在 Proxmox 上使用 VLAN 时,DHCP 响应未到达 VM

tag-icon tag-icon dhcp vlan proxmox
在 Proxmox 上使用 VLAN 时,DHCP 响应未到达 VM

我最近在我的服务器上安装了 proxmox,现在我正在尝试使网络正常运行。

我遇到的问题是,对于某个 VLAN,来自 DHCP 服务器的 DHCP 响应似乎没有到达我的 VM。它似乎到达了 proxmox,但 VM 中没有任何内容。

我想要实现的目标如下:

从我的 ISP 那里,我有一个 /29 子网。我有一个运行 RouterOS 7 的 Mikrotik 路由器。我配置了一个 VLAN (id=200),我想在其中添加从该子网获取 IP 的设备和虚拟机。除此之外,我还有一个标准的 192.168.some.thing 子网,我的家庭网络中的所有其他硬件都使用它。

因此,我想在 proxmox 中添加一个具有两个虚拟接口的 VM,一个从 192.168 子网获取 IP,另一个从我的 ISP 的 /29 子网获取 IP。

我的网络拓扑如下:

ISP <-> Mikrotik 路由器 <-> 运行 Proxmox 的服务器 <-> 交换机 <-> PC

我的服务器有两个物理接口,我将它们桥接在一起 (vmbr0)。我这样做是因为我的交换机不受管理,而且我读到它会从数据包中剥离 VLAN 标签。因此,交换机在更下游运行,后面还有几块硬件。我不认为这会对我的设置产生太大影响,但这样你就能了解整个情况。

那么,我在 proxmox 中做了什么来实现这一点:

我为虚拟机添加了一个额外的接口,并将 VLAN 标记设置为 200 我使网桥 (vmbr0) 具有 VLAN 感知能力 但是,接口似乎没有获得 IP。奇怪的是,我的路由器提供了 DHCP 租约。更奇怪的是:它似乎最终进入了 proxmox,但它停在那里(它没有到达虚拟机)。

为了分析问题,我运行了 tcpdump 来收集 DHCP 流量:

tcpdump -i vmbr0v200 -pvn port 67 and port 68

首先,我在 proxmox 上运行了这个。结果如下:

10:31:59.579453 IP (tos 0x0, ttl 16, id 0, offset 0, flags [none], proto UDP (17), length 328)
    45.xxx.xxx.233.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0x6c990843, Flags [none]
          Your-IP 45.xxx.xxx.234
          Server-IP 45.xxx.xxx.233
          Client-Ethernet-Address 9a:01:73:ba:ab:15
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Offer
            Subnet-Mask (1), length 4: 255.255.255.248
            Default-Gateway (3), length 4: 45.xxx.xxx.233
            Domain-Name-Server (6), length 8: 8.8.8.8,8.8.4.4
            Lease-Time (51), length 4: 600
            Server-ID (54), length 4: 45.xxx.xxx.233

所以,这一切似乎都很好!给出了正确的 IP 地址,接口 MAC 地址是正确的(9a:01:73:ba:ab:15 是我放置 VLAN 标记的虚拟接口的 MAC 地址)。但是,虚拟机端什么都没有。

当我在虚拟机端运行同样的事情时:

tcpdump -i ens19 -pvn port 67 and port 68

我收到的请求如下:

14:34:54.988228 IP (tos 0xc0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 322)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9a:01:73:ba:ab:15, length 294, xid 0xc62d7779, secs 1342, Flags [none]
          Client-Ethernet-Address 9a:01:73:ba:ab:15
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Discover
            Client-ID (61), length 19: hardware-type 255, 9e:37:69:8c:00:02:00:00:ab:11:f2:16:3b:8b:f0:03:d6:c8
            Parameter-Request (55), length 11:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), MTU (26), Static-Route (33), NTP (42)
              Unknown (119), Unknown (120), Classless-Static-Route (121)
            MSZ (57), length 2: 576
            Hostname (12), length 10: "kubernetes"

有谁知道这个设置可能出现什么问题?

一些额外的发现:我知道我的路由器会隐式地用 VLAN 1 标记无 VLAN 的数据包。因此,在 192.168 子网所在的虚拟接口上,我将 VLAN 标记设置为 1。这有效,我确实从路由器获得了 IP。我在虚拟机中运行了 tcpdump,输出如下:


tcpdump: listening on ens18, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:42:37.582434 IP (tos 0xc0, ttl 64, id 11934, offset 0, flags [DF], proto UDP (17), length 322)
    192.168.88.157.68 > 192.168.88.1.67: BOOTP/DHCP, Request from c6:13:ea:18:09:cc, length 294, xid 0x120faea6, secs 1805, Flags [none]
          Client-IP 192.168.88.157
          Client-Ethernet-Address c6:13:ea:18:09:cc
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: Request
            Client-ID (61), length 19: hardware-type 255, ca:53:09:5a:00:02:00:00:ab:11:f2:16:3b:8b:f0:03:d6:c8
            Parameter-Request (55), length 11:
              Subnet-Mask (1), Default-Gateway (3), Domain-Name-Server (6), Hostname (12)
              Domain-Name (15), MTU (26), Static-Route (33), NTP (42)
              Unknown (119), Unknown (120), Classless-Static-Route (121)
            MSZ (57), length 2: 576
            Hostname (12), length 10: "kubernetes"
14:42:37.593791 IP (tos 0x0, ttl 16, id 0, offset 0, flags [none], proto UDP (17), length 328)
    192.168.88.1.67 > 192.168.88.157.68: BOOTP/DHCP, Reply, length 300, xid 0x120faea6, Flags [none]
          Client-IP 192.168.88.157
          Your-IP 192.168.88.157
          Server-IP 192.168.88.1
          Client-Ethernet-Address c6:13:ea:18:09:cc
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message (53), length 1: ACK
            Subnet-Mask (1), length 4: 255.255.255.0
            Default-Gateway (3), length 4: 192.168.88.1
            Domain-Name-Server (6), length 8: 192.168.88.1,8.8.8.8
            Lease-Time (51), length 4: 600
            Server-ID (54), length 4: 192.168.88.1

编辑:

因此,我进行了更多的挖掘,似乎在 Proxmox 上一切都很好:

nmap --script broadcast-dhcp-discover -e vmbr0 结果是:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-06 12:32 CEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.88.155
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.88.1
|     Domain Name Server: 192.168.88.1, 8.8.8.8
|     IP Address Lease Time: 10m00s
|_    Server Identifier: 192.168.88.1
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.85 seconds

nmap --script broadcast-dhcp-discover -e vmbr0v200

结果是:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-06 12:32 CEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 45.xxx.xxx.236
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.248
|     Router: 45.xxx.xxx.233
|     Domain Name Server: 8.8.8.8, 8.8.4.4
|     IP Address Lease Time: 10m00s
|_    Server Identifier: 45.xxx.xxx.233
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.72 seconds

编辑2:

关于我的设置的一些更多相关信息:

/etc/network/interfaces 的内容:

# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp99s0f0 inet manual

iface enx3a0de3575b59 inet manual

iface enp99s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.88.200/24
        gateway 192.168.88.1
        bridge-ports enp99s0f0 enp99s0f1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

proxmox 本身的防火墙设置都是默认的:我还没有做任何配置。因此,proxmox 应该可以让所有内容通过,并且在 VM 端应该没有任何阻止任何内容。此外,对于其他子网,DHCP 租约正常通过。

以下是我的 mikrotik 配置的相关部分:请注意:ether5 是我的 proxmox 服务器连接到的物理接口。

/interface vlan
add interface=bridge name=vlan-public vlan-id=200
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool_freedom ranges=45.xxx.xxx.234-45.xxx.xxx.238
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool_freedom interface=vlan-public lease-time=10m name=\
    dhcp-freedom
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge interface=vlan-public
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=45.xxx.xxx.233/29 interface=vlan-public network=45.xxx.xxx.232
/ip dhcp-server network
add address=45.xxx.xxx.232/29 dns-server=8.8.8.8,8.8.4.4 gateway=45.xxx.xxx.233 \
    netmask=29
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=8.8.8.8 name="Google DNS 1"
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input src-address=!192.168.88.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=passthrough chain=prerouting
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN src-address=\
    !45.xxx.xxx.232/29
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-freedom routing-table=\
    to-freedom
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=pppoe-freedom \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=45.xxx.xxx.232/29 gateway=45.xxx.xxx.232 \
    pref-src="" routing-table=main suppress-hw-offload=no

请注意,上面的导出中省略了不相关的条目。

相关内容