fix(sdn-controller): use correct bridge address to create tunnels (#5281)

Fixes xoa-support#2919

CHANGELOG.unreleased.md

@@ -22,6 +22,7 @@
 - [Self/VDI migration] Fix `not enough permissions` error (PR [#5299](https://github.com/vatesfr/xen-orchestra/pull/5299))
 - [Home] Hide backup filter for non-admin users [#5285](https://github.com/vatesfr/xen-orchestra/issues/5285) (PR [#5264](https://github.com/vatesfr/xen-orchestra/pull/5264))
 - [Backup/S3] Fix request signature error [#5253](https://github.com/vatesfr/xen-orchestra/issues/5253) (PR[#5315](https://github.com/vatesfr/xen-orchestra/pull/5315))
+- [SDN Controller] Fix tunnel traffic going on the wrong NIC: see https://xcp-ng.org/forum/topic/3544/mtu-problems-with-vxlan. (PR [#5281](https://github.com/vatesfr/xen-orchestra/pull/5281))
 
 ### Packages to release
 
@@ -40,6 +41,7 @@
 >
 > In case of conflict, the highest (lowest in previous list) `$version` wins.
 
+- xo-server-sdn-controller patch
 - xo-server-backup-reports patch
 - xo-server minor
 - xo-web minor

docs/sdn_controller.md

@@ -36,7 +36,7 @@ In the network creation view:
 
 :::tip
 
-- All hosts in a private network must be able to reach the other hosts' management interface.
+- All hosts in a private network must be able to reach the other hosts' management interface and all hosts must be able to reach one another on the interface selected for private networks creation.
   > The term ‘management interface’ is used to indicate the IP-enabled NIC that carries the management traffic.
 - Only 1 encrypted GRE network and 1 encrypted VxLAN network per pool can exist at a time due to Open vSwitch limitation.
   :::

packages/xo-server-sdn-controller/src/private-network/private-network.js

@@ -1,3 +1,4 @@
+import assert from 'assert'
 import createLogger from '@xen-orchestra/log'
 import { filter, forOwn, sample } from 'lodash'
 
@@ -61,13 +62,39 @@ export class PrivateNetwork {
       otherConfig['xo:sdn-controller:encrypted'] === 'true'
         ? createPassword()
         : undefined
+    const pifDevice = otherConfig['xo:sdn-controller:pif-device']
+    const pifVlan = +otherConfig['xo:sdn-controller:vlan']
+    const hostPif = hostClient.host.$PIFs.find(
+      pif =>
+        pif?.device === pifDevice &&
+        pif.VLAN === pifVlan &&
+        pif.ip_configuration_mode !== 'None'
+    )
+    const centerPif = centerClient.host.$PIFs.find(
+      pif =>
+        pif?.device === pifDevice &&
+        pif.VLAN === pifVlan &&
+        pif.ip_configuration_mode !== 'None'
+    )
+    assert(hostPif !== undefined, 'No PIF found', {
+      privateNetwork: this.uuid,
+      pifDevice,
+      pifVlan,
+      host: host.name_label,
+    })
+    assert(centerPif !== undefined, 'No PIF found in center', {
+      privateNetwork: this.uuid,
+      pifDevice,
+      pifVlan,
+      host: this.center.name_label,
+    })
 
     let bridgeName
     try {
       ;[bridgeName] = await Promise.all([
         hostClient.addInterfaceAndPort(
           network,
-          centerClient.host.address,
+          centerPif.IP,
           encapsulation,
           vni,
           password,
@@ -75,7 +102,7 @@ export class PrivateNetwork {
         ),
         centerClient.addInterfaceAndPort(
           centerNetwork,
-          hostClient.host.address,
+          hostPif.IP,
           encapsulation,
           vni,
           password,