Help with management vlan

juju01

Member
May 16, 2020
I have set up my management on vlan5 and eno1 port with the code below. The problem is, other vlans seem to be going through this as well. For instance, I am able to get vlan 20 to get an IP in the 20 subnet even if I use vmbr0. How can I restrict this to only vlan 5?

Code:
iface eno1.5 inet manual

auto vmbr0v5
iface vmbr0v5 inet static
        address  10.1.5.21/24
        gateway  10.1.5.1
        bridge-ports eno1.5
        bridge-stp off
        bridge-fd 0

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
 
Not sure but maybe something like this might help?

Code:
auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 5
        
auto vmbr0.5
iface vmbr0.5 inet static
        address  10.1.5.21/24
        gateway  10.1.5.1
In that case only VMID 5 should be allowed over that bridge.
 

no reference to bridge-ports eno1.5 and iface eno1.5 inet manual ?
 
In that case you don't need eno1.5. Eno1 will carry tagged and untagged packets. Because vmbr0 is set to "vlan aware" (bridge-vlan-aware yes) with only VMID 5 allowed (bridge-vids 5) it can also carry untagged packets and packets tagged with VMID 5.
Then there is a Linux VLAN interface "vmbr0.5" on top of that bridge that will use VMID 5.

Edit:
Hm, but on second thought that might be problematic too if you want your management interface as much separated as possible from the guests.

What is your VLAN ID used for untagged traffic? Let's say your PVID would be 1, then you could try:
Code:
iface eno1 inet manual

iface eno1.1 inet manual

auto eno1.5
iface eno1.5 inet static
        address  10.1.5.21/24
        gateway  10.1.5.1

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1.1
        bridge-stp off
        bridge-fd 0
Then guests attached to vmbr0 should only be able to use your PVID/VMID 1 used for untagged traffic by your switch.
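Both layouts suggested in this thread (a vlan-aware vmbr0 restricted with bridge-vids 5, and the later variant that keeps management on eno1.5 outside the bridge entirely) only isolate the management VLAN if the bridge's VLAN table on the running host really matches the intent. The shell function below is an added example, not code from the thread or from Proxmox: it reads the output of `bridge vlan show` and reports every VID on the bridge or its ports that is outside an allowed list. The two sample outputs are constructed for the example; the first assumes a vlan-aware bridge left at the Proxmox default of bridge-vids 2-4094, the second a bridge restricted to VID 5 as proposed above.

```shell
#!/bin/sh
# Added example: audit a vlan-aware bridge's VLAN table against the VIDs
# the configuration is supposed to allow. Not part of the thread.

# Constructed sample of `bridge vlan show` for a bridge that still carries
# the Proxmox default VID range 2-4094 on its physical port (assumption).
SAMPLE_WIDE='port              vlan-id
eno1              1 PVID Egress Untagged
                  2-4094
vmbr0             1 PVID Egress Untagged
                  5'

# Constructed sample for a bridge restricted with "bridge-vids 5".
SAMPLE_RESTRICTED='port              vlan-id
eno1              1 PVID Egress Untagged
                  5
vmbr0             1 PVID Egress Untagged
                  5'

# vlan_audit "ALLOWED VIDS" < output-of-bridge-vlan-show
# Prints "port vid" for every VID (or range) not in the allowed list and
# returns 1 if any was found; returns 0 when the table is clean.
vlan_audit() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        bad = 0
    }
    NR == 1 { next }                      # skip the "port vlan-id" header
    {
        # A line starting in column 1 names a port; indented lines continue
        # the VID list of the port named last.
        if ($0 ~ /^[^ \t]/) { port = $1; vid = $2 } else { vid = $1 }
        if (vid == "") next
        if (vid ~ /^[0-9]+-[0-9]+$/) {
            # A range such as 2-4094: report it once if any member is not allowed.
            split(vid, r, "-")
            for (v = r[1] + 0; v <= r[2] + 0; v++) {
                if (!(v in ok)) { bad++; print port, vid; break }
            }
        } else if (!(vid in ok)) {
            bad++
            print port, vid
        }
    }
    END { exit (bad > 0) }'
}

# Stand-alone demo over the constructed samples: ./vlan_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "restricted bridge:"
    printf '%s\n' "$SAMPLE_RESTRICTED" | vlan_audit "1 5" && echo "ok"
    echo "default bridge:"
    printf '%s\n' "$SAMPLE_WIDE" | vlan_audit "1 5" || echo "unexpected VIDs present"
fi
```

On a live host, `bridge vlan show | vlan_audit "1 5"` runs the same check against the real table. The allowed list should contain the PVID used for untagged traffic (1 in the thread's example) plus the management VID only when management is deliberately placed on the bridge; with the eno1.5-outside-the-bridge layout, VID 5 appearing on vmbr0 or eno1 inside the bridge is itself the finding.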
 
