Hi,
We use our KVM cluster for both DMZ servers and local servers. Local servers uses tagged vlans on the bridge. Our topology is like the attached image.
In every proxmox host VMs uses vmbr1 bridge. DMZ VMs does not configured with any vlans. So their traffic go through dmz switch -> firewall. Lan server VMs configured with vlans on vmbr1 so their traffic go through dmz switch -> Lan backbone. On dmz switch all local vlans are tagged on the switch ports which are connected to proxmox hosts vmbr1 physical interface (eth0) and port that connected to backbone switch.
It was working without any issues until I upgraded to 3.2. After the upgrade, Ipv4 traffic runs without issue but Ipv6 traffic screwed up.
This is the output of one of DMZ KVM guest. As you can see it thinks that all lan ipv6 blocks as neigbours. So when I try to connect to our web server via ipv6 address from a lan PC (xxx:10a::/64) the traffic goes through our firewall (xxx:252::1 ) as expected but the kvm guest doesn't send the reply via its default gateway as it thinks xxx:10a::/64 is his neighbour. So the the ipv6 traffic from lan to dmz and dmz to lan screwed up.
I don't understand why linux bridge vmbr1 forward tagged local vlan traffic to guest vms that has no vlan config?
Any advice?
We use our KVM cluster for both DMZ servers and local servers. Local servers uses tagged vlans on the bridge. Our topology is like the attached image.
In every proxmox host VMs uses vmbr1 bridge. DMZ VMs does not configured with any vlans. So their traffic go through dmz switch -> firewall. Lan server VMs configured with vlans on vmbr1 so their traffic go through dmz switch -> Lan backbone. On dmz switch all local vlans are tagged on the switch ports which are connected to proxmox hosts vmbr1 physical interface (eth0) and port that connected to backbone switch.
It was working without any issues until I upgraded to 3.2. After the upgrade, Ipv4 traffic runs without issue but Ipv6 traffic screwed up.
Code:
root@webserver-new:~# route -6Kernel IPv6 routing table
Destination Next Hop Flag Met Ref Use If
xxx:101::/64 :: UAe 256 0 0 eth0
xxx:10a::/64 :: UAe 256 0 47 eth0
xxx:10b::/64 :: UAe 256 0 63 eth0
xxx:10c::/64 :: UAe 256 0 132 eth0
xxx:10d::/64 :: UAe 256 0 58 eth0
xxx:10e::/64 :: UAe 256 0 47 eth0
xxx:10f::/64 :: UAe 256 0 59 eth0
xxx:110::/64 :: UAe 256 0 48 eth0
xxx:111::/64 :: UAe 256 0 83 eth0
xxx:112::/64 :: UAe 256 0 48 eth0
xxx:113::/64 :: UAe 256 0 69 eth0
xxx:114::/64 :: UAe 256 0 840 eth0
xxx:115::/64 :: UAe 256 0 69 eth0
xxx:11a::/64 :: UAe 256 0 0 eth0
xxx:121::/64 :: UAe 256 0 46 eth0
xxx:252::/64 :: U 256 0 1 eth0
fe80::/64 :: U 256 0 0 eth0
::/0 xxx:252::1 UG 1 0 1659 eth0I don't understand why linux bridge vmbr1 forward tagged local vlan traffic to guest vms that has no vlan config?
Any advice?