Linux VLAN Interface On Host Prevents Guest Traffic on Same VLAN

[virtualbitz]

I have a host with a Linux Bond that I use for inband management and guest traffic. I have a Linux VLAN interface as part of the bridge which I use to access the host. All is well with this part of the config and everything works as expected.

The trouble starts when I have a guest that I want to run on the same VLAN as the host's Linux VLAN interface (VLAN 15). The guest cannot communicate across the bridge at all when a tag of 15 is applied to its VirtIO NIC. PCAPs from the guest show zero traffic coming in.

root@Ghost:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enx62b2b50d0b96 inet manual

iface enp71s0 inet manual

iface enx12e68fe61287 inet manual

iface enx763d12dc4f29 inet manual

iface enp72s0 inet manual

iface enxf2f20b01e65e inet manual

auto enp69s0f1
iface enp69s0f1 inet manual

iface enp74s0 inet manual

iface enp73s0 inet manual

iface enx56bcb03f2379 inet manual

auto enp69s0f0
iface enp69s0f0 inet manual

auto bond0
iface bond0 inet manual
        bond-slaves enp69s0f0 enp69s0f1
        bond-miimon 100
        bond-mode active-backup
        bond-primary enp69s0f1

auto vmbr0
iface vmbr0 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vlan15
iface vlan15 inet static
        address 192.168.15.75/24
        gateway 192.168.15.1
        vlan-raw-device bond0

auto vlan11
iface vlan11 inet static
        address 192.168.11.75/24
        vlan-raw-device bond0

 

[lokses]

I have a host with a Linux Bond that I use for inband management and guest traffic. I have a Linux VLAN interface as part of the bridge which I use to access the host. All is well with this part of the config and everything works as expected.

The trouble starts when I have a guest that I want to run on the same VLAN as the host's Linux VLAN interface (VLAN 15). The guest cannot communicate across the bridge at all when a tag of 15 is applied to its VirtIO NIC. PCAPs from the guest show zero traffic coming in.

root@Ghost:~# cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enx62b2b50d0b96 inet manual

iface enp71s0 inet manual

iface enx12e68fe61287 inet manual

iface enx763d12dc4f29 inet manual

iface enp72s0 inet manual

iface enxf2f20b01e65e inet manual

auto enp69s0f1
iface enp69s0f1 inet manual

iface enp74s0 inet manual

iface enp73s0 inet manual

iface enx56bcb03f2379 inet manual

auto enp69s0f0
iface enp69s0f0 inet manual

auto bond0
iface bond0 inet manual
        bond-slaves enp69s0f0 enp69s0f1
        bond-miimon 100
        bond-mode active-backup
        bond-primary enp69s0f1

auto vmbr0
iface vmbr0 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vlan15
iface vlan15 inet static
        address 192.168.15.75/24
        gateway 192.168.15.1
        vlan-raw-device bond0

auto vlan11
iface vlan11 inet static
        address 192.168.11.75/24
        vlan-raw-device bond0

I also faced the problem that there was no network.
Delete vlan15 and create linux vlan interface: vmbr0.15 and then it will work

Settings in my proxmox node (i have use vlan 30)

auto vmbr0
iface vmbr0 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0.30
iface vmbr0.30 inet static
        address 10.10.30.13/26
        gateway 10.10.30.1

 

[virtualbitz]

Marvelous, thank you!

 

[spirit]

yes, if you use vlan-aware bridge, you need to tag the bridge directly.

Tagging the physical interface can make conflict.

 

[virtualbitz]

I was able to get this to work through the CLI. Is is possible to do this through the GUI?

 

[lokses]

I was able to get this to work through the CLI. Is is possible to do this through the GUI?

naturally yes.
In System/Network > New > Linux VLAN
Name vmbr0.15 (15 is your virtual network tag)
And if you need an ip address in the interface, set ipv4.
Vlan raw device will be set automatically to vmrb0 and VLAN Tag will also automatically be assigned 15

 

[Evertos]

Just a note, in order to get this working please be aware that you might need to restart the vm / container to get this working.

The bellow config works fine but the machine's needed a reboot in order to work.

auto lo
iface lo inet loopback

iface enp3s0f0 inet manual

iface enp4s0 inet manual

auto enp3s0f1
iface enp3s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.x.x/24
        bridge-ports enp3s0f0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0.110
iface vmbr0.110 inet static
       address 192.168.x.x/24
       gateway 192.168.x.x

 

[virtualbitz]

Just a note, in order to get this working please be aware that you might need to restart the vm / container to get this working.

The bellow config works fine but the machine's needed a reboot in order to work.

auto lo
iface lo inet loopback

iface enp3s0f0 inet manual

iface enp4s0 inet manual

auto enp3s0f1
iface enp3s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.x.x/24
        bridge-ports enp3s0f0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0.110
iface vmbr0.110 inet static
       address 192.168.x.x/24
       gateway 192.168.x.x

Interesting, did ifreload -a not work?

 

[nfawcett]

I am having the same issue trying to get a vm to work on vlan 9. Any thoughts? Vlan 9 where the proxmox host talks to the NFS store.


Network interface on vm.

 

[nfawcett]

Solved. I have attached some screenshots of how to make it work. With this setup, you can put the vlan number on the NIC of the VM for everything except the PVE management vlan. For that you will have to attach the vm nic to the vm bridge with the tagged bond. In my case I would attach the vm nic to vmbr1v9 without a vlan tag number.

 

[Evertos]

Interesting, did ifreload -a not work?

Well I dind't gave that a try! Will do that next time!

 

[gabriele.marsano]

Solved. I have attached some screenshots of how to make it work. With this setup, you can put the vlan number on the NIC of the VM for everything except the PVE management vlan. For that you will have to attach the vm nic to the vm bridge with the tagged bond. In my case I would attach the vm nic to vmbr1v9 without a vlan tag number.

View attachment 68331

i am in a pretty same situation, but i have only two nic aggregate in bond0.
I need a separated VLAN for the vm.


with this configuration i assign vms to the vmbr0v107 their can ping other vms on the same vlan but can't ping their vlan gateway .

my /etc/network/interfaces

auto lo
iface lo inet loopback

iface eno33np0 inet manual

iface eno34np1 inet manual

auto bond0
iface bond0 inet static
        bond-slaves eno33np0 eno34np1
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3

iface bond0.107 inet manual

auto vmbr0v107
iface vmbr0v107 inet static
        bridge-ports bond0.107
        bridge-stp off
        bridge-fd 0

auto vmbr0
iface vmbr0 inet static
        address 172.16.0.142/24
        gateway 172.16.0.1
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0

source /etc/network/interfaces.d/*