Linux VLAN Bridge

I

itobin

Active Member
Apr 18, 2019
52
5
28
44
Hi,

im trying to create a new VLAN interface for my VMs

Im not using a VLAN aware bridge, I want to create a dedicated VLAN interface that I select when adding a NIC to the VM, pretty much like VMWare.

When i create the Linux VLAN, presumably its better to assign it to the NIC rather than the vmbr? which i have done and i can see it in the list of interfaces.

However on the VM it doesnt appear as an interface to choose, am i missing something?

Im running v 6.4-8

thanks!

Ian
 
You will always have to use a vmbr in some form to connect the VM NICs to. Think of the bridge as a virtual switch. Now you can set the VLAN ID on the VMs NIC or if you want to have dedicated vmbr for certain VLANs, you can create a new vmbr (comments are useful to indentify them) and either use the bridge port in dot notation to set the vlan of the vmbr, eg: eno1.20 for vlan 20. The other option would be to use the newly created vlan interface as bridge port.
 
Hi,

thanks for the response, so im a little confused on the purpose of the option Linux VLAN which i have created.

1624560165976.png

this is an example of one i want to create for mangement, so from here how would the VMs see this in the config options? Physical switch side, i have tagged the ports etc.

thanks

Ian
 
ok i think i understand a bit more now, so i have done this

1624560759787.png

so essentially, create VLAN and assign to nic, create new VMBR and bridge to VLAN just created.
 
Yes, that will work. But using just one vlan aware bridge and setting up the VLANID for each virtual NIC would be way more elegant.
 
Dunuin said:
Yes, that will work. But using just one vlan aware bridge and setting up the VLANID for each virtual NIC would be way more elegant.
Click to expand...
yeah i hear you.

other than the method i suggested, what would be the point in the Linux VLAN if its a long winded way of setting up? maybe its premature at this stage.
 
Linux VLAN interfaces are still useful if you want to give the host a IP in an VLANs subnet.
Using a single vlan aware bridge is more elegant because you don't need 10 extra VLAN interfaces and 10 extra bridges if you want to attach VMs to 10 different vlans. That also means that external monitoring tools need to monitor 20 additional interfaces, you get way longer outputs using CLI commands and so on. And each time you need a new vlan you need to edit the hosts network configuration and add new vlan interfaces and bridges.
With vlan aware bridges you just create 1 bridge that every VLAN can use and thats it. Then you only need to set the vlan tag for the VM you are creating and virtio will automatically filter packets by the given tag (from host to guest) and tag untagged traffic (from guest to host) with that VLAN ID. So there is no need to edit VLANs inside the VMs too, because the virtio NIC is doing the tagging and everything that reaches the VM is untagged.
 
Last edited:
Dunuin said:
Linux VLAN interfaces are useful if you want to give the host a IP in an VLANs subnet.
Using a single vlan aware bridge is more elegant because you don't need 10 extra VLAN interfaces and 10 extra bridges if you want to attach VMs to 10 different vlans. That also means that external monitoring tools need to monitor 20 additional interfaces, you get way longer outputs using CLI commands and so on. And each time you need a new vlan you need to edit the hosts network configuration and add new vlan interfaces and bridges.
With vlan aware bridges you just create 1 bridge that every VLAN can use and thats it. Then you only need to set the vlan tag for the VM you are creating and virtio will automatically filter packets by the given tag and tag untagged traffic.
Click to expand...

ok i understand now, i guess i have been trying to mirror the way VMware works with port groups tagged and that VM allocating that port group to its nic.

thanks for the explanation :)
 
Like I said, both ways are fine and will work. The version with vlan aware bridges is just cleaner and better to manage.
Another benefit is that if you really want you are able to use VLANs inside your VMs. Lets say I want to create a OPNsense VM that is routing between these 10 VLANs. Now I could give the OPNsense VM 10 virtual NICs to be able to attach it to 10 different bridges attached to 10 different vlan interfaces...or I just create 1 virtio NIC, assign no VLAN to it (that way the VM recieves all tagged traffic) and let OPNsense hande the VLAN stuff. That way the OPNsense can use all 10 VLANs with just one virtual NIC.

That isn't working without vlan aware bridges, because everything would get untagged as soon as it travels from the physical NIC through the vlan interface to the bridge.
 
Last edited:
very good point, and firewall is something else i need to look into, but that is for another day :)

im weighing things up at the moment but thinking about it after your explanation, it does make more sense to do it the elegant way :)
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back