Virtual Ethernet device
A virtual Ethernet (veth) device is an Ethernet device that can be used inside a VE. Unlike a venet network device, a veth device has a MAC address. Because of this, it can be used in configurations where veth is bridged to ethX or another device and the VPS user sets up the networking entirely on their own, including IPs, gateways, etc.
A virtual Ethernet device consists of two Ethernet devices: one in VE0 and another one in the VE. These devices are connected to each other, so a packet that goes into one device comes out of the other.
Differences between venet and veth
- veth allows broadcasts in the VE, so you can even run a DHCP server inside the VE, or a Samba server with domain broadcasts, and similar services.
- veth has some security implications, so it is not recommended in untrusted environments such as an HSP. This is due to broadcasts, traffic sniffing, possible IP collisions, etc.; i.e. a VE user can actually ruin your Ethernet network with such direct access to the Ethernet layer.
- With a venet device, only the node administrator can assign an IP to a VE. With a veth device, network settings can be configured entirely on the VE side. The VE must set up the correct gateway, IP/mask, etc., and the node admin can then only choose where the VE's traffic goes.
- veth devices can be bridged together and/or with other devices. For example, on the host system the admin can bridge the veth devices of 2 VEs with some VLAN eth0.X. In this case, these 2 VEs will be connected to this VLAN.
- The venet device is a bit faster and more efficient.
- With veth devices, IPv6 auto-generates an address from the MAC.
The brief summary:
Feature | veth | venet |
---|---|---|
MAC address | Yes | No |
Broadcasts inside VE | Yes | No |
Traffic sniffing | Yes | No |
Network security | low [1] | high |
Can be used in bridges | Yes | No |
Performance | fast | fastest |
[1] Due to broadcasts, sniffing, possible IP collisions, etc.
Virtual ethernet device usage
Adding veth to a VE
vzctl set <VEID> --veth_add <dev_name>,<dev_addr>,<ve_dev_name>,<ve_dev_addr>
Here:
- dev_name is the Ethernet device name in the host system
- dev_addr is its MAC address
- ve_dev_name is the Ethernet device name in the VE
- ve_dev_addr is its MAC address
MAC addresses must be entered in XX:XX:XX:XX:XX:XX format. Note that this option is incremental, so devices are added to already existing ones.
Examples
vzctl set 101 --veth_add veth101.0,00:12:34:56:78:9A,eth0,00:12:34:56:78:9B --save
After executing this command, a veth device will be created for VE 101 and the veth configuration will be saved to the VE configuration file. The host-side Ethernet device will have the name veth101.0 and the MAC address 00:12:34:56:78:9A. The VE-side Ethernet device will have the name eth0 and the MAC address 00:12:34:56:78:9B.
Note: Use random MAC addresses. Do not use MAC addresses of real eth devices, because this can lead to collisions.
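One way to follow the note above, as an added example that is not part of the original page: generate both MAC addresses at random and reject any that already exist on the host. The function names and the use of /sys/class/net to list host MACs are assumptions of this sketch; the veth101.0 and eth0 device names follow the page's example.

```sh
#!/bin/sh
# Added example: build a --veth_add argument whose MACs are in the
# XX:XX:XX:XX:XX:XX format and collide with nothing already on the host.

# Succeeds if $1 is in the format vzctl expects.
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print a random MAC: multicast bit (0x01) cleared, locally administered
# bit (0x02) set, so it cannot equal a vendor-assigned NIC address.
random_mac() {
    set -- $(od -An -N6 -tx1 /dev/urandom)
    first=$(( (0x$1 & 0xfc) | 0x02 ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6" |
        tr 'a-f' 'A-F'
}

# Succeeds if MAC $1 occurs (case-insensitively) in the newline list $2.
mac_collides() {
    printf '%s\n' "$2" | tr 'a-f' 'A-F' |
        grep -qxF "$(printf '%s' "$1" | tr 'a-f' 'A-F')"
}

# MACs of all interfaces currently on this host (empty if /sys is absent).
host_macs() {
    cat /sys/class/net/*/address 2>/dev/null || true
}

# Print "<dev_name>,<dev_addr>,<ve_dev_name>,<ve_dev_addr>" for VE $1.
# $2 (optional, used for testing) replaces the host's MAC list.
veth_add_arg() {
    used=${2-$(host_macs)}
    while :; do
        host_mac=$(random_mac)
        ve_mac=$(random_mac)
        [ "$host_mac" != "$ve_mac" ] || continue
        if mac_collides "$host_mac" "$used"; then continue; fi
        if mac_collides "$ve_mac" "$used"; then continue; fi
        printf 'veth%s.0,%s,eth0,%s\n' "$1" "$host_mac" "$ve_mac"
        return 0
    done
}

# Prints the command only; nothing is changed on the host.
echo "vzctl set 101 --veth_add $(veth_add_arg 101) --save"
```

The check only covers interfaces on the local host; MACs in use elsewhere on a bridged segment still have to be tracked separately.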
Removing veth from a VE
vzctl set <VEID> --veth_del <dev_name>
Here dev_name is the ethernet device name in the host system.
Example
vzctl set 101 --veth_del veth101.0 --save
After executing this command, the veth device with the host-side Ethernet name veth101.0 will be removed from VE 101 and the veth configuration will be updated in the VE config file.
Common configurations with virtual ethernet devices
The vzethdev module must be loaded to work with veth devices.
Simple configuration with virtual ethernet device
Start a VE
[host-node]# vzctl start 101
Add veth device to VE
[host-node]# vzctl set 101 --veth_add veth101.0,00:12:34:56:78:9A,eth0,00:12:34:56:78:9B --save
Configure devices in VE0
[host-node]# ifconfig veth101.0 0
[host-node]# echo 1 > /proc/sys/net/ipv4/conf/veth101.0/forwarding
[host-node]# echo 1 > /proc/sys/net/ipv4/conf/veth101.0/proxy_arp
[host-node]# echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
[host-node]# echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
Configure device in VE
[host-node]# vzctl enter 101
[ve-101]# /sbin/ifconfig eth0 0
[ve-101]# /sbin/ip addr add 192.168.0.101 dev eth0
[ve-101]# /sbin/ip route add default dev eth0
Add route in VE0
[host-node]# ip route add 192.168.0.101 dev veth101.0
Virtual ethernet device with IPv6
Start VE
[host-node]# vzctl start 101
Add veth device to VE
[host-node]# vzctl set 101 --veth_add veth101.0,00:12:34:56:78:9A,eth0,00:12:34:56:78:9B --save
Configure devices in VE0
[host-node]# ifconfig veth101.0 up
[host-node]# echo 1 > /proc/sys/net/ipv6/conf/veth101.0/forwarding
[host-node]# echo 1 > /proc/sys/net/ipv6/conf/eth0/forwarding
[host-node]# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
Configure device in VE
[host-node]# vzctl enter 101
[ve-101]# /sbin/ifconfig eth0 up
Start router advertisement daemon (radvd) for IPv6 in VE0
First you need to edit the radvd configuration file. Here is a simple example of /etc/radvd.conf:
interface veth101.0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    prefix 3ffe:2400:0:0::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 3;
    MaxRtrAdvInterval 10;
    AdvHomeAgentFlag off;
    prefix 3ffe:0302:0011:0002::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
    };
};
Then, start radvd:
[host-node]# /etc/init.d/radvd start
Add IPv6 addresses to devices in VE0
[host-node]# ip addr add dev veth101.0 3ffe:2400::212:34ff:fe56:789a/64
[host-node]# ip addr add dev eth0 3ffe:0302:0011:0002:211:22ff:fe33:4455/64
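The addresses above end in the modified EUI-64 interface identifier derived from each device's MAC, which is how an autoconfigured IPv6 address can be traced back to a specific veth device. The following is an added example, not part of the original page, that performs the derivation in both directions; the function names are assumptions, and 00:11:22:33:44:55 is the MAC implied by the eth0 address above rather than a value the page states.

```sh
#!/bin/sh
# Added example: MAC <-> modified EUI-64 interface identifier, as used by
# IPv6 stateless autoconfiguration on veth devices.

# Print the interface ID for MAC $1 as four groups without leading zeros.
eui64_from_mac() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    # Flip the universal/local bit (0x02) of the first octet, then insert
    # ff:fe between the third and fourth octets.
    first=$(( 0x$1 ^ 0x02 ))
    printf '%x:%x:%x:%x\n' \
        $(( (first << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# Recover the MAC from the last four groups of an autoconfigured address.
# Fails if the ff:fe marker is missing (address not derived from a MAC).
mac_from_eui64() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    g1=$(( 0x$1 )); g2=$(( 0x$2 )); g3=$(( 0x$3 )); g4=$(( 0x$4 ))
    [ $(( g2 & 0xff )) -eq 255 ] && [ $(( g3 >> 8 )) -eq 254 ] || return 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g1 >> 8) ^ 0x02 )) $(( g1 & 0xff )) $(( g2 >> 8 )) \
        $(( g3 & 0xff )) $(( g4 >> 8 )) $(( g4 & 0xff ))
}

# The page's host-side veth MAC and the identifier used for veth101.0.
echo "00:12:34:56:78:9A -> $(eui64_from_mac 00:12:34:56:78:9A)"
echo "211:22ff:fe33:4455 -> $(mac_from_eui64 211:22ff:fe33:4455)"
```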
Virtual ethernet devices can be joined in one bridge
Perform steps 1-4 from the "Simple configuration with virtual ethernet device" section for several VEs and/or veth devices
Create bridge device
[host-node]# brctl addbr vzbr0
Add veth devices to bridge
[host-node]# brctl addif vzbr0 veth101.0
...
[host-node]# brctl addif vzbr0 veth101.n
[host-node]# brctl addif vzbr0 veth102.0
...
...
[host-node]# brctl addif vzbr0 vethXXX.N
Configure bridge device
[host-node]# ifconfig vzbr0 up
[host-node]# echo 1 > /proc/sys/net/ipv4/conf/vzbr0/forwarding
[host-node]# echo 1 > /proc/sys/net/ipv4/conf/vzbr0/proxy_arp
Add routes in VE0
[host-node]# ip route add 192.168.101.1 dev vzbr0
...
[host-node]# ip route add 192.168.101.n dev vzbr0
[host-node]# ip route add 192.168.102.1 dev vzbr0
...
...
[host-node]# ip route add 192.168.XXX.N dev vzbr0
This gives you a more convenient configuration: all routes to the VEs go through this bridge, and the VEs can communicate with each other even without these routes.
Virtual ethernet devices + VLAN
This configuration can be done by adding a VLAN device to the previous configuration.