Proxmox VE 8 Using SDN to Isolate User Networks


Proxmox VE 8 ships an SDN (software-defined networking) plugin that is operated entirely from the Web management interface. Used as described here, it gives each PVE user or group its own virtual network, so that tenants are logically isolated from one another and from the host network, and address collisions between tenants have no effect. For example, user A is assigned the range 172.16.10.0/24 and user B the range 172.16.20.0/24. If user A mistakenly configures a virtual machine with an address from user B's range, that address simply does not work on A's network and does not touch B's traffic.

Environment Preparation

The SDN stack consists of several packages: the SDN core `libpve-network-perl`, `dnsmasq` (used as the DHCP server for the built-in IPAM, IP address management) and FRRouting (`frr-pythontools`, an open-source routing protocol suite, needed by the EVPN zone type). PVE 8 ships the SDN core pre-installed; on PVE 7.x install the packages manually with the following commands:

apt update

apt install libpve-network-perl

apt install dnsmasq

apt install frr-pythontools

After installing `dnsmasq`, disable its default system-wide instance (the PVE documentation does this with `systemctl disable --now dnsmasq`): SDN starts its own per-zone dnsmasq instances, and the default one would conflict with them.

Next, adjust the host's network configuration. On the host's Debian shell, append the line `source /etc/network/interfaces.d/*` to `/etc/network/interfaces`, making sure not to omit the asterisk wildcard. This makes ifupdown2 load the interface definitions that SDN generates under `/etc/network/interfaces.d/`. Many installations already contain this line; check before appending it a second time.

Before any SDN zone has been created and applied, the directory `/etc/network/interfaces.d` on the PVE host is empty.
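The host-side preparation above is easy to get wrong on a second run (the `source` line ends up in the file twice). The following script is an added example, not code from the original post or from Proxmox: it adds the line only when it is missing and reports how many snippet files SDN has generated so far. Without an argument it works on a constructed copy of a minimal interfaces file so it can be tried on any machine; the real path is passed as the first argument on a PVE host.

```shell
#!/bin/sh
# Added example (not part of the original post): make the host-side
# preparation idempotent. PVE's SDN writes its interface stanzas under
# /etc/network/interfaces.d/, and /etc/network/interfaces must contain the
# line "source /etc/network/interfaces.d/*" for ifupdown2 to load them.
# Appending the line blindly on every run duplicates it; this script adds
# it only when it is missing.

SOURCE_LINE='source /etc/network/interfaces.d/*'

# has_sources_line <interfaces-file>: 0 if the exact line is present
# (commented-out copies do not count, because -x matches whole lines).
has_sources_line() {
    grep -qxF "$SOURCE_LINE" "$1" 2>/dev/null
}

# ensure_sources_line <interfaces-file>: append the line once.
# Returns 0 when it was added, 1 when it was already present.
ensure_sources_line() {
    if has_sources_line "$1"; then
        return 1
    fi
    printf '\n%s\n' "$SOURCE_LINE" >> "$1"
}

# sdn_snippet_count <dir>: number of files SDN has generated so far.
# Before the first "Apply" this is 0; afterwards the file "sdn" appears.
sdn_snippet_count() {
    n=0
    for f in "$1"/*; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone run: operate on a constructed copy of a minimal
# /etc/network/interfaces (sample content, not a real host's file), or on
# the file given as $1 (run as root on a PVE host to apply it for real).
if [ $# -ge 1 ]; then
    target="$1"
else
    target=$(mktemp)
    printf 'auto lo\niface lo inet loopback\n\nauto vmbr0\niface vmbr0 inet static\n    bridge-ports eno1\n' > "$target"
fi
if ensure_sources_line "$target"; then
    echo "added source line to $target"
else
    echo "$target already sources interfaces.d"
fi
echo "SDN snippets in /etc/network/interfaces.d: $(sdn_snippet_count /etc/network/interfaces.d)"
```

Run it twice against the same file and the second run reports the line as already present; the snippet count should be 0 until the first "Apply" in the Web UI.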

Verifying Network Isolation

To keep the demonstration simple, the plan is as follows. On a single node, create two resource pools, two groups and two users, then create two virtual networks (VNets) and grant each group access to one of them. Next, create two virtual machines, each attached to a different VNet and placed in a different pool. Unless stated otherwise, the following steps are performed in the PVE Web management interface.

1. Create Resource Pools

At the PVE datacenter level, open the “Pools” entry under “Permissions”, click “Create” and give each pool an easily recognizable name.

In this case, I created two resource pools: “mypool” and “mypool1”.

2. Create Groups

At the PVE datacenter level, select “Groups” under the “Permissions” submenu in the middle menu bar, click the “Create” button at the top of the page and enter a group name.

3. Create Users

At the PVE datacenter level, create two users: `usera` in the group “mygrp” and `userb` in the group “bgrp”. Use the “Proxmox VE authentication server” realm: it stores users in PVE's own database, so no Linux accounts have to be created on the host, which is simpler and keeps tenant logins away from the host's local accounts.

4. Create SDN Areas

SDN zones are the isolation boundary for virtual networks. PVE supports five zone types: Simple, VLAN, QinQ, VxLAN and EVPN. Given the lab environment here, a Simple zone is used to demonstrate the isolation.

At the PVE datacenter level, select “Zones” under the “SDN” submenu in the middle menu, click the “Create” button at the top and enter a name (zone IDs are limited to 8 characters). In a cluster you can additionally restrict the zone to specific physical nodes.

Create two zones, “simple01” and “tsimple”, for use in the following steps.

5. Create Virtual Networks (VNET)

At the datacenter level, select “Vnets” under the SDN submenu, click the “Create” button in the top menu, enter a name (“mvnet”) and select the zone “simple01”.

Select the new VNet “mvnet”, click the “Create” button in the Subnets panel at the top right of the page, enter the network address and gateway (192.168.99.0/24 and 192.168.99.1, matching the virtual machine configuration below), and tick “SNAT” (Source Network Address Translation) so that the host masquerades traffic leaving the VNet toward its uplink.

Similarly, create a VNet “vnet01” in the zone “tsimple” with the subnet 192.168.88.0/24 and gateway 192.168.88.1.

After confirming, select the “SDN” menu and click the “Apply” button at the top to activate the configuration. Refresh the Web interface and the newly created zones appear in the tree on the left; entries whose configuration failed are marked with a red cross.

Select the zone “simple01” and grant the group “mygrp” permission on it (Datacenter → Permissions → Add → Group Permission, path `/sdn/zones/simple01`), choosing a role that carries the SDN.Use privilege, such as PVESDNUser; without it the group's members cannot attach a virtual NIC to the zone's VNets.

Similarly, grant the group “bgrp” permission on the zone “tsimple”.

6. Create Virtual Machines

Create two virtual machines, placing them in different resource pools and attaching their virtual NICs to different bridges (the VNets created above).

Create the virtual machine “RRR” and assign it to the resource pool “mypool”. If you skip this in the wizard, the VM can be added to the pool afterwards.

In the network bridge dropdown list, select the previously created VNet “mvnet”; the VM will live in its subnet 192.168.99.0/24. After creating the virtual machine, install Rocky Linux 9, set the address to 192.168.99.111/24, the default gateway to 192.168.99.1 and DNS to 223.6.6.6. Once the system is up, log in and verify the network with `ping 192.168.99.1` (the gateway on the host) and `ping www.163.com` (an external host, reached through SNAT).

Now change the VM's IP address to one in the PVE host's own network segment and restart the VM's network service: the network becomes unreachable. The VNet bridge has no physical port, so the only way out is the host's gateway address 192.168.99.1, which a VM with a foreign address has no route to, and the host only NATs traffic whose source lies in 192.168.99.0/24. This is the isolation the setup provides.

Create another virtual machine, assign it to the resource pool “mypool1”, select the VNet “vnet01” as its bridge, install the operating system and set its IP address to 192.168.88.111/24, the default gateway to 192.168.88.1 and the DNS server to 223.6.6.6. Start the virtual machine and test its network connectivity in the same way.

The two virtual machines now belong to two different resource pools. Open two browsers, log in as “usera” and “userb” respectively, and check in the PVE Web interface that each user sees only the resources (virtual machines or storage) of their own pool.

Log in to both virtual machines over SSH and test whether they can reach each other with ping or SSH. Do not assume the answer: in a Simple zone the host is the gateway of every VNet and forwards packets so that SNAT works, so whether two tenants on the same host can reach each other depends on the host's routing and firewall rules, not only on their being in different zones. If the tenants must not see each other, add a datacenter or VM firewall rule and re-test.
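Steps 1 to 6 above are all Web-UI clicks, which is hard to review or repeat. The script below is an added example, not code from the original post or from Proxmox: it expresses the same two-tenant layout as the equivalent `pveum`, `pvesh` and `qm` commands, validates zone and VNet IDs against the 8-character limit before calling the API, and prints the commands instead of running them when `DRY_RUN=1` is set or `pvesh` is not installed. Zone, VNet, subnet, pool, group and user names are taken from the post; the VM IDs 101/102, the second VM's name, the VM sizes and the choice of the PVESDNUser/PVEVMUser roles are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Proxmox: the Web-UI
# steps 1-6 above expressed as the equivalent pveum / pvesh / qm commands, so
# the same two-tenant layout can be reproduced and reviewed as a script.
# Zone, VNet, subnet, pool, group and user names are taken from the post;
# the VM IDs 101/102, the name VM2 and the VM sizes are assumptions made
# for illustration. With DRY_RUN=1 (or when pvesh is not installed) the
# commands are printed instead of executed.

DRY_RUN="${DRY_RUN:-0}"

# run <command...>: execute, or print when dry-running
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_sdn_id <id>: PVE zone and VNet IDs are at most 8 characters,
# alphanumeric and start with a letter (the Web UI rejects anything else).
valid_sdn_id() {
    case "$1" in
        [a-zA-Z]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!a-zA-Z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# provision_tenant <zone> <vnet> <cidr> <gateway> <pool> <group> <user>
# Steps 1-5 for one tenant: pool, group, user (PVE realm), Simple zone,
# VNet, SNAT subnet, and the ACLs that tie the group to zone and pool.
provision_tenant() {
    zone="$1"; vnet="$2"; cidr="$3"; gw="$4"; pool="$5"; group="$6"; user="$7"
    valid_sdn_id "$zone" || { echo "invalid zone id: $zone" >&2; return 1; }
    valid_sdn_id "$vnet" || { echo "invalid vnet id: $vnet" >&2; return 1; }

    run pveum pool add "$pool"
    run pveum group add "$group"
    run pveum user add "$user@pve" --groups "$group"   # password: pveum passwd user@pve

    run pvesh create /cluster/sdn/zones --type simple --zone "$zone"
    run pvesh create /cluster/sdn/vnets --vnet "$vnet" --zone "$zone"
    run pvesh create "/cluster/sdn/vnets/$vnet/subnets" --type subnet \
        --subnet "$cidr" --gateway "$gw" --snat 1

    # PVESDNUser carries SDN.Use (attach NICs to this zone's VNets);
    # PVEVMUser on the pool lets the group see and operate its own VMs.
    run pveum acl modify "/sdn/zones/$zone" --groups "$group" --roles PVESDNUser
    run pveum acl modify "/pool/$pool" --groups "$group" --roles PVEVMUser
}

# create_vm <vmid> <name> <pool> <vnet>: step 6, a VM whose only NIC sits on
# the tenant's VNet bridge. Disk and ISO options are left to the installer.
create_vm() {
    run qm create "$1" --name "$2" --pool "$3" --net0 "virtio,bridge=$4" \
        --memory 2048 --cores 2
}

# Stand-alone run: both tenants from the post, then "Apply", then the VMs.
command -v pvesh >/dev/null 2>&1 || DRY_RUN=1
provision_tenant simple01 mvnet  192.168.99.0/24 192.168.99.1 mypool  mygrp usera
provision_tenant tsimple  vnet01 192.168.88.0/24 192.168.88.1 mypool1 bgrp  userb
run pvesh set /cluster/sdn        # the "Apply" button: activate the pending SDN config
create_vm 101 RRR mypool  mvnet
create_vm 102 VM2 mypool1 vnet01
```

The user is created without a password on purpose; set one interactively with `pveum passwd usera@pve` rather than putting it on the command line, where it would land in the shell history. The `pvesh set /cluster/sdn` call is what the “Apply” button does, and it must run before the VMs are created so that the bridges `mvnet` and `vnet01` exist.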

Behind SDN

After the SDN objects have been configured and applied in the Web interface, a text file named “sdn” is generated in the directory `/etc/network/interfaces.d` on the PVE host's Debian system.

Anyone who administers Linux will recognize its contents: for each VNet there is a bridge stanza with no physical ports (`bridge_ports none`), the host holds the subnet's gateway address on that bridge, and the “SNAT” checkbox turns into `post-up`/`post-down` hooks that add and remove an iptables `POSTROUTING` SNAT rule for the subnet. In other words, the isolation of a Simple zone is plain Linux bridging plus network address translation on the host.
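To see at a glance which VNets have an uplink and which prefixes the host NATs, the following added example (not from the original post or from Proxmox) parses the generated interface stanzas and prints one summary line per VNet. The sample file it falls back to is constructed here in the shape described above for the two VNets of this post, with an assumed host address 10.0.0.5 as the SNAT source; the exact lines your PVE version writes may differ slightly, so run it against the real `/etc/network/interfaces.d/sdn` as well.

```shell
#!/bin/sh
# Added example, not from the original post: audit the interface stanzas
# that SDN generates in /etc/network/interfaces.d/sdn. For a Simple zone
# each VNet becomes a Linux bridge with no physical port ("bridge_ports
# none"), the host holds the gateway address on it, and when SNAT is
# ticked a post-up hook adds an iptables POSTROUTING SNAT rule. The sample
# below is constructed in that shape for two VNets (10.0.0.5 is an assumed
# host address); the real file may differ slightly between PVE versions.

# sdn_audit <sdn-file>: one summary line per VNet stanza:
#   vnet=<name> gateway=<address> uplink=<bridge_ports> snat=<src>-><out>
# A VNet with uplink=none has no layer-2 path off the host; the only way
# out is via the host's gateway address, and only for the SNAT'ed prefix.
sdn_audit() {
    awk '
        function flush() {
            if (name != "")
                printf "vnet=%s gateway=%s uplink=%s snat=%s\n", name, gw, uplink, snat
            name = ""; gw = "none"; uplink = "none"; snat = "none"
        }
        $1 == "iface"        { flush(); name = $2 }
        $1 == "address"      { gw = $2 }
        $1 == "bridge_ports" { uplink = $2 }
        $1 == "post-up" && /-j SNAT/ {
            src = "?"; out = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") { src = $(i + 1); gsub("\047", "", src) }
                if ($i == "-o") out = $(i + 1)
            }
            snat = src "->" out
        }
        END { flush() }
    ' "$1"
}

# sample_sdn_file: write the constructed sample and print its path.
sample_sdn_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
auto mvnet
iface mvnet
        address 192.168.99.1/24
        post-up iptables -t nat -A POSTROUTING -s '192.168.99.0/24' -o vmbr0 -j SNAT --to-source 10.0.0.5
        post-down iptables -t nat -D POSTROUTING -s '192.168.99.0/24' -o vmbr0 -j SNAT --to-source 10.0.0.5
        bridge_ports none
        bridge_stp off
        bridge_fd 0

auto vnet01
iface vnet01
        address 192.168.88.1/24
        post-up iptables -t nat -A POSTROUTING -s '192.168.88.0/24' -o vmbr0 -j SNAT --to-source 10.0.0.5
        post-down iptables -t nat -D POSTROUTING -s '192.168.88.0/24' -o vmbr0 -j SNAT --to-source 10.0.0.5
        bridge_ports none
        bridge_stp off
        bridge_fd 0
EOF
    echo "$f"
}

# Stand-alone run: the real file if present, otherwise the sample.
if [ -r /etc/network/interfaces.d/sdn ]; then
    sdn_audit /etc/network/interfaces.d/sdn
else
    s=$(sample_sdn_file)
    sdn_audit "$s"
    rm -f "$s"
fi
```

Any VNet whose line shows `uplink=` other than `none`, or a `snat=` prefix wider than the subnet you configured, is worth a second look: the first means the bridge is patched into a physical network after all, the second means more source addresses get NATed than the tenant was given.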

Note that a Simple zone keeps traffic local to one node and is therefore suited to single-node PVE. In a cluster, use a VLAN zone instead; this requires the physical switches to carry the VLANs, at minimum a trunk port toward each node.
