Adding a Second (Tagged) Interface to a VM

[norsemangrey]

I have an Ubuntu VM for which I want two interfaces: one interface for untagged traffic (i.e. VLAN 1) and one for a specific VLAN. I am not quite sure about the correct way to configure this in Proxmox.

I have a VLAN aware bridge where a VLANs are trunked (vmbr4) and if I create a VM with a network card either untagged or tagged (e.g. with VLAN 200), that interface on the Ubuntu VM is assigned an IP address in the correct VLAN range.

However, if I add a second network card, that interface shows up (ens19 in the below snapshot), but the link is DOWN and is not assigned an IP from the DHCP.



Am I missing something or is this the wrong approach to assigning multiple network interfaces / vlans to a VM?

 

[Dunuin]

What is the error when you try to up that ens19 inside the VM? I'd guess the problem is your guests network config. It's usually no problem to add multiple virtual NICs to a VM and use VLAN.

When using VLAN1 and tagging a virtual NIC with VLAN1, keep in mind that those packets will be tagged so your switch needs to allow tagged VLAN1. If you want to send untagged packets, you could add a virtual NIC without any VLAN tag. But then the VM would also be able to listen to packets of all VLANs, in case that is a security concern for you.

What does your PVEs network config (/etc/network/interfaces) and your guests network config look like?

 

[norsemangrey]

If i try to up the link the link status goes to UP (I do not see any error message), but it still does not get any IP.

sudo ip link set dev ens19 up

I have not done anything with the Guest OS network config in particular. It is an Ubuntu Server image on which I have installed UFW and Docker and that's about it.

PVE network config.

auto vmbr4
iface vmbr4 inet manual
        bridge-ports enp2s0f3
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

Guest network config.

 

[norsemangrey]

I managed to solve it.

I had to go into the network configuration on the guest OS and add the new interface (ens19) for dynamic address assignment. I would have thought this would happened automatically when a new interface is added.

/etc/netplan/00-installer-config.yaml

network:
  ethernets:
    ens18:
      dhcp4: true
    ens19:
      dhcp4: true
  version: 2

 

[norsemangrey]

When using VLAN1 and tagging a virtual NIC with VLAN1, keep in mind that those packets will be tagged so your switch needs to allow tagged VLAN1. If you want to send untagged packets, you could add a virtual NIC without any VLAN tag. But then the VM would also be able to listen to packets of all VLANs, in case that is a security concern for you.

This is a good point. I would like for the VM to only listed for packets on the selected VLAN. I am using untagged VLAN / VLAN 1 as a management VLAN which an application on the VM should have access to. Not sure what you mean exactly when you say that the switch needs to allow tagged VLAN 1. My router is also running as a VM on Proxmox so there is not a physical switch between the router and the VM. All VLANS are trunked trough vmbr4, but when adding VLAN 1 as an interface on the VM is there a difference between setting the VLAN Tag to 1 and not setting it at all?

 

[Dunuin]

All VLANS are trunked trough vmbr4, but when adding VLAN 1 as an interface on the VM is there a difference between setting the VLAN Tag to 1 and not setting it at all?

Yes. When setting your virtio NICs "VLAN Tag" to 1, your VM will send untagged packet, they will be tagged with VLANID 1 and your router VM then has to allow incoming packets tagged with VLANID 1.
When not setting any "VLAN Tag" for the virtio NIC and also not tagging packets with a VLAn inside that VM, PVE won't tag those packets. Those packets will be untagged so your router VM needs to be configured to properly handle untagged packets. For example allowing incoming untagged packets and then tag them internally with VLAN 1 as PVID.

 

[iprowell]

Thanks for the pointers. This helped me get things working!