How do I assign VLANs?

PonyoHam

Member
May 23, 2018
20
1
8
39
Hi,

I'm having problems with Proxmox and VLANs.

I have pfsense running inside proxmox and I want other VMs to connect to be assigned to the VLAN by pfsense.

I'm running Proxmox on a intel nuc with only 1 NIC.

Pfsense config
vmbr0 => bridged with eno1, assigned as wan to pfsense
vmbr1 => VLAN10, assigned as LAN in pfsense
vmbr2 =>VLAN20, assigned as LAN in pfsense

Windows host inside proxmox as vmbr1 assigned as well.

Without VLANs everything works fine and the Windows host receives an IP from pfsense. However once I turn to VLANs, Windows is not receiving an IP.

The problem is I got no clue how to properly do VLANs in proxmox. I've googled and looked at the documentation but it is not clear to me what the correct way of doing VLANs is.

I tried enabling VLAN and tagged them with the correct VLAN on vmbr1 and vmbr2 (pfsense and windows) as well but no joy.

1. Do I need to enable VLAN and set the correct VLAN tag on vmbr1 and vmbr2 assigned to pfsense?
2. Do I need to enable VLAN and set the correct VLAN tag on vmbr1 assigned to the Windows host?
3. If not, how should all this be configured?

edit: Some other things I noticed I'm not sure of are;
1. network configurations to proxmox are not applied until after a reboot?
2. What would you set on port/slaves for a interface that is only virtual and doesn't connect to a hardware NIC? Free to set whatever you want?
 
  • Like
Reactions: mediacj
1. Do I need to enable VLAN and set the correct VLAN tag on vmbr1 and vmbr2 assigned to pfsense?
2. Do I need to enable VLAN and set the correct VLAN tag on vmbr1 assigned to the Windows host?
3. If not, how should all this be configured?
Set the vlan in the VM config of every VM accessing the pfsense and configure your pfsense to have traffic tagged.

1. network configurations to proxmox are not applied until after a reboot?
Yes, as it is not reliable to just restart the networking service.

2. What would you set on port/slaves for a interface that is only virtual and doesn't connect to a hardware NIC? Free to set whatever you want?
What do you want to set?
 
I've got it configured like that but it doesn't work.

Node
upload_2018-5-24_15-40-36.png

pfSense VM
upload_2018-5-24_15-41-12.png

Win10 VM
upload_2018-5-24_15-41-52.png

pfSense VLAN
upload_2018-5-24_15-42-41.png

What do you want to set?

Not sure because I don't understand if or how whatever it is you set there relates to the rest of the system.
 
Did you follow this how to for the pfsense install?
https://doc.pfsense.org/index.php/Virtualizing_pfSense_on_Proxmox

You also need to set your bridges to 'bridge_vlan_aware yes' if you work with VLANs.

AFAICS, you already separate your networks, so only routing (firwalling) would be needed and you can skip the VLAN setup altogether.
 
Only one NIC so I want to use VLANs so I can connect the NUC to a switch and then access the VM's behind pfSense through VLAN from a physical machine connected to the switch.

I have very little experience with VLANs so my own incompetence is at work here but it is unclear to me how proxmox and VLANs work.

1) vmbr0 is bridged to the hardware NIC on the NUC
2) vmbr0 vlan aware yes
3) In the proxmox pfsense hardware tab, do I need to tag vmbr0? This should be the port that acts as trunk.
4) vmbr1 should act as a virtual interface for pfsense where other VM's connect to.
5) Does it matter what i put in port/slave for vmbr1?
6) In the proxmox pfsense hardware tab, do I need to tag vmbr1?

Google shows many results for people wanting to do the same thing, but I don't think I've found a post that successfully describes how to do this with proxmox. On bare metal it is fairly straight forward.
 
Only one NIC so I want to use VLANs so I can connect the NUC to a switch and then access the VM's behind pfSense through VLAN from a physical machine connected to the switch.

I have very little experience with VLANs so my own incompetence is at work here but it is unclear to me how proxmox and VLANs work.

1) vmbr0 is bridged to the hardware NIC on the NUC
2) vmbr0 vlan aware yes
3) In the proxmox pfsense hardware tab, do I need to tag vmbr0? This should be the port that acts as trunk.
4) vmbr1 should act as a virtual interface for pfsense where other VM's connect to.
5) Does it matter what i put in port/slave for vmbr1?
6) In the proxmox pfsense hardware tab, do I need to tag vmbr1?

Google shows many results for people wanting to do the same thing, but I don't think I've found a post that successfully describes how to do this with proxmox. On bare metal it is fairly straight forward.


for pfsense vm
--------------------
If you tag vlan inside pfsense, simply enable vlan aware on bridge. All ports will be trunk. (advantage, if you have a lot of vlans, you only need 1 vnic)

if you don't tag vlan inside pfsense, set tag vlan in proxmox vm nic configuration. (1nic by vlan). This will be a "access vlan @cisco".

for vm
---------
simply add vlan tag in vm nic.
 
But that is exactly what isn't working.

- vmbr0 allow vlan, linked to eno1 (physical nic)
- vmbr1 allow vlan, tagged 100
- in pfsense just a normal static ip on vmbr0 as the wan
- vmbr1 set up as lan with vlan tagging (em0.100)

But the VM connected to pfsense won't receive an IP with this configuration.

Also, what do I need to put into port/slaves? Do I need to do something like eth1.100 to make the tagging work? I don't understand what port/slave is supposed to do.
 
I'm sorry spirit but I don't understand what you are saying.

If I remove vlan aware and tagging from vmbr1, and remove vlan tagging on vmbr1 in pfsense, then how will the LAN be assigned to a VLAN? VMBR1 is supposed to be a virtual interface tagging all the VM's that connect to it.

Also, does it matter what I put as a name in port/slave or are you free to put whatever you want there?

Is there not documentation that explains the basics of this? I searched but couldn't find anything that explains the fundamentals.
 
I
If I remove vlan aware and tagging from vmbr1, and remove vlan tagging on vmbr1 in pfsense, then how will the LAN be assigned to a VLAN? VMBR1 is supposed to be a virtual interface tagging all the VM's that connect to it.

in your screenshot, you have

eth1.10->vmbr1--pfsense opt2
-- windows vm
eth1.20->vmbr2--pfsense opt3


What I want to said, is that you don't need vlan inside the vmbr1 or vmbr2
The vlan tag will be added when packet will go out the nic to physical network.
and it's isolated inside each vmbr



with vlan aware, you can do something like

eth1--->vmbr1---pfsense opt2 (tagging in proxmox qemu nic or inside pfsense)
---pfsense opt3 (tagging in proxmox qemu nic or inside pfsense)
---windows vm (tag in proxmox)
 
  • Like
Reactions: PonyoHam
@spirit thanks, after trying a lot of different things I did eventually get it working with all the VLANs created on the vmbr0 interface.

@PonyoHam would you mind posting some screenshots of the final config you landed on to get this all working? I am in a similar situation, single NIC, tagged VLAN traffic coming into Proxmox, with the hope of passing through to pfSense VM. I can't seem to get it working correctly no matter what I try, and help would be greatly appreciated!
 
For anyone reading here in the future, I've found that with a VLAN setup in the switches that already tags one default VLAN and allows some more others, you must not tag again in the VM if it uses the default VLAN. (default VLAN does not mean VLAN 1 here)
 
  • Like
Reactions: geokvant

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!