Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
s
stale-painting-80203
03/22/2023, 11:19 PMI have gone through the Harvester docs, but it's unclear how I can setup networking to achieve the following: I have a server with single interface. LB VM which need to be accessed from the internet and several VMs behind the LB whose IP need to be on a private subnet (these VM need outgoing connection, but not incoming). Anyone know how this can be setup?
r
refined-analyst-8898
03/23/2023, 1:17 AMIt sounds like you're wondering if a single metal NIC will be too limiting and prevent you from having some VMs that are reachable from the internet and other VMs that are behind a private LB.
I don't think a single NIC will necessarily prevent you from doing that.
The VMs behind the private LB would need to be on a Harvester network, perhaps a tagged network/VLAN.
The exposed LB VM would have to have a public IP or be the target of a port forward from a public IP. This VM need to be on a Harvester network that's reachable by that method.
s
stale-painting-80203
03/23/2023, 1:56 AMNot concerned about the single NIC, and creating a VM exposed to the internet. I don’t have a VLAN switch, but I can create an untagged network. The issue is how do I configure the VMs to be on a private network, but allow the LB to still connect to them?
r
refined-analyst-8898
03/23/2023, 2:06 AMMy home lab doesn't have any metal VLANs available either. You've reminded me of a question I need to answer for myself too.
Do Harvester tagged networks require a VLAN metal switch, or is it a virtual-virtual-LAN?
I think it's the latter. I was confused at first because the VM I created on the tagged network showed a yellow pill like "DHCP failed", but then I learned that DHCP is not provided, and so there was no DHCP server on the same VLAN.
I will try it with a DHCP server to see if I can operate on the virtual Harvester-defined tagged network/VLAN.
Great news, it works.
No need for a "VLAN switch" at all. The VLAN is defined inside the Harvester network. It is necessary to provide a DHCP server or assign static addresses to interfaces in the network of type L2VlanNetwork.
Although DHCP worked I did not succeed at routing traffic from LAN to WAN through pfSense. I'm not sure yet whether it's a problem with the router configuration or a Harvester configuration.
s
stale-painting-80203
03/23/2023, 5:18 AMI am not using DHCP. I will be using static IPs, but in any case just seems difficult to create private subnets on Harvester
r
refined-analyst-8898
03/24/2023, 2:13 AMI'm still having some difficulty with this too.
I found that packets transmitted in the untagged network were received in the tagged network, and vice versa. The VLAN had a DHCP server that was issuing leases to devices on the untagged network. It seems like that should not be possible.
This leads me to think the Ethernet frames are not isolated by Harvester. I'm still not certain whether it's necessary to have a VLAN-aware metal switch attached to the Harvester node's NIC.
ref: https://docs.harvesterhci.io/v1.1/networking/deep-dive/I'm