Virtual Switch (advanced functionality)

Tell us your most wanted features from QNAP products.
bekax5
Starting out
Posts: 20
Joined: Wed Dec 21, 2016 1:01 am

Virtual Switch (advanced functionality)

Post by bekax5 »

I'd like to request some "advanced" functionality to be added on the virtual switch.

Given that these are used together with the QNAP hypervisor, they should support basic network functions so that VMs could use the network as they should.

For example, there is no way to really dedicate a NIC to a VM!
More specifically, every unicast packet without the VM's IP is dropped. And why does this happen if the VM has no IP since it's in promiscuous mode? It should receive on its interface everything that has been sent to the QNAP physical interface!
Thus, the VM can't correctly use promiscuous mode, because the virtual switch drops the packets!
I believe the correct network mode should be "external-mode" according to QNAP. However, this isn't in fact a dedicated mode, since the QNAP vswitch controller appears to give instructions to drop packets whenever it "thinks" that the IP isn't inside of the QNAP.


So either:
- Fix the External-Mode, so it doesn't drop packets (this should be dealt by the VM and not the virtual switch with IP 0.0.0.0)
- Add support for Promiscuous Mode
- Add support for VM dedicated NIC


These are some really basic functions that I can't believe aren't yet working on QNAP devices!
It's crazy to think there is a hypervisor but there's no way to force traffic to a VM or an interface!
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Virtual Switch (advanced functionality)

Post by Don »

As stated many times this is a community forum and not QNAP support. You need to open a ticket with QNAP for feature requests.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
bekax5
Starting out
Posts: 20
Joined: Wed Dec 21, 2016 1:01 am

Re: Virtual Switch (advanced functionality)

Post by bekax5 »

There's still a request for two features to be added, and I believe it's the correct forum section?
- Add support for Promiscuous Mode
- Add support for VM dedicated NIC

But maybe I could've kept the "broken" external-mode apart from this topic.

Edit:
My objective was exactly to monitor network traffic in Virtualization Station.
According to the support website and on a previous QTS version this was possible:
https://www.qnap.com/en-us/how-to/tutor ... on-station
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Virtual Switch (advanced functionality)

Post by schumaku »

bekax5 wrote:There's still a request for two features to be added, and I believe it's the correct forum section?
Yes, it's the only place where other community members can see feature requests. Please don't forget to file the feature request (on all three items) with https:/hdelpdesk.qnap.com/ too.
bekax5 wrote:My objective was exactly to monitor network traffic in Virtualization Station.
This was not a difficult guess.
bekax5 wrote:According to the support website and on a previous QTS version this was possible: (URL)
Absolutely correct - we were able to have a fully transparent interface before the Virtual Switch was forced in.
bekax5
Starting out
Posts: 20
Joined: Wed Dec 21, 2016 1:01 am

Re: Virtual Switch (advanced functionality)

Post by bekax5 »

schumaku wrote:
bekax5 wrote:There's still a request for two features to be added, and I believe it's the correct forum section?
Yes, it's the only place where other community members can see feature requests. Please don't forget to file the feature request (on all three items) with https:/hdelpdesk.qnap.com/ too.
bekax5 wrote:My objective was exactly to monitor network traffic in Virtualization Station.
This was not a difficult guess.
bekax5 wrote:According to the support website and on a previous QTS version this was possible: (URL)
Absolutely correct - we were able to have a fully transparent interface before the Virtual Switch was forced in.
Thanks for the reply.

I submitted the ticket about the dedicated mode.
I'm not sure though if there is a subsection where one can request features?
I submitted under the virtual switch, since I couldn't find a better topic for it.
zeeohsix
Starting out
Posts: 15
Joined: Wed Jul 24, 2019 11:32 am

Re: Virtual Switch (advanced functionality)

Post by zeeohsix »

I hate to raise the dead with this post, but I didn't see that it was ever answered, and I was looking for similar functionality. Here is my scenario and the answer:

My scenario is the WAN interface on my pfSense appliance being SPANed to the 2nd ethernet interface on my TS-251+. That physical interface is connected to a second v-switch in 'external mode' where the switch has no IP assigned. The only VM connected to that switch is an OSSIM machine in Virtualization Station for the purpose of SIEM. This OSSIM interface is for sniffing and analyzing traffic that hits the WAN interface in either direction. Initially, the traffic doesn't make it to OSSIM because of the v-switch. I expected this behavior since I've been a network engineer for 15 years.

The problem: Switches forward traffic based on the destination MAC address of received frames, and a table that contains known MAC addresses and the interfaces those addresses are known on. The switch learns the MAC addresses of the SPAN traffic from the upstream interface and even knows that those MACs aren't directly connected. The problem is that the switch is doing its job. It knows where the MAC addresses reside in relation to itself.

This command shows that the switch knows two directly connected devices (local) and others that are not (the SPAN traffic):

[~] # brctl showmacs qvs1
port no    mac addr             is local?    ageing timer
   1       00:08:a2:0f:64:eb    no             0.01
   1       24:5e:be:31:7c:92    yes            0.00
   1       dc:eb:94:b5:60:22    no             0.01
   2       fe:54:00:96:7e:a6    yes            0.00


The solution: If a switch receives a frame with a destination MAC address it does not know about, it will flood the frame out of every interface. The MAC table entries have a timer to accommodate changes in the infrastructure, such as devices powering off, changing interfaces, etc. This keeps frames from continuing to be sent to a destination that no longer exists. As long as the MACs continue to be received, the timer stays fresh and the MACs stay known. Luckily, it can be broken because the timer is configurable! If the timer is set to zero, the MACs are never learned, and the traffic is finally flooded down to the OSSIM VM. It doesn't turn the switch into a hub, because logic is still involved from start to finish of each frame, and each interface is still a separate collision domain.

How to set the MAC age timeout: brctl setageing <brname> 0

<brname> is the name of the switch you'd like to configure. Use 'brctl show' to list them via CLI.

The result:

[~] # brctl showmacs qvs1
port no    mac addr             is local?    ageing timer
   1       24:5e:be:31:7c:92    yes            0.00
   2       fe:54:00:96:7e:a6    yes            0.00

The switch no longer knows of the non-local MAC addresses, thus flooding SPAN frames down to the OSSIM VM interface. Lovely.
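The following POSIX shell script is an added example, not code from the thread or from QNAP. It parses `brctl showmacs` output in the layout shown in the post above (the MAC table below is a constructed sample that mirrors the "before" table) and reports whether the bridge has learned any non-local MACs, which is exactly the condition that keeps SPAN frames from reaching the monitoring VM. It also reads the bridge ageing time from sysfs; the path `/sys/class/net/<br>/bridge/ageing_time` and the bridge name `qvs1` are assumptions about a Linux-based NAS, and the value is in centiseconds on the systems I know. Keep in mind that with ageing set to 0 every port on that vswitch receives every unknown-unicast frame, so the setup only makes sense when, as in the post, the sniffer VM is the only guest on that switch.

```shell
#!/bin/sh
# Added example (not QNAP's or the poster's code): inspect a bridge MAC table
# in `brctl showmacs` format and decide whether SPAN traffic will be flooded
# to the sniffer VM or switched away from it.

# Constructed sample, same column layout as `brctl showmacs qvs1` in the post.
SAMPLE_MACS='port no    mac addr             is local?    ageing timer
   1       00:08:a2:0f:64:eb    no             0.01
   1       24:5e:be:31:7c:92    yes            0.00
   1       dc:eb:94:b5:60:22    no             0.01
   2       fe:54:00:96:7e:a6    yes            0.00'

# count_nonlocal_macs: read showmacs output on stdin and print how many
# entries were learned from hosts that are not directly attached ("no").
# Column 3 is "is local?"; the header line (NR == 1) is skipped.
count_nonlocal_macs() {
    awk 'NR > 1 && $3 == "no" { n++ } END { print n + 0 }'
}

# nonlocal_ports: print the distinct bridge port numbers on which non-local
# MACs were learned, one per line (the uplink carrying the SPAN feed).
nonlocal_ports() {
    awk 'NR > 1 && $3 == "no" { print $1 }' | sort -u
}

# bridge_ageing_centisecs: read the kernel bridge ageing time via sysfs.
# Assumption: Linux bridge, value in centiseconds; 0 means the bridge never
# learns, so unknown unicast is flooded to every port. Prints "unknown" when
# the bridge does not exist (for example when run off-box).
bridge_ageing_centisecs() {
    br="$1"
    f="/sys/class/net/$br/bridge/ageing_time"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo unknown
    fi
}

# check_span_feed: read showmacs output on stdin; return 0 when no non-local
# MAC is learned (SPAN frames are flooded to the sniffer VM), 1 otherwise.
check_span_feed() {
    n=$(count_nonlocal_macs)
    if [ "$n" -eq 0 ]; then
        echo "ok: no non-local MACs learned; unknown unicast is flooded"
        return 0
    fi
    echo "learned $n non-local MAC(s); the bridge is switching, not flooding"
    echo "hint: brctl setageing <brname> 0 (assumed bridge name: qvs1)"
    return 1
}

# Demo on the constructed sample; on the NAS you would instead pipe the live
# table in:  brctl showmacs qvs1 | check_span_feed
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MACS" | check_span_feed
    printf 'ports with non-local MACs: %s\n' \
        "$(printf '%s\n' "$SAMPLE_MACS" | nonlocal_ports | tr '\n' ' ')"
    echo "ageing_time on qvs1 (centiseconds): $(bridge_ageing_centisecs qvs1)"
fi
```

Run it with `sh script.sh --demo` to see the verdict on the constructed table; sourcing the file and piping real `brctl showmacs` output into `check_span_feed` gives the same check on a live bridge, and `bridge_ageing_centisecs qvs1` confirms whether the `setageing 0` change actually took effect.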