I am desperate trying to configure a proper VLAN on my server

[verdezito]

Hi! I have been using Proxmox with a very basic setup from months now at home and I really LOVE it! But I want now to improve my server security using VLANs and after a week I come here asking for help.
I am not very used to the CLI, would appreciate if someone could point me what to do in the GUI.

What I have? A humble USG3 with a USW Flex mini as switch and a Proxmox server with some VMs. I want to have some different VLAN in the server for security (some VMs are for the children games, some for NAS, some for web hosting...want them to be in different VLANS)
My server has only 1 nic.

What I want?
Use 192.168.1.1 as VLAN 1 (Is the USG default VLAN, or so I think...) for management (router, switch and Proxmox itself with this IP range). And use (for example) 10.10.10.0 for the NAS, 20.20.20.0 for the web hosting VMs, etc.
(don't know if this is even possible! Please tell me if using 192.168.1.1 is dangerous, or if I should stick with 192.168.*.0 for different VLANS)

Right now the server has the vmbr0 with default setup ("vlan aware" unticked).

1.- Should I create another vmbr* for the different VLAN and let the default for VLAN 1? (if I need to create a new one would like some tips please)
2.- Should I stay with just the default vmbr0 and change it to be "vlan aware"? Or just let it untouched and create the CT and VMs with the VLAN option configured at creation?

As you can see I am a bit lost. I see a lot of asnswers in this forum with CLI parameters but I don't have much idea and would love some GUI configuration tips.

Thanks a lot in advance!

 

[Arvyr]

...
Use 192.168.1.1 as VLAN 1 ...
(don't know if this is even possible! Please tell me if using 192.168.1.1 is dangerous, or if I should stick with 192.168.*.0 for different VLANS)
...

Wondering if a private IP is dangerous but sticking to the default vlan 1, smh....
You can use whatever private IP you fancy, but changing - especially for management pruposes - vlan 1 to something else is considered best practice and mentioned in probably every hardening guide.
I'm also certain you can change the vlan in your USG.

So, if your server has multiple NICs then you can just bind them to separated vmbrs and connect those to your VMs/CTs and the USG.
If not, use your vmbr0 as vlan-aware bridge and just enter the tag your VMs/CTs should use in their configuration.

For your Proxmox management interface:
Creating a vmbr with vlan tag is easy, there's two ways:
1. create a vmbr0.xxx where xxx is the VLAN - you have to neither add the vlan raw device nor a vlan tag for that vmbr (this works with ifupdown 1 and 2)
2. create a vmbr and name it whatever you want and assign the vlan raw device and desired vlan tag. This works with ifupdown2 only iirc.

 

[jlebherz]

I sugest you to do it the following

USG
=> vlan 10 untagged = Management 192.168.1.0/24
=> vlan 100 tagged = Kids => 192.168.100.0/24
=> vlan 200 tagged = NAS => 192.168.200.0/24

in Proxmox you create only one bridge (vmbr0) and set it vlan aware

in your VM config you enter the vlan ID in the virtual network adapter

for example NAS VM = tag 200

thats it!

 

[spirit]

1.- Should I create another vmbr* for the different VLAN and let the default for VLAN 1? (if I need to create a new one would like some tips please)
2.- Should I stay with just the default vmbr0 and change it to be "vlan aware"? Or just let it untouched and create the CT and VMs with the VLAN option configured at creation?

You just need to add vlan tag in vm nic. It'll work without or without vlanaware bridge.

(without vlan-aware, proxmox will create a new vmbr0vY with eth0.Y for you where vm will start, with vlan aware bridge, the vlan tag is added to the brigde port directly like a true switch)