Core dump of my brain:
Need to find out what’s drawing 10 Mbit/s on my WAN. Thank God I figured out that port mirroring is a thing before constructing that 3-node keepalived cluster idea to make a redundant virtual router through which all traffic would have to go.

Source is port 1, which goes to the router, and the mirror target, port 23, is eno4 on pve3. It may have been sufficient to run “ip link set ens19 promisc on” inside the VM that I connected to the corresponding bridge in Proxmox and turn off the firewall for the interface. That last bit was a tricky thing because I have no firewall rules in Proxmox. But apparently just having firewalling enabled kicks my plans of pushing all internet-related packets to my testmonitor right in the shins.
Along the way I switched standard Linux bridging for Open vSwitch. Not sure if that was necessary but this configuration worked:
auto lo
iface lo inet loopback

iface eno3 inet manual

iface eno1 inet manual

iface eno2 inet manual

allow-vmbr1 eno4
iface eno4 inet manual
    ovs_bridge vmbr1
    ovs_type OVSPort

auto bond0
iface bond0 inet manual
    bond-slaves eno2 eno3
    bond-miimon 100
    bond-mode balance-rr

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.23/21
    gateway 192.168.0.1
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0

#auto vmbr1
allow-ovs vmbr1
iface vmbr1 inet manual
    ovs_type OVSBridge
    ovs_ports eno4
Update 2021-09-29 00:12
With Proxmox 7 it was sufficient to turn off the firewall and run this command (an ageing time of 0 makes the bridge forget learned MAC addresses immediately, so it floods every frame to all ports, hub-style, and the monitoring VM sees the mirrored traffic):
brctl setageing vmbr1 0
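Once the monitoring VM sees the mirrored WAN traffic, the next step is working out which host is actually using it. As an added example (not from the original post), this Python script aggregates `tcpdump -nn -q` lines captured on the monitor interface into per-host top talkers with an approximate bit rate; the tcpdump line shape, the constructed sample lines, and the 192.168.0.0/21 LAN range taken from the vmbr0 config are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed one-line-per-packet shape of `tcpdump -nn -q` (TCP and UDP only), e.g.
# "00:00:01.000000 IP 192.168.1.50.51234 > 203.0.113.9.443: tcp 1448"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?:tcp (?P<tcp>\d+)|UDP, length (?P<udp>\d+))"
)
LAN = ipaddress.ip_network("192.168.0.0/21")  # the /21 from the vmbr0 stanza above

def top_talkers(lines, lan=LAN):
    """Sum payload bytes per (LAN host, remote endpoint, direction), ranked by volume.
    Returns (rows, seconds): rows sorted descending, seconds = span of the capture."""
    totals = defaultdict(int)
    first = last = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6, ICMP or truncated lines are skipped, not counted
        size = int(m["tcp"] or m["udp"])
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        first = ts if first is None else first
        last = ts
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in lan and dst not in lan:
            key = (m["src"], f"{m['dst']}:{m['dport']}", "out")
        elif dst in lan and src not in lan:
            key = (m["dst"], f"{m['src']}:{m['sport']}", "in")
        else:
            continue  # LAN-to-LAN chatter (mDNS etc.) is not WAN usage
        totals[key] += size
    seconds = (last - first).total_seconds() if first and last else 0.0
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True), seconds

def mbit_per_s(nbytes, seconds):
    return nbytes * 8 / 1_000_000 / seconds if seconds > 0 else 0.0

# Constructed sample capture: a 2-second window with one host downloading
SAMPLE = """\
00:00:00.000000 IP 203.0.113.9.443 > 192.168.1.50.51234: tcp 1448
00:00:00.500000 IP 203.0.113.9.443 > 192.168.1.50.51234: tcp 1448
00:00:01.000000 IP 192.168.1.50.51234 > 203.0.113.9.443: tcp 0
00:00:01.500000 IP 192.168.1.77.5353 > 192.168.1.255.5353: UDP, length 80
00:00:02.000000 IP 198.51.100.4.53 > 192.168.1.77.40000: UDP, length 120
""".splitlines()

if __name__ == "__main__":
    rows, secs = top_talkers(SAMPLE)
    for (host, remote, direction), nbytes in rows:
        print(f"{host:<15} {direction:<3} {remote:<22} {nbytes:>7} B {mbit_per_s(nbytes, secs):.3f} Mbit/s")
```

Feed it a real capture with `tcpdump -nn -q -i ens19 ip | python3 toptalkers.py` style piping from the monitor VM, or a saved text file.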
Some more notes
Linux bridges can have STP support:
root@pve3:~# brctl showstp vmbr0
vmbr0
bridge id 8000.ac1f6bb1dd89
designated root 8000.ac1f6bb1dd89
root port 0 path cost 0
max age 20.00 bridge max age 20.00
hello time 2.00 bridge hello time 2.00
forward delay 0.00 bridge forward delay 0.00
ageing time 300.00
hello timer 0.00 tcn timer 0.00
topology change timer 0.00 gc timer 83.72
flags
bond0 (1)
port id 8001 state forwarding
designated root 8000.ac1f6bb1dd89 path cost 4
designated bridge 8000.ac1f6bb1dd89 message age timer 0.00
designated port 8001 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
fwpr103p0 (2)
port id 8002 state forwarding
designated root 8000.ac1f6bb1dd89 path cost 2
designated bridge 8000.ac1f6bb1dd89 message age timer 0.00
designated port 8002 forward delay timer 0.00
designated cost 0 hold timer 0.00
flags
I did not know that.
Here’s a really good idea if you have an internal authoritative DNS server for your domain and you use short TTL values so that changes will propagate quickly: DON’T SET THE PDNS SERVICE TO DISABLED. If you are an idiot like me, run this:
systemctl enable pdns
systemctl start pdns
I guess having your authoritative DNS server autostart is good no matter what your TTL values are, but it got real obvious real fast that something had gone to hell in a handbasket. At least I know now why things went all bananas the last time I rebooted the physical server where authdns01 runs…
I have a systemd service for a Docker-based PowerDNS GUI by the way:
root@authdns01:~# cat /etc/systemd/system/pdnsgui.service
[Unit]
Description=PowerDNS Admin Container
After=docker.service
Requires=docker.service
[Service]
TimeoutStartSec=45
Restart=always
ExecStartPre=-/usr/bin/docker stop pdnsgui
ExecStartPre=-/usr/bin/docker rm pdnsgui
ExecStart=/usr/bin/docker run --name pdnsgui -v pda-data:/data -p 9191:80 ngoduykhanh/powerdns-admin
[Install]
WantedBy=multi-user.target
Also not enabled…
systemctl enable pdnsgui
systemctl start pdnsgui
Some have “ExecStartPre=/usr/bin/docker pull ngoduykhanh/powerdns-admin” in their pdnsgui-analogue but I don’t like living dangerously.