From mboxrd@z Thu Jan 1 00:00:00 1970
From: Aaron Lauterer
To: Proxmox VE development discussion, Stefan Hanreich, Alexandre Derumier
Date: Thu, 14 Nov 2024 11:29:25 +0100
Subject: Re: [pve-devel] [PATCH pve-network 0/7] add dhcp support for all zones
References: <20231219083216.2551645-1-aderumier@odiso.com>

A few thoughts from my side after an in-person talk with Stefan.

On 2024-11-13 20:09, Stefan Hanreich wrote:
> I can see this working with Simple and EVPN zone where the host has an
> IP because it is acting as a gateway.
>
> But for VLAN / QinQ / VXLAN the way it is currently implemented is
> confusing imo, since we are 'abusing' the gateway field for what is
> essentially a bind address for dnsmasq.

In these cases, we should hide the gateway option in the zone settings as it doesn't apply at all!

> There is already 'dhcp-dns-server' which configures the DNS server that
> dnsmasq sends. Maybe we could add 'dhcp-default-gateway' as well, so
> users can configure a default gateway that dnsmasq should send for those
> zones if they have a central external firewall in that VLAN.
>
> And then maybe make the bind address explicit for VLAN / VXLAN / QinQ by
> moving it from gateway to 'dhcp-bind-address' and document that this
> address is then reserved? This would also solve the IPv6 issue, wouldn't it?

Yep, having it as DHCP options for the subnet would probably be the best place in the GUI.

* Gateway
* DNS Server(s)
* DHCP Listening Address

The DHCP listening address would need to be mandatory, while the gateway and DNS server announcements are optional.
> Another issue is that the host is sending itself as default gateway and
> DNS server in those zones, which we should probably not do (we turn off
> forwarding on the interfaces, but it also overwrites resolv.conf, which
> can be quite confusing I think). That should be easy to change (I have
> it on my machine already).

If we stick with VLANs as example (should apply for VXLAN & QinQ as well), we usually have the gateway and DNS servers outside the PVE host. Think of the router/firewall in which all VLANs terminate. The DNS server could be on the router/firewall but also on a different machine in the network.

We probably don't want to announce any gateway & DNS if those settings are empty, just hand out IPs.

> I have the changes ready on my machine, but I wanted to ask for your
> opinion as well, I can also just send them tomorrow and you can review
> them if you like.

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
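To make the proposed option semantics concrete, here is an added illustration (not pve-network code; the function name and option set are assumptions) that renders a dnsmasq fragment for one subnet from a mandatory listening address plus optional gateway and DNS announcements. When gateway or DNS are left empty the matching DHCP option is explicitly suppressed, so dnsmasq does not fall back to announcing the host itself; the listening address must sit inside the subnet but outside the handed-out range, i.e. it is reserved.

```python
import ipaddress

# Added illustration, not Proxmox SDN code: render one dnsmasq subnet fragment
# from the option set discussed in the thread (listening address mandatory,
# gateway and DNS server announcements optional).
def dnsmasq_subnet_fragment(subnet, dhcp_range, listen_address,
                            gateway=None, dns_servers=()):
    net = ipaddress.ip_network(subnet, strict=True)
    listen = ipaddress.ip_address(listen_address)
    if listen.version != net.version or listen not in net:
        raise ValueError(f"listen address {listen} is not inside {net}")
    start, end = (ipaddress.ip_address(a) for a in dhcp_range)
    if start not in net or end not in net or start > end:
        raise ValueError(f"dhcp range {dhcp_range} must lie inside {net}")
    if start <= listen <= end:
        # the bind address is reserved: never hand it out to a client
        raise ValueError(f"listen address {listen} overlaps the dhcp range")
    for d in dns_servers:
        ipaddress.ip_address(d)  # may be outside the subnet, must still parse
    lines = [
        f"listen-address={listen}",        # bind here, not on a 'gateway'
        f"dhcp-range={start},{end}",
    ]
    if net.version == 4:
        if gateway:
            gw = ipaddress.ip_address(gateway)
            if gw not in net:
                raise ValueError(f"gateway {gw} is not inside {net}")
            lines.append(f"dhcp-option=option:router,{gw}")
        else:
            # dnsmasq documents that an option given with no value is not
            # sent at all; otherwise it would announce its own address as
            # default router (option 3) and DNS server (option 6).
            lines.append("dhcp-option=3")
        if dns_servers:
            lines.append("dhcp-option=option:dns-server," + ",".join(dns_servers))
        else:
            lines.append("dhcp-option=6")
    else:
        if gateway:
            # DHCPv6 carries no router option; the gateway comes from RAs
            raise ValueError("gateway is not a DHCPv6 option")
        if dns_servers:
            # dnsmasq writes IPv6 addresses in option values in brackets
            lines.append("dhcp-option=option6:dns-server,"
                         + ",".join(f"[{a}]" for a in dns_servers))
    return lines
```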