
Proxmox question


Myatu
15-06-2011, 18:38
Quote Originally Posted by DigitalDaz
You learn something new every day, I never realised you could allocate the same virtual MAC to multiple IPs. I now have my eth0:0 again and it's working perfectly
I didn't even know this myself. Would have saved me a lot of typing. Thanks Yonatan.

DigitalDaz
15-06-2011, 18:22
Thanks again guys for the advice.

You learn something new every day, I never realised you could allocate the same virtual MAC to multiple IPs. I now have my eth0:0 again and it's working perfectly

Thanks again!

Myatu
15-06-2011, 17:17
The benefit of using virtual MACs is that it brings routing as well as security down to the router/switch level, rather than the host.

OVH has full programmatic control over the MACs and associated routing, whereas Proxy_ARP does this on "whoever answers first". In a VLAN, private subnet or an environment where you have full control over the VMs/well protected host, this would be acceptable.

However, it could wreak havoc if your ARP cache becomes polluted with faked answers. You run the chance that your own VMs become inaccessible, because too many other (fake) answers are taking precedence or your traffic is routed elsewhere (blackholed). On that same note, traffic routing could be directed to a particular machine(s) (Read: DoSsed). This is one of the reasons why OVH had sent out those e-mails about ARP answers going outside of their allowed realm...

Lastly on this, because OVH has full programmatic control, this means they know what MAC address belongs to who. If someone uses the same MAC as one of your VMs (slim chance, but in a situation where someone purposely tries to spoof you after discovering it), OVH denies routing to this spoofed system. Proxy_ARP doesn't have this without additional protection from a firewall (can be done with iptables) or static ARP table.

You could look into using a VLAN for your servers, which will allow you to use your RIPE block freely in Proxmox (Search for a forum post here by Loic for full setup details).

Alternatively, you could use NAT translation, although in a hosted environment - especially VoIP - this might not be the best (or prettiest) thing.
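
An added example, not part of the original post: a check for the two failure modes described above (a polluted ARP cache and a reused MAC), plus the static ARP entries mentioned as the proxy_arp-side protection. The addresses, MACs, the bridge name `vmbr0` and the sample `ip -4 neigh show` output are constructed assumptions.

```python
import re

# Assumed inventory (constructed): the virtual MAC assigned to each IP.
EXPECTED = {
    "192.0.2.10": "02:00:00:aa:bb:01",
    "192.0.2.11": "02:00:00:aa:bb:01",  # second IP on the same VM, same virtual MAC
    "192.0.2.20": "02:00:00:aa:bb:02",
}

# Constructed sample of `ip -4 neigh show` output; vmbr0 is an assumed bridge name.
SAMPLE = """\
192.0.2.10 dev vmbr0 lladdr 02:00:00:aa:bb:01 REACHABLE
192.0.2.11 dev vmbr0 lladdr 02:00:00:aa:bb:01 STALE
192.0.2.20 dev vmbr0 lladdr 02:00:00:de:ad:99 REACHABLE
192.0.2.30 dev vmbr0 lladdr 02:00:00:aa:bb:02 DELAY
192.0.2.40 dev vmbr0  FAILED
192.0.2.254 dev vmbr0 lladdr 00:11:22:33:44:55 router REACHABLE
"""

ENTRY = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")

def parse_neigh(text):
    """Return (ip, dev, mac) for every entry that has a resolved link-layer address."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            rows.append((m.group(1), m.group(2), m.group(3).lower()))
    return rows

def audit(text, expected):
    """Flag pinned IPs answering from the wrong MAC and pinned MACs claimed by other IPs."""
    pinned = {mac.lower() for mac in expected.values()}
    findings = []
    for ip, dev, mac in parse_neigh(text):
        want = expected.get(ip)
        if want is not None and mac != want.lower():
            findings.append(("mac-mismatch", ip, mac))
        elif want is None and mac in pinned:
            findings.append(("mac-reused", ip, mac))
    return findings

def pin_commands(expected, dev):
    """Build the iproute2 commands that install permanent (static) neighbour entries."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in sorted(expected.items())]

if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED):
        print(*finding)
    print("\n".join(pin_commands(EXPECTED, "vmbr0")))
```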

yonatan
15-06-2011, 17:12
Quote Originally Posted by DigitalDaz
What are the advantages and disadvantages of using proxy_arp vs virtual macs?

I just got another box and as is pretty usual for me, my ripe block wasn't working properly but this is now sorted.

I'm now having difficulty assigning a second IP address to a KVM machine, can't just add an eth0:0 like I could using proxy arp because of the virtual macs.

I'm now wondering why I'm bothering going back to the virtual macs.

TIA
The virtual MACs are a good option in most cases, also for security reasons. In case you use two IP addresses on the same VM, you can set the same MAC for both IP addresses.

The proxy_arp method is faster and it's easy to configure, as you don't need to change anything on the manager, just ip route add and you are done.

darj
15-06-2011, 16:32
Quote Originally Posted by DigitalDaz
What are the advantages and disadvantages of using proxy_arp vs virtual macs?

I just got another box and as is pretty usual for me, my ripe block wasn't working properly but this is now sorted.

I'm now having difficulty assigning a second IP address to a KVM machine, can't just add an eth0:0 like I could using proxy arp because of the virtual macs.

I'm now wondering why I'm bothering going back to the virtual macs.

TIA
Hi,

Could you give me more information on how you set up the proxy ARP within your server, please?

DigitalDaz
15-06-2011, 00:10
What are the advantages and disadvantages of using proxy_arp vs virtual macs?

I just got another box and as is pretty usual for me, my ripe block wasn't working properly but this is now sorted.

I'm now having difficulty assigning a second IP address to a KVM machine, can't just add an eth0:0 like I could using proxy arp because of the virtual macs.

I'm now wondering why I'm bothering going back to the virtual macs.

TIA