Problem to configure network for guest with tagged and untagged vlan

G

gech

New Member
May 13, 2021
2
0
1
51
I have a physical opnsense firewall with 4 NICs. The NICs are used for WAN, DMZ, and 2 separate environments. The traffic of each NICs will again be separated into different VLANs. My switch assigns the untagged traffic for each NIC to a different VLAN. This works fine. I want now to setup a test environment that has the same setup virtually.

Hi I have setup a fresh proxmox 6.3 on a server with 2 NIC. One NIC is for productive servers and one for test systems. The proxmox is generally working. On my old server I have several guests that are connected to the production with tagged VLANs.

But I am not getting the guest for virtual opnsense server working. I am new to proxmox but I think that it should be possible I just do it wrong.

I have fresh setup new proxmox and some guests that have tagged NICs to the linux bridges vmbr1 (tests environment) and they can reach servers on the network using the new virtual FW. But these guests use the VLANs assigned directly to the NIC in the firewall. When I want to uses a VLAN managed by the firewall no connection is possible.
The bridge is vmbr1
The untagged traffic of the firewall is vlan_2010
the tagged traffic is vlan_2015

The configuration on the guest is
Net0 = virtio=[mac],bridge=vmbr1,tag=2010

As far I can see vmbr1 don't give any traffic for the vlan_2015 to the firewall.
I made vmbr1 vlan aware. But it still don't work.

I think I need to remove the tag 2010 from the guest NIC but how do I assign then the untagged traffic coming from the guest to vlan 2010?

Do I need to assign different bridges to the firewall? I have seen that there is a command for untagged vmbr. But I have seen that it was used for untagged traffic inbound to the proxmox server. And that is not what I need.

Thanks for any suggestions.
 
Last edited:
I hope the diagram and the explanations help.

net-devices.png

eno2 is the physical NIC of the host and vmbr1 the bridge connected to it.
net0 - net3 are NICs defined to the guest FW.
net1 has the tag 30 as all traffic needs to go to VLAN 30. That works fine.
net0 should
- assign all untagged traffic from the guest to vlan 2010 and give it back as untagged
- pass the traffic for vlan 2110, 2211 and 2231
net2 should
- assign all untagged traffic from the guest to vlan 2015 and give it back as untagged
- but also pass the traffic for vlan 2510, 2511 and 2512
net3 should
- assign all untagged traffic from the guest to vlan 2016 and give it back as untagged
- but also pass the traffic for vlan 2910, 2911 and 2912

On the physical FW I make this with configuring the switch and I would like to set up the virtual FW the same way to be able to test a new setup and build a test environment.


The content of /etc/network/interfaces is
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eno1 inet manual

auto eno2
iface eno2 inet manual

auto vmbr0
iface vmbr0 inet static
address 10.17.20.10/24
gateway 10.17.20.1
bridge-ports eno1
bridge-stp off
bridge-fd 0
#management and load interface - prod

auto vmbr1
iface vmbr1 inet manual
bridge-ports eno2
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094
#load interface - test
 
ah yes the diag makes it easier now. thanks.

my first thought was that's not possible with only one bridge 'cause how should the bridge handle untagged traffic from net0, net2, net3 and you want to distinguish it to vlan 2010, 2015, 2016 - the vlan tag in the frame is missing.
but I'm also not very good at debian networking :)

maybe there is a command to tell: net0 native vlan 2010, net2 native vlan 2015,...but I don't have enough knowledge with that.

I'm pretty sure creating separate bridges would be a workaround but I don't know if it is possible in your physical setup...
 
6uellerbpanda said:
ah yes the diag makes it easier now. thanks.

my first thought was that's not possible with only one bridge 'cause how should the bridge handle untagged traffic from net0, net2, net3 and you want to distinguish it to vlan 2010, 2015, 2016 - the vlan tag in the frame is missing.
but I'm also not very good at debian networking :)

maybe there is a command to tell: net0 native vlan 2010, net2 native vlan 2015,...but I don't have enough knowledge with that.

I'm pretty sure creating separate bridges would be a workaround but I don't know if it is possible in your physical setup...
Click to expand...
I also believe this is correct, I have not been able to create tagged and untagged in the same bridge.
 
Hi, I have looked at the code, it's already possible to define it with "trunks" net option.
it's not available in the gui, but you can edit your vmid.conf file,

with for example:

Code: 
net2: .....,tag=2015,trunks=2510;2511;2512
 
  • Like
Reactions: DaVV
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom