Issue with VLAN Aware Linux Bridge

SirBillyMays

Oct 30, 2024
I am attempting to place virtual machines on different VLANs, using a VLAN Aware Linux Bridge.

1. When I use the network bridge without specifying a VLAN tag, the VMs get placed on the native (access) VLAN, and they can connect without issue.
2. When I set a VLAN tag, VMs with the same VLAN tag can talk to each other, but they cannot connect to the network gateway or devices outside the same node, on the same VLAN.
3. If I make a Linux VLAN for the same VLAN tag, make a bridge on that VLAN, then connect the VMs to that new bridge, they can connect to each other, the gateway, devices external to the Proxmox nodes etc. without issue.
EDIT: 4. If I use the first configuration (network bridge, no VLAN tag) then configure VLAN 30 on the guests, they can connect to each other, but not to the gateway/outside of node. Same as point 2.

Am I misunderstanding or misconfiguring something in the bridge interface? Or is there perhaps some underlying driver/kernel issue or similar? I was under the impression that a VLAN aware bridge + a VLAN tag set for the VM should work.

For my troubleshooting steps, here's my base network/interfaces file:

Code:
auto lo
iface lo inet loopback

iface end0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 172.20.0.21/24
        gateway 172.20.0.1
        bridge-ports end0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

I have two VMs, both deployed on the same Proxmox node, and both set to use the vmbr0 bridge with tag=30.


After setting the tag I turned both nodes off completely using the shutdown option, before starting them up again. The behaviour after rebooting is as follows:

1. The VMs can reach each other
2. The VMs cannot reach the gateway in that VLAN


If I remove the Linux bridge, make a Linux VLAN, then bridge that VLAN instead, it works:

Code:
auto lo
iface lo inet loopback

auto end0
iface end0 inet static
        address 172.20.0.21/24
        gateway 172.20.0.1

auto end0.30
iface end0.30 inet manual

auto vmbr30
iface vmbr30 inet manual
        bridge-ports end0.30
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

 
Can you tcpdump traffic going out from both versions on end0? Both setups should work from my POV; we might be able to pinpoint the issue by looking at the traffic leaving the node with both configurations and checking if there are any differences.
 
Hi Stefan,

Sorry for taking so long to get back to you - life got in the way as they say. Thanks for confirming that both setups should work, I was fairly certain of that, but started to doubt myself after battling with this. I reproduced the configuration on some spare servers at work, and can confirm that the exact same configuration worked nicely there.

If I do a tcpdump on end0 I actually don't see any traffic that originates from the guest in the non-functional examples given above. If I do a dump on the bridge interface I can see the traffic between the guests if I use the following parameters:

tcpdump -vv -i vmbr0 \( vlan 30 \)

If I attempt to send traffic to "outside" the host on vlan 30 (e.g. the network gateway at 10.0.30.1) I see no traffic on the end0 interface, but I see ARP discovery attempts on the vmbr0:30 interface. I see no ARP replies.

If I add a static ARP entry using this command: "ip neigh change to 10.0.30.1 dev enp0s11 lladdr $externalNetworkGW" I no longer see the failed ARP attempts, but I still can't see the guest traffic beyond the vmbr0:30 interface. I am not entirely certain if I should use the MAC address of the external network gateway or if I should use a more local MAC address from the host, but as I don't get any ARP replies to begin with, something seems off here.

I suspect that this issue is unrelated to Proxmox, but rather related to my platform/base OS installation. This is an installation on ARM using a base Debian image, and I am thinking that I should look more in that direction for further troubleshooting.

I'll still gladly take tips from here, should anyone have any wise suggestions :)

Best regards
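
A check that fits the symptom described above (guest traffic visible on vmbr0 but never on end0), added here as an example and not part of any post in the thread: it reads the bridge's VLAN table in the JSON shape printed by `bridge -j vlan show` and reports whether the uplink carries the VLAN. The sample data is constructed; the tap interface names and VM IDs are assumptions.

```python
import json

# Constructed sample in the shape printed by `bridge -j vlan show` (iproute2).
# end0/vmbr0 follow the thread; the tap names and VM IDs are assumed.
SAMPLE = json.dumps([
    {"ifname": "end0", "vlans": [
        {"vlan": 1, "flags": ["PVID", "Egress Untagged"]},
        {"vlan": 2, "vlanEnd": 4094}]},
    {"ifname": "vmbr0", "vlans": [
        {"vlan": 1, "flags": ["PVID", "Egress Untagged"]}]},
    {"ifname": "tap100i0", "vlans": [
        {"vlan": 30, "flags": ["PVID", "Egress Untagged"]}]},
    {"ifname": "tap101i0", "vlans": [
        {"vlan": 30, "flags": ["PVID", "Egress Untagged"]}]},
])


def vid_membership(bridge_json, vid):
    """Map port name -> 'tagged' or 'untagged' for every port carrying `vid`."""
    members = {}
    for port in json.loads(bridge_json):
        for entry in port.get("vlans", []):
            first = entry["vlan"]
            last = entry.get("vlanEnd", first)  # present when ranges are compressed
            if first <= vid <= last:
                untagged = "Egress Untagged" in entry.get("flags", [])
                members[port["ifname"]] = "untagged" if untagged else "tagged"
    return members


def check_uplink(bridge_json, vid, uplink):
    """Return findings about how `vid` would leave the host through `uplink`."""
    members = vid_membership(bridge_json, vid)
    findings = []
    if uplink not in members:
        findings.append(f"{uplink} is not a member of VLAN {vid}: the bridge filters those frames")
    elif members[uplink] == "untagged":
        findings.append(f"{uplink} sends VLAN {vid} untagged: the switch port must treat it as native")
    if not any(p != uplink for p in members):
        findings.append(f"no guest port carries VLAN {vid}")
    return findings


if __name__ == "__main__":
    print(vid_membership(SAMPLE, 30))
    print(check_uplink(SAMPLE, 30, "end0") or "bridge VLAN table is consistent")
```

An empty findings list means the bridge's VLAN table is not what drops the frames, which points the investigation at the NIC or its driver instead.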
 
Did you get to the bottom of your issues? - I'm also using ARM, and with the commented out line enabled, the host stops communicating. Commenting it out, and it's back online. But I want to have it VLAN aware, so I can allocate VLANs to guest VMs.

cat /etc/network/interfaces
Code:
auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.204/24
        gateway 192.168.1.1
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0
#       bridge-vlan-aware yes   bridge-vids 2-4094