Mapping a VM interface to a bridge native VLAN

O

olaszfiu

Renowned Member
Feb 23, 2015
7
0
66
Hello,
My PVE hypervisor has an interface eth0 connected to a switch port configured as a trunk, where VLAN1 is the native (untagged) VLAN and a number of other (tagged) VLANs are allowed.
On top of eth0 I created a "vlan aware" bridge, named vmbr0.

When I create a network interface for a new VM I can easily map it to a certain VLAN on vmbr0, using the "VLAN tag" option from the GUI.

But how can I map the new VM NIC to the native VLAN (i.e. untagged VLAN 1) ?

If I put "1" in "VLAN tag" from the GUI that obviously doesn't work, because the traffic gets tagged.
If I choose no tag in "VLAN tag", than the new VM sees the untagged VLAN1 traffic... but it also sees all the tagged traffic coming from other VLANs, which is not desirable for security issues.

The only workaround I found, so far, is manually adding "trunks=999" in the NIC definition of the VM config file, where "999" is a black-hole VLAN (i.e. no traffic in there).
In this way, the VM correctly sees the untagged VLAN1 traffic and no other tagged VLANs traffic (except for the 999, which has nothing in it).

I wonder if there is a more appropriate way to do this.. ?

Any help would be appreciated, thanks.

Ros
 
Don't set the bridge into vlan_aware, then for every vlan you configure on a VM a separate bridge will be created.
 
Thanks Alwin,
as you said, if vmbr0 is not vlan_aware a separate bridge is created for every "tagged" VLAN I configure on VMs. Anyway, I would still have no way to configure a VM on a bridge created on top of the native (untagged) VLAN 1... right ?
 
You should also see that each bridge is mapped to a interface with vlan tag naming (eg. enp1s0.20). This leaves the bridge without tag naming (eg. vmbr0) as untagged.
 
HI Alwin,
I tried that. I see each bridge mapped to a interface vlan tag but this doesn't seem to leave vmbr0 untagged. In fact, If I create a new VM and I map its network card to vmbr0 I still can see, from the VM (using tcpdump), a lot of 802.1q traffic coming from other VLANs.
 
This is normal, as all traffic that is not filtered away by a vlan interface (eg. enp1s0.20) is passed through. If all vlans that are allowed on that switch port are filtered, then there should only be un-tagged traffic left.

But why not tag the traffic on the switch for the interface where PVE is on and any other switch port that needs un-tagged traffic is set to it? All of those devices & VMs will see each other.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back