Help with vlan config

dr.dad

New Member
Jun 11, 2020
Hey all, I have an issue that probably gets asked here 100 times in 100 different ways.

I am able to get the network to pass correctly to VLANs; however, as soon as I start messing with subnets, VLANs seem to break.
I have tried to follow the config guide in the documentation and read a variety of posts and followed their advice, but none seem to work in my particular situation, so hopefully someone can help me.

Right now my hardware topology looks like this:
Code:
OPNsense ---{trunk all}---> arista 7050t ---{trunk 1, 10, 20 eno1}---> proxmox host
                                         ---{trunk 10, 20 eno2} ---> proxmox host
On this host the interfaces config looks like this:
Code:
/etc/network/interfaces

auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1

auto eno2
iface eno2 inet static
        address 192.168.10.2/24
        gateway 192.168.10.1

auto eno2.20
iface eno2.20 inet static
        address 192.168.20.2/24
        gateway 192.168.20.1

iface eno3 inet manual

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr0 inet static
        address 192.168.10.2/24
        gateway 192.168.10.1
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr0 inet static
        address 192.168.20.2/24
        gateway 192.168.20.1
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0

What I'm trying to do is isolate VM traffic to VLAN 10 and Proxmox GUI traffic to VLAN 1 and 20. Any help on what I'm doing wrong to get this set up would be greatly appreciated.
 
First, VLAN ID 1 is reserved for untagged traffic on most switches, so I wouldn't use that for tagged VLANs.
Second, you shouldn't use more than one gateway for the complete host.
Third, there shouldn't be more than one NIC per VLAN/subnet.

If you want your WebUI on VLAN 1 and 20 and VMs on VLAN 10 you have two options:

1.) vlan unaware bridges
Code:
# tagged VLAN 1 on eno1 carries the WebUI and the host's only default gateway
auto eno1.1
iface eno1.1 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1

# VLAN 10 on eno2 gets no address of its own; it becomes a port of the VM bridge
auto eno2.10
iface eno2.10 inet manual

# second WebUI address on VLAN 20; no gateway here
auto eno2.20
iface eno2.20 inet static
        address 192.168.20.2/24

iface eno3 inet manual

iface eno4 inet manual

# VM bridge on VLAN 10 (vlan-unaware: every VM on this bridge is in VLAN 10)
auto vmbr0
iface vmbr0 inet static
        address 192.168.10.2/24
        bridge-ports eno2.10
        bridge-stp off
        bridge-fd 0

2.) vlan aware bridge
Code:
auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto eno3
iface eno3 inet manual

auto eno4
iface eno4 inet manual

# one vlan-aware bridge on eno2; each VM's virtual NIC gets its VLAN tag in the GUI
auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno2
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 1-4094

# host addresses live on VLAN sub-interfaces of the bridge; only one gateway
auto vmbr0.1
iface vmbr0.1 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1

auto vmbr0.20
iface vmbr0.20 inet static
        address 192.168.20.2/24
You can then use several VLANs on the same bridge. You just need to enable "vlan aware" for that bridge and go to your VM's Hardware tab, select a virtual NIC and set the "VLAN tag" that the virtual NIC should be assigned to.
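As an added check, not part of the thread or of Proxmox: a small Python lint that reads an ifupdown-style interfaces file and flags the three points above, plus the copy/paste slips in the original config (an `auto vmbr1` stanza that then defines `iface vmbr0`, the same address on two interfaces, VLAN ids or `bridge-vids` outside 1-4094). The sample input is the poster's first config trimmed to four stanzas; the function and variable names are the example's own.

```python
"""Lint an ifupdown-style /etc/network/interfaces for the pitfalls raised in this
thread. Added example, not code from the thread or from Proxmox."""
import ipaddress
from collections import Counter, defaultdict

VID_MIN, VID_MAX = 1, 4094  # valid 802.1Q VLAN ids

# Constructed sample: the original poster's first config, trimmed to four stanzas.
OP_CONFIG = """\
auto eno1
iface eno1 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1

auto eno2
iface eno2 inet static
        address 192.168.10.2/24
        gateway 192.168.10.1

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1
        bridge-ports eno1

auto vmbr1
iface vmbr0 inet static
        address 192.168.10.2/24
        gateway 192.168.10.1
        bridge-ports eno2
"""


def parse_interfaces(text):
    """Return (stanzas, mismatches); a mismatch is 'auto X' directly followed by 'iface Y'."""
    stanzas, mismatches, current, last_auto = [], [], None, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "auto":
            last_auto, current = words[1], None
        elif words[0] == "iface":
            name = words[1]
            if last_auto is not None and last_auto != name:
                mismatches.append((last_auto, name))
            last_auto = None
            current = {"name": name, "opts": defaultdict(list)}
            stanzas.append(current)
        elif current is not None:  # option line inside the current stanza
            current["opts"][words[0]].append(" ".join(words[1:]))
    return stanzas, mismatches


def vid_ranges(spec):
    """'2-4094 10 20' -> [(2, 4094), (10, 10), (20, 20)]"""
    return [(int(lo), int(hi or lo)) for lo, _, hi in (t.partition("-") for t in spec.split())]


def lint(text):
    stanzas, mismatches = parse_interfaces(text)
    findings = [f"'auto {a}' is followed by 'iface {i}': copy/paste error?" for a, i in mismatches]
    findings += [f"iface {n} is defined {c} times" for n, c in Counter(s["name"] for s in stanzas).items() if c > 1]
    gateways = [(s["name"], g) for s in stanzas for g in s["opts"].get("gateway", [])]
    if len(gateways) > 1:
        findings.append("more than one default gateway: " + ", ".join(f"{n} via {g}" for n, g in gateways))
    by_ip, by_net = defaultdict(list), defaultdict(list)
    for s in stanzas:
        for addr in s["opts"].get("address", []):
            if "/" not in addr and s["opts"].get("netmask"):  # old-style address + netmask
                addr = f"{addr}/{s['opts']['netmask'][0]}"
            ifc = ipaddress.ip_interface(addr)
            by_ip[ifc.ip].append(s["name"])
            by_net[ifc.network].append(s["name"])
    findings += [f"address {ip} assigned to {', '.join(o)}" for ip, o in by_ip.items() if len(o) > 1]
    findings += [f"subnet {net} spans {', '.join(o)}: one NIC per VLAN/subnet" for net, o in by_net.items() if len(o) > 1]
    for s in stanzas:
        name, vids = s["name"], list(s["opts"].get("vlan-id", []))
        if "." in name and name.rsplit(".", 1)[1].isdigit():  # eno2.20-style VLAN sub-interface
            vids.append(name.rsplit(".", 1)[1])
        for vid in map(int, vids):
            if not VID_MIN <= vid <= VID_MAX:
                findings.append(f"{name}: VLAN id {vid} is outside {VID_MIN}-{VID_MAX}")
            elif vid == 1:
                findings.append(f"{name}: VLAN 1 is the untagged/native VLAN on most switches")
        for spec in s["opts"].get("bridge-vids", []):
            for lo, hi in vid_ranges(spec):
                if lo < VID_MIN or hi > VID_MAX:
                    findings.append(f"{name}: bridge-vids {lo}-{hi} is outside {VID_MIN}-{VID_MAX}")
    return findings


if __name__ == "__main__":
    for finding in lint(OP_CONFIG):
        print("-", finding)
```

Run it against a copy of the real file with `lint(open("/etc/network/interfaces").read())` before `ifreload -a` applies the change; on the poster's config it reports the `auto vmbr1`/`iface vmbr0` slip, `vmbr0` being defined twice, four default gateways, and each address and subnet that appears on both a NIC and its bridge.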
 
Would the VLAN-aware bridge work with a bond? Ultimately I want to do that; I just wanted to understand how VLANs work.
 
Would the VLAN-aware bridge work with a bond? Ultimately I want to do that; I just wanted to understand how VLANs work.
It should. Just bridge it to the bond instead of a single NIC.
 
Code:
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto eno3
iface eno3 inet manual

auto eno4
iface eno4 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 1-4094

auto vmbr0.1
iface vmbr0.1 inet static
        address 192.168.1.14/24
        gateway 192.168.1.1

auto vmbr0.10
iface vmbr0.10 inet static
        address 192.168.10.14/24

auto vmbr0.20
iface vmbr0.20 inet static
        address 192.168.20.14/24

At this point I'm pretty lost. Still no connection in the VM.
 
Can you ping the OPNsense IP from inside the VM? Maybe your OPNsense rules just don't allow routing between different VLANs/subnets.
 
Can you ping the OPNsense IP from inside the VM? Maybe your OPNsense rules just don't allow routing between different VLANs/subnets.
I have no connection in the VM. :(

I don't think I have rules prohibiting traffic between VLANs 1, 10 and 20. I have Wi-Fi networks that pass VLANs fine, so I know it's not the OPNsense rules.

On the router I have allow, allow DNS and allow ICMP. Nothing else. Seems to be working fine on all other parts of my network.

Double checked my switch, and port17/eno1 is a switchport trunk with VLANs 1,10,20 on it.
Rules are good on the router.

If I have to check anything else, I can't think of anything.
 
Removing the tag from the VM or using tag 1 gives the VM a network connection, but tagging it 10 or 20 and the VM can't get a connection. That's as far as I got tonight. If anyone has any suggestions I would love to hear them. Thanks!