MonkWho / pfatt

Enable true bridge mode for AT&T U-Verse and pfSense (this is a fork of an original repository https://github.com/aus/pfatt. Since it is not available anymore, I'll do my best to maintain a copy for people that still need a bypass)

Proxmox support with no PCI passthrough #59

Open rdelcorro opened 2 years ago

rdelcorro commented 2 years ago

Some people can't make PCI passthrough work due to hardware reasons. The readme says that there is an option for this case:

You can also solve the EAP/802.1X and VLAN0/802.1Q problem by setting the group_fwd_mask and creating a vlan0 interface to bridge to your VM. See Other Methods below.

Is it possible to explain a bit on how you would do this? I can directly attach the USB dongle but not the main PCI interface, as my Proxmox breaks if I try to.

A-vesalius commented 2 years ago

I do this with Proxmox and an OPNsense VM as well as a VyOS VM to bridge across a BGW210. You still need 3 NICs, and cables connected as pfatt describes, but no netgraph. Use whatever interface names you have, but I'll call them eth0 (connected to ONT_IF), eth1 (connected to RG_IF), and LAN can be whatever Proxmox IF/vmbr you choose as normal. You then create 2 Proxmox Linux bridges through the Proxmox GUI or by editing /etc/network/interfaces (you will need to edit this file to add the necessary post-up command); I'll call them vmbr10 and vmbr11.

```
auto vmbr10
iface vmbr10 inet manual
    bridge-ports eth0.0
    bridge-stp off
    bridge-fd 0
# Vlan0 to ONT AT&T bypass

auto vmbr11
iface vmbr11 inet manual
    bridge-ports eth0 eth1
    bridge-stp off
    bridge-fd 0
    post-up echo 8 > /sys/class/net/vmbr11/bridge/group_fwd_mask
# bridge RG to ONT for EAP Auth
```

`post-up echo 8 > /sys/class/net/vmbr*/bridge/group_fwd_mask` allows the EAP-auth magic to occur. This specific Proxmox Linux bridge (vmbr11 in this example) will not be used directly by any VM (in fact I hide it from my Proxmox GUI by creating a file named eap_auth in /etc/network/interfaces.d using br0 as the bridge name), but that is not necessary. Give your virtual router the vlan0 bridge (vmbr10 in this example) to use as WAN. You can spoof the RG MAC address either at the Proxmox router VM network device level or within the *sense WAN setup in your case.

rdelcorro commented 2 years ago

I have set up the config as directed: [image]

While running tcpdump on Proxmox I can see that EAPOL from the GW is not being forwarded as intended. I also checked group_fwd_mask and it's correctly set.

GW ONT interface: [image]

WAN interface (connected to fiber ONT): [image]

As you can see, the external ONT is sending some EAPOL messages and the firewall is trying to do DHCP but since the first packet was not bridged it does not succeed.

Is there anything you may think is missing? Do I need to do a reboot of the host at some point? Changes were applied successfully, as I did restart the network.

A-vesalius commented 2 years ago

I assume enx3c8cf8ebc108 is the USB dongle? I'll be honest that I have only used this with onboard or PCI NICs. I would at least try unplugging and replugging the ONT and RG with Proxmox and the USB already initialized and up and running, in case the USB is slower to power up and start relative to the NICs.

natebc commented 2 years ago

@rdelcorro I know this is an old thread/issue but I hit this problem as well and in my case it turned out that the VM inside proxmox is actually attached to a SECOND bridge that also needed to have the group mask set.

In my case this was fwbr500i2; the name is formatted fwbr<VMID>i<N>, so this is for the second interface on VM ID 500. Once I set 0x8 into /sys/class/net/fwbr500i2/bridge/group_fwd_mask.
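The `echo 8 > .../group_fwd_mask` line in A-vesalius's config above and the extra fwbr<VMID>i<N> bridge natebc found both come down to one check: does bit 3 (0x8, the 01-80-C2-00-00-03 EAPOL group address) appear in the group_fwd_mask of every bridge sitting between the ONT port and the router VM? The POSIX sh script below is an added example, not code from the pfatt project or from anyone in this thread. It audits a list of bridges and enables the bit by OR-ing it into the current mask instead of overwriting it. The sysfs root is a parameter (normally `/sys`) so the same functions can be exercised against a scratch directory; the bridge names vmbr10, vmbr11 and fwbr500i2 are taken from the thread purely as illustration.

```shell
#!/bin/sh
# Added example (not pfatt code, not from this thread). Audits Linux bridges for
# the 802.1X/EAPOL bit in group_fwd_mask and enables it without clobbering other
# bits. SYSROOT is normally /sys; it is a parameter so the logic can run offline.

EAPOL_BIT=8      # 0x8 = bit 3 -> 01-80-C2-00-00-03, the 802.1X PAE group address
RESTRICTED=7     # bits 0-2 (STP, pause frames): the kernel rejects a mask containing them

# mask_allows_eapol MASK : exit 0 when MASK ("0x8", "8", "0x4008", ...) has bit 3 set
mask_allows_eapol() {
    [ -n "$1" ] || return 1
    # $(( )) accepts C-style hex constants, which is how sysfs prints the mask
    [ $(( ($1) & EAPOL_BIT )) -ne 0 ]
}

# mask_path SYSROOT BRIDGE : sysfs file holding the bridge's group_fwd_mask
mask_path() {
    printf '%s/class/net/%s/bridge/group_fwd_mask' "$1" "$2"
}

# read_mask SYSROOT BRIDGE : print the current mask; fail if BRIDGE is not a bridge
read_mask() {
    f=$(mask_path "$1" "$2")
    [ -r "$f" ] || return 1
    read -r m < "$f" && printf '%s' "$m"
}

# audit_bridges SYSROOT BRIDGE... : one line per bridge; exit 1 if any drops EAPOL
audit_bridges() {
    root=$1; shift
    rc=0
    for br in "$@"; do
        if ! cur=$(read_mask "$root" "$br"); then
            printf '%-12s missing (not a bridge, or VM not running?)\n' "$br"
            rc=1; continue
        fi
        if mask_allows_eapol "$cur"; then
            printf '%-12s %-8s EAPOL forwarded\n' "$br" "$cur"
        else
            printf '%-12s %-8s EAPOL DROPPED\n' "$br" "$cur"
            rc=1
        fi
    done
    return $rc
}

# enable_eapol SYSROOT BRIDGE : OR 0x8 into the existing mask (a plain "echo 8 >"
# would discard bits already set, e.g. bit 14 for LLDP); prints the resulting mask
enable_eapol() {
    cur=$(read_mask "$1" "$2") || return 1
    new=$(( (cur | EAPOL_BIT) & ~RESTRICTED ))
    printf '0x%x\n' "$new" > "$(mask_path "$1" "$2")"
    printf '0x%x' "$new"
}

# Usage on a Proxmox host, as root, once the router VM (ID 500 here) is running:
#   audit_bridges /sys vmbr10 vmbr11 fwbr500i2 || enable_eapol /sys fwbr500i2
```

Two points the functions encode: the kernel returns EINVAL for any mask that includes bits 0-2, so `enable_eapol` clears them before writing; and the fwbr bridges only exist while the VM's NIC is up with the Proxmox firewall option enabled, so a `post-up` line in /etc/network/interfaces cannot cover them and the audit has to run after the VM has started.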

gpz1100 commented 1 year ago

@natebc I ran into this as well. Thanks @A-vesalius for pointing me to this thread.

Any thoughts why some users can get away without having to set the fwbr.... flag while others have to set it?

Perhaps the physical NIC has something to do with it? I had to set this on an i211 NIC.