Proxmox 8.4.0 - VM multiple vlans

[tgwaku]

Hey peeps,

I've tested almost every configuration i can think of and am still having issues.

i have an ubuntu server and i've configured the netplan yaml to vlan 10 and 100 to ens18

netplan applys and works as expected

vlans only seem to work if i tag the actually nic in the hardware of the vm.

now... i want to tag the nic for multiple vlans.. you all probably know already that the nic will only let you tag one vlan.

i can get around this by adding multiple nics to my server and configuring an ip for each.

but surely there is a way to trunk the vm nic so i can configure the vlans in ubuntu yaml and have it pass through the vlan tags (10 and 100) to my switch....

i've read almost every post and watched every video online (i swear!) either im missing a critial step or this or my proxmox networking is bugged somehow (the only conclusion i can come to *laugh*)

i've create a bridge in proxmox networking that is vlan aware, created a linux vlan and pointed its raw device to the physical interface (enp42s0) with the tag 100 (for example)

and unless i have the nic tagged as 100, it doesnt pass traffic... let alone trying to make ANOTHER linux vlan and pointing to the nic to have both 10 an 100 vlans tagged on my physical interface that the bridge points to (vmbr1 -> enp42s0)

and ALSO, i've tried pointing the linux vlans for 10 and 100 to the vmbr1 bridge but no success.

im really grasping at straws here. please tell me what im doing wrong.

-tgwaku

 

[mjtbrady]

You can tag multiple VLANs on the VM NIC, but not using the GUI. Or least I have never figured out how if you can.

In the VM's config file you use "trunks" instead of "vlan".

Config files are in /etc/pve/qemu-server.

For example

net2: virtio=52:54:00:ea:d9:47,bridge=vmbr0,trunks=46;12;16;56;27;11;18;20;14;84

and stop and start the VM.

vmbr0 is a vlan aware bridge. In my case the bridge is connected to the switch using a 2 port bond. The bond is configured for tagged traffic only on the switch end. All other VMs on vmbr0 will need to have a "vlan" set on their NIC.

Documentation is here https://pve.proxmox.com/pve-docs/pve-admin-guide.html. Do a text search for "trunks".

 

[tgwaku]

i've configured the trunks=10;100;etc with a vlan aware bridge that points to enp42s0 physical network interface but the vm still cant ping the gateway ip. ip settings are configured on the OS in netplan yaml (with vlans setup on the os netplan)

so:

1. netplan = static ip / vlans configured
2. vm nic trunk=10;50;100 enabled in the vm .conf file
3. host proxmox networking has bridge (vmbr1) vlan aware and point at enp42s0 physical nic.
4. cisco switch = tagged ports 10,50,100 on switchport mode trunk on both link to router lan interface and proxmox host nic enp42s0
5. pfsense router tagged lan interface, vlan 10/50/100
6. firewall rules allow vm's ip on 100 vlan to allow all ports to vlan gateway.
7. ping from vm to gateway fails.. (unless "trunks=" option removed and vlan tag added in which case it pings fine)

still no worky

 

[mjtbrady]

The example I sent was out of the config for my pfSense VM, so this does work.

Can you send the Proxmox

/etc/network/interfaces

file and the VM config file.

If those are correct then it is the switch, the Ubuntu VM or pfSense. Can you configure an access port for vlan 100 on the Cisco and plug something into that. Can either the pfSense or the VM be accessed from there? If you can't get to either, my first guess would that it is the switch?

Has netplan actually configured everything correctly in the VM? Best way to check is in the VM do an

ip a

and an

ip r

 

[tgwaku]

The example I sent was out of the config for my pfSense VM, so this does work.

Can you send the Proxmox

/etc/network/interfaces

file and the VM config file.

If those are correct then it is the switch, the Ubuntu VM or pfSense. Can you configure an access port for vlan 100 on the Cisco and plug something into that. Can either the pfSense or the VM be accessed from there? If you can't get to either, my first guess would that it is the switch?

Has netplan actually configured everything correctly in the VM? Best way to check is in the VM do an

ip a

and an

ip r

Thanks for your help mate but i think i've finally fixed it...

my god i hope this helps someone in future because this is pretty confusing and hard to find information with lots of different answers.

Multipule vlans on single nic proxmox vm.... (trunk nic)

1. create vmbr1 bridge and make (tick) vlan aware...



2. Create linux vlans (in my example vlan 10 and 100) using enp42s0.10 or enp42s0.100 format auto fills the info for you... but you CAN use a custom name if you desire.



3. after creating linux vlans, go back into vmbr1 bridge and point bridge to linux vlans in the bridge ports section... (seperate with a space) you can put as many vlans as you want here.


4. with two vlans configured it should look something like this:


5. apply configuration changes button at the top...

6. go to your vm that you want to trunk the nic of or have multipule vlans on one nic.. and add a virtual network interface to the vm under "hardware"
select the vmbr1 bridge, and DO NOT set a vlan tag.

7. then, login to proxmox shell and cd to "/etc/pve/qemu-server/"
once in the folder you can use the command "ls" to list the vm configs.
run "sudo nano 101.conf" to edit the config (replace 101 with vm number)
add the "trunks=10;100" to the net line, e.g. 10/100 being your vlans that you wanna tag/trunk... (you CAN have more than two, im just using this for demo). should looks like this: net0: virtio=BF:24:12:ED:994,bridge=vmbr1,trunks=10;100

8. start or reboot your VM and trunking / vlans 10 and 100 should work on vmbr1 bridge assinged to your vm NIC!!!!!

Additional Notes:
you must make sure your ip settings/ethernet adapter e.g. interface INSIDE your OS are vlan tagged for 10 and 100, and either static or dhcp to your desire.
also if you must have a switch capable of tagging switchports as vlans, you'll need to have 10 and 100 tagged on the switch side of your proxmox nic (enp42s0) and the lan uplink to the router must be tagged a well (10 and 100) and inside your router OS you must have the lan link tagged for vlans 10 and 100
also... firewall rules for your subnets/vlans (if using mulitiple) must allow traffic between vlan/subnets.

PHEW!! i hope this tutorial brings you great happiness!

-tgwaku

 

[mjtbrady]

That does not look right. You should not need the Linux VLAN interfaces as bridge ports. Only the interface itself (enp42s0) should be required.

The interfaces file from one of my PVE hosts is below.

auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet manual

auto enp3s0
iface enp3s0 inet manual

iface enp4s0 inet manual

iface enp5s0 inet manual

auto bond0
iface bond0 inet manual
    bond-slaves enp2s0 enp3s0
    bond-miimon 100
    bond-mode 802.3ad

auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp5s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094
#WAN

auto Management
iface Management inet static
    address 10.42.27.26/24
    gateway 10.42.27.11
    vlan-id 27
    vlan-raw-device vmbr0

 

[tgwaku]

your right it ended up not working, idk what i did...

okay, so now.. my vmbr1 bridge is "vlan aware" and bridge port is enp42s0 (the physical nic)
my ubuntu server vm has "trunk=50;100", and a second nic ive added which is tagged vlan 10 on the nic settings
the vm has vmbr1 on both nics as the interface:


this is my yaml file in ubuntu server:



the idea is the have ens19 (the second nic on the vm hardware tab) as a mangement nic.
and then have ens18 tagged for 50 and 100 vlans.

i can ping the default vlan gateway for vlan 10 (192.168.10.1) but not the gw for 192.168.100.1 :'(

 

[mjtbrady]

A few things.

1. You don't need ens19.10. ens19 is receiving untagged traffic.
2. ens18 should not have an ip address.
3. ens18.50 and ens18.100 need to have ip addresses for there respective vlans.