[SOLVED] pass only untagged traffic to vm

dirks
Feb 6, 2016
I have a bond binding two NICs connected to two switch ports, each with an untagged and multiple tagged VLANs (802.1Q). On top of the bond is a bridge (Linux ifupdown2, not OVS). Now I add some VMs. VMs which receive a VLAN tag see only the VLAN-tagged traffic, all good. VMs without a VLAN tag see the trunk traffic and not only the untagged traffic (e.g. broadcast traffic from tagged networks). Makes sense in a way, but is there an option to pass only the untagged traffic to the VM?

Code:
auto bond0
iface bond0 inet manual
        bond-slaves enp161s0f0np0 eno34np1
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2
        bond-min-links 1

auto vmbr0
iface vmbr0 inet static
        address 10.10.10.5/24
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
 
can you try to edit the vm config file, and add "trunks,..., tag=0" ?

I think it's a known bug in
/usr/share/perl5/PVE/Network.pm
where untagged is forced to vlan=1

Code:
my $bridge_add_interface = sub {
    ....
    # a port plugged without a tag is forced onto VLAN 1 as its untagged PVID
    $tag = 1 if !$tag;
    eval { run_command(['/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', $tag, 'pvid', 'untagged']) };
    die "unable to add vlan $tag to interface $iface - $@\n" if $@;
    ....
};
 
Thanks. :)

Adding "tag=0" removes the network interface. The same is true if I add the trunks parameter without VLAN ids in it, e.g. trunks,tag=0. If I read man qm correctly, trunks itself requires VLAN ids separated by ";", like trunks=0;5.


I tried

Code:
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0,firewall=1,trunks=0

which keeps the network interface, but does not change the initial situation.

What actually helped was to set tag=1. I only see traffic from/to the untagged network now. I fuzzily recall you should not use tag id 1 as it is reserved for network management.

I guess there is some validity checking when the config file is parsed, and thus the interface is dropped if it encounters trunks without further parameters or tag=0. I tried to determine whether the tagged and untagged VLAN frames actually carry an 802.1Q header or not, but reliably capturing that header with tcpdump seems to be a bit of a dark art. :)
 
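The situation above (a VM port plugged without a tag is a member of VLAN 1 untagged plus the whole 2-4094 trunk, while a port plugged with tag=1 is a member of VLAN 1 only) can be audited from the host with `bridge vlan show`. The script below is an added example, not code from the thread or from Proxmox; it parses constructed sample output in the `bridge vlan show` text format and flags tap ports that receive tagged VLANs beyond their PVID.

```python
"""Flag VM bridge ports that receive more than their untagged (PVID) VLAN.

Added example, not from the thread or Proxmox. Parses the text output of
`bridge vlan show` (the sample below is constructed) and reports tap ports
whose membership spans VLANs beyond their PVID, i.e. ports that see the
whole 802.1Q trunk the way the VM without a tag did in the thread.
"""
import re

# Constructed sample: bond0 is the trunk uplink, tap100i0 was plugged with
# tag=1 (untagged network only), tap101i0 was plugged without a tag.
SAMPLE = """\
port    vlan ids
bond0    1 PVID Egress Untagged
         2-4094

tap100i0         1 PVID Egress Untagged

tap101i0         1 PVID Egress Untagged
         2-4094
"""


def parse_bridge_vlan_show(text):
    """Return {port: [(low, high, is_pvid), ...]} from `bridge vlan show` text."""
    ports, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("port"):
            continue                      # blank line or column header
        if not line[0].isspace():         # a port name starts in column 0
            current, _, line = line.partition(" ")
            ports.setdefault(current, [])
        m = re.match(r"\s*(\d+)(?:-(\d+))?(.*)", line)
        if m and current is not None:
            low, high = int(m.group(1)), int(m.group(2) or m.group(1))
            ports[current].append((low, high, "PVID" in m.group(3)))
    return ports


def trunk_exposed_ports(ports, prefix="tap"):
    """VM ports (by name prefix) that are members of VLANs other than their PVID."""
    exposed = {}
    for port, entries in ports.items():
        if not port.startswith(prefix):
            continue
        pvid = next((lo for lo, hi, is_pvid in entries if is_pvid), None)
        extra = [(lo, hi) for lo, hi, _ in entries if not (lo == hi == pvid)]
        if extra:
            exposed[port] = extra
    return exposed


if __name__ == "__main__":
    for port, ranges in trunk_exposed_ports(parse_bridge_vlan_show(SAMPLE)).items():
        print(f"{port}: also receives tagged VLANs {ranges}")
```

On a live host, feed it the real output (`bridge vlan show`) instead of `SAMPLE`; a tap port listed with ranges beyond its PVID is one that sees the full trunk rather than just the untagged network.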
Post helped me.
Just wanted to reply to post as this may help someone doing a Google search on ESXi trunk port to 4095.
Proxmox: you delete the tag in the GUI or, as posted above, tag=0 via qm.
"ESXi 4095: this activates VGT mode. In this mode, the vSwitch passes all network frames to the guest VM without modifying the VLAN tags, leaving it up to the guest to deal with them."
 
