omv5 or OS blocking network after subnet change

  • Hi


    Problem: after changing subnet of omv5, the external connection to my nas and dns is no longer working


    - I installed the latest omv5 on an SD card (Terramaster NAS F4-422: Intel CPU, 12 GB RAM and 3 NICs inside) by creating a VMware image, converting the image, updating grub, updating the OS, (...) I used a DHCP address with a fixed lease of 192.168.1.12/24. Gateway and DNS given by DHCP: 192.168.1.1. Everything is working fine.

    - I switched my server subnet to 192.168.30.x/24 (by GUI or omv-firstaid).

    - Reboot.


    Problem:

    - DNS no longer working: on the ssh prompt nslookup http://www.google.be -> no server found.

    - external connection is no longer possible (e.g. ping)


    However:

    - after reboot: I got my DHCP address 192.168.30.12

    - after reboot the ssh message is telling me my GUI is available on 192.168.30.12:80

    - on the ssh prompt I see my GUI is listening on *:80. With telnet I can check this: OK, site reachable.


    What I tried:

    network:

    - omv-firstaid: NIC fixed addresses. Sometimes it gave me errors back, sometimes not.

    - omv-firstaid: reconfigure GUI port

    --> I checked /etc/netplan/* and applied netplan. This is not where it is going wrong.

    - restart nginx, reconfigure nginx: "omv-salt stage run deploy"

    - I made sure Apache is off.

    - iptables => all chains ACCEPT. No firewall configured.

    - routing: my routes for the new subnet look fine.

    DNS:

    - manually overwrote DNS in /etc/resolv.conf by adding my DNS server


    I slowly realised it is probably not the omv install itself, but somewhere at OS level my subnet is hardcoded. When I go back to the old subnet, everything is working fine.



    Can someone point me to where else I can dig? ;(


    regards


    Johan.

  • votdev

    Approved the thread.
  • Hi


    I did some more research:

    - completely new install starting from my subnet (192.168.30.x): at VMware level everything works fine. After that I need to convert it to an img file, write it to my SD card and put it in my omv NAS.

    - I connected a laptop to my omv network cable to check if my switch is configured well.

    - my switch (Zyxel 1900, L2 switch) is set up to tag all packets with VLAN ID 3.

    --> conclusion: I have the same issues: on the ssh shell DNS is blocking; omv is not reachable from outside; I can get DHCP addresses.


    lesson: I learned omv is not blocking some IPs / IPs are not hardcoded inside. However, VLAN tagging is not working as expected on omv.


    Second experiment:

    - create NIC enp2s0 without VLAN: 192.168.1.12 using omv-firstaid

    - create VLAN port on enp2s0.3 (192.168.30.17)

    - configure the switch port to be on the default (no VLAN) network, be a trunk and pass tagged ID 3 traffic.



    conclusion: both interfaces are working fine. Nice. It seems tagging traffic down the road on the switch is not a good idea with omv. However it works fine for other devices.


    to be continued:

    - I would like to block regular access and only keep the tagged VLAN 3 traffic.

    - I need to bond 2 NICs on this VLAN 3. This can't be done via the GUI. LACP protocol used.

    - I have a third 10 Gbit NIC which should connect directly, without a switch, to one of my PCs.


    Johan.

  • Hi


    First 2 points accomplished:

    - I would like to block regular access and only keep the tagged VLAN 3 traffic.

    - I need to bond 2 NICs on this VLAN 3. This can't be done via the GUI. LACP protocol used.


    1) first point: my bonding port bond0 has no explicitly assigned IP address. See config below. In theory a hacker could gain access to my Terramaster, reconfigure my network and assign himself a regular address. It is not blocked at switch level. (If I do so, the VLAN 3 subnet won't work anymore.)


    2) second point: Define at switch level a LAG with 802.3ad (also called LACP) support.

    3) for backup purposes, I keep a simple config created via the omv5 GUI. This will be overwritten afterwards.

    I created a 60-myconfig.yaml file. This file is applied after the other one. Pay attention: you may no longer apply network config via the GUI. It may clear /etc/netplan/*.


    Execute and apply the network config:

    netplan --debug try

    netplan --debug generate

    netplan --debug apply

    systemctl restart networking


    The last point remains. I'll keep you posted.


    And my original question still stands: omv doesn't like VLAN tagging on my switch. I found a workaround by using bond0.3 subnetting without giving the bond0 interface an IP in the main subnet.

  • Hi


    After weeks of searching, I managed to get most of it working:

    - my omv has 3 NICs (Terramaster):

    -> 2x 1 Gbit, bonded into one 2 Gbit line. It is connected to a Gbit switch/router (192.168.30.12/24).

    -> 1x 10 Gbit link directly connected to my main PC without switch/routing (omv 192.168.60.1/24 and .2 on my main PC).

    - my main PC has several NICs. One is connected to the Gbit switch/router (192.168.30.xxx/24), and the 10 Gbit card is directly connected to my omv.


    Problems I ran into:

    - the network stack of my main PC (Win10) was corrupt. I had to reset it.

    - configuring bonding on my Zyxel switch and omv via 802.3ad. -> check bonding info:

    Code
    cat /proc/net/bonding/bond0
    networkctl list


    - making sure omv responds on the same interface the TCP packet is coming from. -> using routing tables in netplan. I debugged with Wireshark on my main PC and iftop on Linux.

    - OMV only supports simple network setups. More advanced ones should be handled via ssh and /etc/netplan. Use netplan files starting with 60 so OMV-generated netplan files are overridden. I did not define any interface in the omv GUI.

    - wrong MTU values. Please start with the default "1500" and, if this is working, change it to the desired value. In my case 9014 on a Marvell AQtion 10 Gbit Network Adapter set to "mtu = 9000". (Header bytes should be taken into account on omv.)


    Working config on my OMV: /etc/netplan/60.yaml

    - omv connected to 2 subnets

    - unknown IPs are routed to the default gateway.


    I abandoned the use of VLANs.
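    As an added example (not the 60.yaml from the post, which was never shown), this is a netplan file of the kind the last two posts describe: two NICs bonded with 802.3ad, VLAN 3 on the bond carrying the only switch-side address, the direct 10 Gbit link, and a policy-routing table so that replies from the 10 Gbit address go back over that link rather than out through the switch. The names enp3s0 and enp4s0, the DNS server address and the table number are assumptions.

```yaml
network:
  version: 2
  renderer: networkd
  ethernets:
    # Bond members carry no address of their own.
    enp2s0: {}
    enp3s0: {}           # assumed name of the second 1 Gbit NIC
    # Direct 10 Gbit link to the main PC: no switch and no gateway on 192.168.60.0/24.
    enp4s0:              # assumed name of the Marvell AQtion card
      addresses: [192.168.60.1/24]
      mtu: 1500          # bring it up at 1500 first; go to 9000 only once that works
      routes:
        # Table 60 is consulted only for traffic sourced from 192.168.60.1 (see
        # routing-policy): a reply to a request that reached OMV on the 10 Gbit link
        # is sent back on that link, via the PC (the only neighbour there),
        # instead of leaking out through the switch.
        - to: 0.0.0.0/0
          via: 192.168.60.2
          table: 60
      routing-policy:
        - from: 192.168.60.1/32
          table: 60
  bonds:
    bond0:
      interfaces: [enp2s0, enp3s0]
      # bond0 itself has no address on purpose (point 1 above): only the tagged
      # VLAN carries an IP, so an untagged frame arriving on the LAG gets no reply.
      parameters:
        mode: 802.3ad             # the LAG on the Zyxel must be 802.3ad (LACP) as well
        lacp-rate: fast
        transmit-hash-policy: layer3+4
        mii-monitor-interval: 100
  vlans:
    bond0.3:
      id: 3
      link: bond0
      addresses: [192.168.30.12/24]
      nameservers:
        addresses: [192.168.30.1]   # assumed: the router is also the DNS server
      routes:
        # Main table: everything unknown goes to the default gateway on VLAN 3.
        - to: 0.0.0.0/0
          via: 192.168.30.1
```

    Test it with netplan try before netplan apply: try reverts the change automatically unless it is confirmed within the timeout, which is what stops a wrong table or VLAN id from locking you out of the ssh session on the very link you are changing.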
