bridge-vids not filtering unwanted vlans?

Oct 7, 2019
Hello,

If I'm not mistaken, bridge-vids sets "the space separated list of VLANs to be allowed tagged ingress/egress on this interface" [1]. So, if I set a bridge vmbr0002 with bridge-vids 2-512, and connect some VMs to it but with a VLAN id > 512, the VMs' network traffic should not get into the bridge. But it does and I don't know why.

This is the bridge in the host (it is not linked to any NIC of the host):
Code:
auto vmbr0002
iface vmbr0002 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-512
        mtu 9000

This is the configuration of the VMs:
Code:
agent: 1,fstrim_cloned_disks=1
bios: ovmf
boot: order=scsi0;ide2
cores: 4
cpu: host
efidisk0: NVME:vm-990011-disk-0,efitype=4m,size=1M
ide2: localiso:iso/proxmox-ve_8.0-2.iso,media=cdrom,size=1166488K
machine: q35
memory: 10240
meta: creation-qemu=6.1.1,ctime=1646672794
name: PVE01
net0: virtio=2A:E9:7E:93:8E:11,bridge=vmbr0001
net1: virtio=C6:3B:E4:FF:77:9D,bridge=vmbr0001
net2: virtio=3E:1B:FD:75:0C:E1,bridge=vmbr0002,tag=675
net3: virtio=4E:DA:B8:49:8F:86,bridge=vmbr0002,tag=676
net4: virtio=2A:28:5C:CE:74:E4,bridge=vmbr0002
net5: virtio=DE:A8:29:73:E9:8C,bridge=vmbr0002
numa: 1
ostype: l26
protection: 0
scsi0: NVME:vm-990011-disk-1,discard=on,iothread=1,size=40G,ssd=1
scsihw: virtio-scsi-single
smbios1: uuid=someuuid
sockets: 1
vmgenid: someuuid

VMs do see each other on the interfaces connected to vmbr0002, regardless of the VLAN id configured, either on the VM or on the guest OS. Of course, this happens when using the same VLAN id: traffic of different VLANs stays isolated. A tcpdump -i vmbr0002 -lennn on the host shows the traffic on vmbr0002 as tagged:

Code:
12:16:03.436697 2a:28:5c:ce:74:e4 > d6:2a:ee:7f:90:98, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.11 > 10.44.0.12: ICMP echo request, id 3551, seq 9, length 64
12:16:03.436810 d6:2a:ee:7f:90:98 > 2a:28:5c:ce:74:e4, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.12 > 10.44.0.11: ICMP echo reply, id 3551, seq 9, length 64
12:16:04.460685 2a:28:5c:ce:74:e4 > d6:2a:ee:7f:90:98, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.11 > 10.44.0.12: ICMP echo request, id 3551, seq 10, length 64
12:16:04.460807 d6:2a:ee:7f:90:98 > 2a:28:5c:ce:74:e4, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.12 > 10.44.0.11: ICMP echo reply, id 3551, seq 10, length 64
12:16:05.484768 2a:28:5c:ce:74:e4 > d6:2a:ee:7f:90:98, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.11 > 10.44.0.12: ICMP echo request, id 3551, seq 11, length 64
12:16:05.484883 d6:2a:ee:7f:90:98 > 2a:28:5c:ce:74:e4, ethertype 802.1Q (0x8100), length 102: vlan 1900, p 0, ethertype IPv4 (0x0800), 10.44.0.12 > 10.44.0.11: ICMP echo reply, id 3551, seq 11, length 64

Shouldn't bridge-vids 2-512 discard packets with VLANs outside of that range?


[1] https://manpages.ubuntu.com/manpages/jammy/en/man5/interfaces-bridge.5.html
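One way to see what the kernel has actually programmed, as an added example that is not part of the original post: what a vlan-aware bridge forwards is decided by its per-port VLAN table, which is what `bridge vlan show` prints, so the script below parses that output (a constructed sample here; the tap names and their VLANs are assumptions) and lists every port membership that falls outside the intended range.

```shell
#!/bin/sh
# Added example: audit the VLAN memberships of each port of a vlan-aware
# Linux bridge from the output of `bridge vlan show` (iproute2), and report
# any membership outside the range the administrator intended.

# Constructed sample in the current `bridge vlan show` layout; the tap names
# and the VLANs on them are assumptions standing in for a live host.
SAMPLE_VLAN_SHOW='port              vlan-id
vmbr0002          1 PVID Egress Untagged
                  2-512
tap990011i2       675 PVID Egress Untagged
tap990011i3       676 PVID Egress Untagged
tap990011i4       1 PVID Egress Untagged
                  2-4094
tap990011i5       1 PVID Egress Untagged
                  2-4094'

# vlans_outside_range LOW HIGH  (reads `bridge vlan show` output on stdin)
# Prints "port vid" or "port start-end" for each membership not fully
# inside LOW..HIGH; exit status 1 if any were found, 0 otherwise.
# The default PVID 1 every port keeps is reported too, on purpose.
vlans_outside_range() {
    awk -v lo="$1" -v hi="$2" '
        NR == 1 || NF == 0 { next }             # skip header and blank lines
        /^[^[:space:]]/ { port = $1; ent = $2 } # line names a port: vid is 2nd field
        /^[[:space:]]/  { ent = $1 }            # continuation line: vid is 1st field
        {
            n = split(ent, r, "-")              # "675" or "2-4094"
            s = r[1] + 0; e = (n == 2) ? r[2] + 0 : s
            if (s < lo || e > hi) { print port, ent; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Usage: list every membership outside the intended 2-512.
# On a real host replace the printf with: bridge vlan show | vlans_outside_range 2 512
printf '%s\n' "$SAMPLE_VLAN_SHOW" | vlans_outside_range 2 512 \
    || echo "memberships outside 2-512 were found"
```

The sample is what such a host would look like if the tap devices were given their own VLAN lists when the VMs were plugged in: the bridge-vids range appears only on the bridge's own entry, while the untagged VM ports carry 2-4094.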