DHCP Server

Let's setup our the DHCP server on our subnet.

6) DNS

We need to allow the DNS resolver in our new subnet.

Navigate to Services > DNS Resolver and change the option Network Interfaces as the picture :

Services / DNS Resolver / General Settings

7) Firewall Rules

And finally we need to create firewall rules to the newly created subnet.

Navigate to Firewall > Rules and add rules to match the below:

Proxmox Changes

We now need to change our virtual networking enviroment in our proxmox servers to allow the traffic to flow between the firewalls and the hosts.

The changes consists of :

1) Add the VLAN to the FW1 & FW2 trunk interface.

  • For persistent changes we also need to update the firewalls network configuration files to allow that the startup network scripts set up the network on reboot.

2) Add the VLAN to physical trunk.

  • For persistent changes we also need to update the physical trunk network configuration files to allow that the startup network scripts set up the network on reboot.

3) Add the VMs interfaces to the bridge and adjust the VLAN tag.

  • Create the VMs network configuration files to allow the network scripts to adjust the tags when the VMs are turned on/off. Proxmox destroys the VMs interfaces and recreates when the VM is turned on or off respectively.

We can visualise the above in the diagram below :

The changes listed above will allow traffic to flow between the Hypervisors. The hosts on the same VLAN will see each other even tough not being in the same Hypervisor.

Let's start changing the HV1 :

1) Add VLAN to FW1 Trunk

root@hv1:~# bridge vlan add vid 45 dev tap101i0 master

For persistent changes we need to add the VLAN to the firewall network config file:

              {"vid":"2", "pvid":"0"},
              {"vid":"15", "pvid":"0"},
              {"vid":"25", "pvid":"0"},
              {"vid":"35", "pvid":"0"},
              {"vid":"45", "pvid":"0"}

2) Add VLAN to the Physical Trunk

root@hv1:~/network/config# bridge vlan add vid 45 dev team2 master

Let's change the team2 config file for persistent changes:

        "team0": {
        "team2": {
                        { "vid":"2","pvid":"0" },
                        { "vid":"15","pvid":"0" },
                        { "vid":"25","pvid":"0" },
                        { "vid":"35","pvid":"0" },
                        { "vid":"45","pvid":"0" }

The steps above should now be repeated in the HV2.

And after the changes the bridge in both Hypervisors should have the following configuration for team2 and tap101i0:

root@hv1:~/network/config# bridge vlan show
port    vlan ids
enp135s0f0       15 PVID Egress Untagged

vmbr0   None
veth1    2 PVID Egress Untagged

team2    2

tap101i0         2

tap102i0         35 PVID Egress Untagged

tap100i0         25 PVID Egress Untagged
bridge vlan show

At this point the VLAN has been deployed and we are able to ping across the firewalls.

Let's briefly test reachability between the firewalls and finalise our deployment setting our guests.

[2.5.2-RELEASE][admin@hv2-fw2.localdomain]/root: ifconfig em2.45
em2.45: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet netmask 0xffffff00 broadcast
        inet netmask 0xffffff00 broadcast vhid 45
        groups: vlan
        carp: BACKUP vhid 45 advbase 2 advskew 100
        vlan: 45 vlanpcp: 0 parent interface: em2
[2.5.2-RELEASE][admin@hv2-fw2.localdomain]/root: ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=1.576 ms
64 bytes from icmp_seq=1 ttl=64 time=1.013 ms
64 bytes from icmp_seq=2 ttl=64 time=0.913 ms
--- ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.913/1.167/1.576/0.292 ms
Ping from FW2 to FW1

3) Add VM to the Bridge

This step is still not completed in the host. I have found that the scripts to add the interfaces and VLANs to the bridge need to be rewritten to deal with VMs that has more then one interface. Therefore, I will leave this session to be documented when the scripts are changed.

With all the steps described above we have added a new VLAN across our firewalls and two nodes. These steps can and will be automated in the future. I hope that this article helped you and see you in the next adventure.

Share Tweet Send
You've successfully subscribed to Infoitech - [B]logging
Great! Next, complete checkout for full access to Infoitech - [B]logging
Welcome back! You've successfully signed in
Success! Your account is fully activated, you now have access to all content.