My PVE host is connected to a switch on a trunked port with tagged VLANs 20 and 30, plus a native untagged VLAN. The PVE management interface is on VLAN 20.
Current network settings:
Code:
auto lo
iface lo inet loopback

iface enp89s0f0np0 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp89s0f0np0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 20 30

auto vmbr0.20
iface vmbr0.20 inet static
        address 10.0.20.2/24
        gateway 10.0.20.1

I have this untrusted Windows VM that needs to be on the native untagged VLAN. There's a problem: if I give it vmbr0 without VLAN tagging, whatever is inside the VM can decide to tag the traffic and have access to other VLANs.
If this VM was to be in VLAN 20 or 30, it'd be trivial to solve by setting the VLAN in the VM network config. But how do I solve this with the native untagged VLAN? I thought about creating another bridge on the same port, this one not VLAN-aware, but the web GUI didn't allow me to do so.
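Added example, not part of the original post: a small audit that reads the JSON printed by `bridge -j vlan show` on the host and lists guest-facing ports that accept tagged VLANs besides their untagged PVID, which is the exposure described above. The sample data, the port names `tap100i0`/`tap101i0` and the prefix rule for spotting guest ports are assumptions made for the illustration.

```python
import json

# Constructed sample in the shape printed by `bridge -j vlan show`,
# built to mirror the situation in the post. tap100i0 / tap101i0 are
# hypothetical guest ports: one untagged with VLANs 20 and 30 also
# allowed, one pinned to VLAN 30 only.
SAMPLE = json.dumps([
    {"ifname": "enp89s0f0np0", "vlans": [
        {"vlan": 1, "flags": ["PVID", "Egress Untagged"]},
        {"vlan": 20}, {"vlan": 30}]},
    {"ifname": "tap100i0", "vlans": [
        {"vlan": 1, "flags": ["PVID", "Egress Untagged"]},
        {"vlan": 20}, {"vlan": 30}]},
    {"ifname": "tap101i0", "vlans": [
        {"vlan": 30, "flags": ["PVID", "Egress Untagged"]}]},
])

# Assumption: guest-facing ports are recognised by name prefix.
GUEST_PREFIXES = ("tap", "veth")


def guest_tagged_vlans(bridge_vlan_json, guest_prefixes=GUEST_PREFIXES):
    """Return {port: [VIDs]} for guest ports that accept tagged VLANs
    in addition to their untagged PVID."""
    findings = {}
    for port in json.loads(bridge_vlan_json):
        name = port.get("ifname", "")
        if not name.startswith(guest_prefixes):
            continue  # uplink and bridge are expected to carry tags
        extra = set()
        for entry in port.get("vlans", []):
            if "PVID" in entry.get("flags", []):
                continue  # the port's own untagged VLAN
            # Ranges are reported as vlan..vlanEnd; single VIDs omit vlanEnd.
            first = entry["vlan"]
            extra.update(range(first, entry.get("vlanEnd", first) + 1))
        if extra:
            findings[name] = sorted(extra)
    return findings


if __name__ == "__main__":
    for port, vids in guest_tagged_vlans(SAMPLE).items():
        print(f"{port}: guest can send tagged frames on VLANs {vids}")
```

On a live host the input would be the output of `bridge -j vlan show`; an empty result means no guest port carries a tagged VLAN alongside its PVID.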