Overview
Improve the Cilium configuration on Genmachine (Talos) with BGP control plane, Maglev load balancing, and native routing mode — replacing MetalLB L2 announcements with a more scalable approach.
Current state
Cilium is deployed with L2 announcements (MetalLB-compatible mode) and VXLAN overlay.
Proposed improvements
BGP Control Plane (replaces MetalLB)
cilium:
  bgpControlPlane:
    enabled: true
    # Announce LoadBalancer IPs via BGP to the router
This needs a CiliumBGPPeeringPolicy pointing at the home router (if it supports BGP — e.g., pfSense, OPNsense, or a Mikrotik). It eliminates the need for separate L2 announcements.
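As an added example (not a manifest from this repo or from the szinn config it cites), the two resources the BGP control plane needs: an IP pool that hands out LoadBalancer addresses, and the peering policy that announces them to the router. The ASNs, the router address, the pool CIDR and the node/service labels are placeholders to adjust for the LAN. The policy is scoped deliberately: only labelled nodes open a session and only labelled services are advertised, so an accidental LoadBalancer service does not end up routable from the rest of the network.

```yaml
# Added example, not from the issue. All addresses, ASNs and labels are
# placeholders; they are not values used on Genmachine.
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: genmachine-lb-pool
spec:
  blocks:
    - cidr: 10.0.50.0/24   # placeholder: range handed to LoadBalancer services
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeeringPolicy
metadata:
  name: genmachine-router
spec:
  # Only nodes carrying this label peer with the router, so the set of
  # BGP speakers is explicit rather than every node in the cluster.
  nodeSelector:
    matchLabels:
      bgp: enabled
  virtualRouters:
    - localASN: 64512        # placeholder private ASN for the cluster
      # With native routing and autoDirectNodeRoutes, node-to-node pod routes
      # are installed by Cilium itself; the router does not need the pod CIDRs.
      exportPodCIDR: false
      # Advertise only services that opt in, not every LoadBalancer service.
      serviceSelector:
        matchLabels:
          bgp-advertise: "true"
      neighbors:
        - peerAddress: 192.168.1.1/32   # placeholder: the home router's LAN address
          peerASN: 64513                # placeholder: ASN configured on the router
```

Check the Cilium version before applying: CiliumBGPPeeringPolicy is the v2alpha1 resource, and newer releases steer towards the BGPv2 resources (CiliumBGPClusterConfig and friends), so the same intent may need to be expressed with those instead. `cilium bgp peers` from the CLI shows whether the session to the router came up.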
Native routing mode (no overlay)
routingMode: native
autoDirectNodeRoutes: true
ipv4NativeRoutingCIDR: 10.0.0.0/8
Removes VXLAN encapsulation overhead. Pod traffic is routed directly between nodes. Requires all nodes to be on the same L2 segment (which they are on Proxmox).
Maglev load balancing
loadBalancer:
  algorithm: maglev
  mode: dsr   # Direct Server Return
Maglev provides consistent hashing (connections stick to the same backend through scaling events). DSR means reply traffic from pods goes directly to the client, bypassing the LB node — better throughput for high-bandwidth services.
Bandwidth manager with BBR
bandwidthManager:
  enabled: true
  bbr: true
Compatibility notes
- Native routing requires Linux 5.10+ ✅ (Talos uses recent kernels)
- DSR mode works with direct node routing ✅
- L2 announcements can be kept alongside BGP during transition
Reference
- Inspired by szinn/k8s-homelab Cilium config
- Manifest location: gitops/manifests/cilium/genmachine/genmachine-values.yaml