Hello,
If I'm not mistaken, bridge-vids sets "the space separated list of VLANs to be allowed tagged ingress/egress on this interface" [1]. So, if I set a bridge vmbr0002 with bridge-vids 2-512, and connect some VMs to it but with a vlan id>512, the VMs network traffic should not get into the bridge. But it does and I don't know why.
This is the bridge in the host (is not linked to any nic of the host):
Code:
auto vmbr0002
iface vmbr0002 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-512
    mtu 9000
This is the configuration of the VMs:
Code:
agent: 1,fstrim_cloned_disks=1
bios: ovmf
boot: order=scsi0;ide2
cores: 4
cpu: host
efidisk0: NVME:vm-990011-disk-0,efitype=4m,size=1M
ide2: localiso:iso/proxmox-ve_8.0-2.iso,media=cdrom,size=1166488K
machine: q35
memory: 10240
meta: creation-qemu=6.1.1,ctime=1646672794
name: PVE01
net0: virtio=2A:E9:7E:93:8E:11,bridge=vmbr0001
net1: virtio=C6:3B:E4:FF:77:9D,bridge=vmbr0001
net2: virtio=3E:1B:FD:75:0C:E1,bridge=vmbr0002,tag=675
net3: virtio=4E:DA:B8:49:8F:86,bridge=vmbr0002,tag=676
net4: virtio=2A:28:5C:CE:74:E4,bridge=vmbr0002
net5: virtio=DE:A8:29:73:E9:8C,bridge=vmbr0002
numa: 1
ostype: l26
protection: 0
scsi0: NVME:vm-990011-disk-1,discard=on,iothread=1,size=40G,ssd=1
scsihw: virtio-scsi-single
smbios1: uuid=someuuid
sockets: 1
vmgenid: someuuid
VMs do see each other on the interfaces connected to vmbr0002, regardless of the vlanid configured, either on the VM or on the guest OS. Of course, this happens when using the same vlanid: traffic of different vlans stays isolated. A tcpdump -i vmbr0002 -lennn on the host on vmbr0002 shows traffic as tagged:
Code:
12:16:03.436697 2a:28:5c:ce:74:e4 > d6:2a:ee:7f:90:98, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.11 > 10.44.0.12: ICMP echo request, id 3551, seq 9, length 64
12:16:03.436810 d6:2a:ee:7f:90:98 > 2a:28:5c:ce:74:e4, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.12 > 10.44.0.11: ICMP echo reply, id 3551, seq 9, length 64
12:16:04.460685 2a:28:5c:ce:74:e4 > d6:2a:ee:7f:90:98, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.11 > 10.44.0.12: ICMP echo request, id 3551, seq 10, length 64
12:16:04.460807 d6:2a:ee:7f:90:98 > 2a:28:5c:ce:74:e4, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.12 > 10.44.0.11: ICMP echo reply, id 3551, seq 10, length 64
12:16:05.484768 2a:28:5c:ce:74:e4 > d6:2a:ee:7f:90:98, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.11 > 10.44.0.12: ICMP echo request, id 3551, seq 11, length 64
12:16:05.484883 d6:2a:ee:7f:90:98 > 2a:28:5c:ce:74:e4, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.12 > 10.44.0.11: ICMP echo reply, id 3551, seq 11, length 64
Shouldn't bridge-vids 2-512 discard packets with VLANs outside of that range?
[1] https://manpages.ubuntu.com/manpages/jammy/en/man5/interfaces-bridge.5.html
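Added example (not part of the original post): a Python check that compares the tag= values in the VM config and the VLAN IDs seen in a tcpdump -e capture against the bridge-vids range of the bridge stanza, and lists whatever falls outside it. The function names are hypothetical and the sample inputs are constructed, abridged from the post above.

```python
import re

def parse_vids(spec):
    """Expand a bridge-vids value such as '2-512' or '10 20-22' into a set of ints."""
    vids = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def allowed_vids(stanza):
    """Collect the VLAN IDs from the bridge-vids line(s) of an interfaces stanza."""
    vids = set()
    for spec in re.findall(r"^\s*bridge-vids\s+(.+)$", stanza, re.M):
        vids |= parse_vids(spec)
    return vids

def vm_tags(vm_conf, bridge):
    """Map netN -> tag (None when untagged) for the NICs attached to `bridge`."""
    tags = {}
    for name, rest in re.findall(r"^(net\d+):\s*(.+)$", vm_conf, re.M):
        opts = dict(o.split("=", 1) for o in rest.split(",") if "=" in o)
        if opts.get("bridge") == bridge:
            tags[name] = int(opts["tag"]) if "tag" in opts else None
    return tags

def captured_vids(capture):
    """VLAN IDs seen in `tcpdump -e` output (outer 802.1Q tag only)."""
    return {int(v) for v in re.findall(r"ethertype 802\.1Q \(0x8100\).*?vlan (\d+),", capture)}

def audit(stanza, vm_conf, capture, bridge):
    """Return (NICs tagged outside bridge-vids, captured VLAN IDs outside bridge-vids)."""
    ok = allowed_vids(stanza)
    bad_nics = {n: t for n, t in vm_tags(vm_conf, bridge).items() if t is not None and t not in ok}
    return bad_nics, sorted(captured_vids(capture) - ok)

# Constructed inputs, abridged from the post above.
STANZA = "iface vmbr0002 inet manual\n    bridge-vlan-aware yes\n    bridge-vids 2-512\n"
VM_CONF = ("net1: virtio=C6:3B:E4:FF:77:9D,bridge=vmbr0001\n"
           "net2: virtio=3E:1B:FD:75:0C:E1,bridge=vmbr0002,tag=675\n"
           "net4: virtio=2A:28:5C:CE:74:E4,bridge=vmbr0002\n")
CAPTURE = ("12:16:03.436697 2a:28:5c:ce:74:e4 > d6:2a:ee:7f:90:98, ethertype 802.1Q (0x8100), "
           "length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.11 > 10.44.0.12: "
           "ICMP echo request, id 3551, seq 9, length 64\n")

if __name__ == "__main__":
    print(audit(STANZA, VM_CONF, CAPTURE, "vmbr0002"))
```

Untagged NICs (no tag= option) are reported by vm_tags with None and are not counted as out of range by audit, since any tagging then happens inside the guest and only shows up in the capture.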