7.x VLAN leaking on bridge

V

Victimofareload

Member
Apr 19, 2022
2
0
6
Hello,

I started recently having an issue that is odd.

I have a node running 7.1-12 (Latest I believe). It has a 10G uplink to a Juniper EX3300 switch.

On this switch, I have vlan 1 untagged. And a handful of VLAN's tagged as I have a few guests on the PVE box which connect to various other VLAN's. Everything works fine, However I'm seeing a VLAN leak.

I have a windows 10 guest (And it only happens on this guest). It's only got 1 network interface (VIRTIO) and it has no VLAN tag assigned (So it's in VLAN 1).

It works fine, and I have a static IPv6 address assigned to it. After a minute or two, it'll learn via SLAAC a 2nd and 3rd IPv6 address from other VLAN's it's not a member of (VLAN 100 and VLAN 666). Which are tagged on the from the juniper, the this particular guest isn't a member of them.

Doing a wireshark capture on the windows guest, it's getting IPv6 Multicast IPv6 Router Advertisements (RA's). They are reaching the guest untagged.

I have tried enabling "vlan aware" on vmbr0, but that didn't make any difference. Why is the linux bridge capturing multicast traffic on VLAN's 100 and 666 and forwarding it to a guest that isn't a member of that VLAN? Better yet, why is it popping the VLAN tag off in the process?

I have confirmed that if I remove the tagged VLAN from the juniper switch port (meaning the tagged frames never make it to proxmox) then the issue doesn't happen. So I firmly believe this VLAN leak is occurring on the linux bridge and not elsewhere.

Screenshot of untagged IPv6 MCAST RA the windows 10 Guest is receiving.
 

Attachments

  • ipv6ra.png
    ipv6ra.png
    23.5 KB · Views: 5
Better yet, why is it popping the VLAN tag off in the process?
Click to expand...

Non-vlanware bridge don't known nothing about vlan. (they simply remove the vlan header when packet is going through the bridge).

With non vlan-aware bridge, if you define a vlan tag on a vm nic, proxmox create a new bridge like "vmbrXvY" with ethX.Y. (So packet follow vlan Y from ethX.Y to the vmbrXvY). without any vlan tag defined, all vlan are going to the main vmbrX and vlan header will be removed.

With vlan-aware bridge, the vlan header is not removed inside the bridge
if you don't define any vlan on the vm nic, it'll allow all vlan (2-4096) to go the the vm nic (like a trunk on cisco switch, I don't known the naming on juniper), + the special vlan1 as default vlan. (untagged coming packets are tagged with vlan1).
if you defined a vlan on the vmnic, it's only allow this vlan (like an access port on cisco switch). Guest vlan is also removed.
 
spirit said:
Non-vlanware bridge don't known nothing about vlan. (they simply remove the vlan header when packet is going through the bridge).

With non vlan-aware bridge, if you define a vlan tag on a vm nic, proxmox create a new bridge like "vmbrXvY" with ethX.Y. (So packet follow vlan Y from ethX.Y to the vmbrXvY). without any vlan tag defined, all vlan are going to the main vmbrX and vlan header will be removed.

With vlan-aware bridge, the vlan header is not removed inside the bridge
if you don't define any vlan on the vm nic, it'll allow all vlan (2-4096) to go the the vm nic (like a trunk on cisco switch, I don't known the naming on juniper), + the special vlan1 as default vlan. (untagged coming packets are tagged with vlan1).
if you defined a vlan on the vmnic, it's only allow this vlan (like an access port on cisco switch). Guest vlan is also removed.
Click to expand...
Yes. I understand all of that. However you say "if you defined a vlan on the vmnic, it's only allow this vlan (like an access port on cisco switch). Guest vlan is also removed." This is not true in my instance. The windows VM has no vlan defined on the vmnic (untagged), but it is receiving IPv6 Multicast packets from tagged vlans but it's receiving them untagged. IE, the linux bridge is disregarding vlan tags for IPv6 Multicast traffic.

I've attached a diagram. As well as the vmnic config. (the vm only has this one NIC)

The windows VM is learning via IPv6 autoconfig, IPv6 addresses inside VLAN 100 and VLAN 666. Again, which it is not a member of.

If I modify the juniper switch config, removing either vlan 100 or vlan 666 from xe-0/1/2, the VM no longer learns addresses in that vlan. Meaning the traffic is reaching the proxmox machine tagged. And it's proxmox which is stripping the tag.
 

Attachments

  • Screenshot 2022-04-19 081951.png
    Screenshot 2022-04-19 081951.png
    65.1 KB · Views: 10
  • Screenshot 2022-04-19 082749.png
    Screenshot 2022-04-19 082749.png
    19.1 KB · Views: 10
I use ikuai gateway, I have same issue, and I have to disable ipv6 in win10 to solve this issue
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom