Proxmox and VLANs

12pharoh21

Mar 12, 2026
Hello all,

I'm somewhat new to Proxmox, been using it for a couple months with just a few VMs for testing, but now I'm going through the process of moving all of my ESXi VMs to Proxmox to get away from ESXi.

I'm wanting to make sure I'm correctly understanding some info I'm finding, but I'm kinda lost. Here's what I'm trying to do.

I am running a SonicWall firewall in Proxmox, and I'm trying to have my main X0 interface handle a few VLANs. I would like to have the VLAN for the interface have a native VLAN 30 and still pass the other VLANs' traffic through that interface. Within SonicWall I'm not able to specify a VLAN on the parent interface, which is why I wanted to set the native VLAN on the interface in Proxmox, then have the other VLANs pass into it. I have the following VLANs:

30 (main LAN and want native on the interface)
50
60
100
110

I have several interfaces on this host, including a 10G SFP+ module.

eno1 is tied to vmbr0
enp130s0f1 is tied to vmbr1 (this is the 10G interface)
--Both of these interfaces are set to VLAN aware

For the NIC of the VM, I have it set to use vmbr1 with a VLAN tag of 30. If I'm understanding correctly, you're not able to set a VLAN on the interface in Proxmox and still have it use the other VLANs; you have to leave the VLAN field blank, then Proxmox will treat that interface as a trunk and pass all the VLANs. Is that correct?
 
Yes, Proxmox can assign VLAN tag 30 to a VM NIC, but that is usually the equivalent of putting that virtual NIC into VLAN 30, not making it a trunk with native VLAN 30 plus additional tagged VLANs.

If you want the SonicWall interface to carry multiple VLANs, you would normally leave the VM NIC untagged in Proxmox and use a VLAN-aware bridge, then handle the VLANs inside the firewall VM.

So the main question is whether SonicWall can treat that interface as a trunk and how it handles the untagged/native network, rather than whether Proxmox can tag VLAN 30 at all.
 
The SonicWall will treat the interface as a trunk without issue by setting up different VLANs as virtual interfaces with X0 being the parent. I have it set up on an ESXi server, though I don't have the native VLAN 30 but the default VLAN 1, and it is working. The reason I want to set the native VLAN to 30 is that I'm trying to set up one of my wifi SSIDs to use VLAN 30 for my admin devices so they will get an IP in the same subnet as my hardwired devices, which are all in the X0 subnet. It sounds like what I'm trying to do isn't going to work, so I'll just need to leave the VLAN blank and have it pass all VLAN tags to the firewall, and separate the networks like I have been.
 
Right, that makes sense if SonicWall cannot assign a VLAN ID to the parent interface. In that case X0 would likely always represent the untagged network.

Typically this might be handled by setting the native VLAN on the switch port that connects to the Proxmox host. The VM NIC in Proxmox could then remain untagged so the trunk is passed directly to the firewall VM.

This also seems slightly different from ESXi. In ESXi you would normally place a VM NIC into a port group that already has a VLAN ID defined, so the hypervisor effectively handles the tagging/untagging for that network. In Proxmox with a Linux bridge, setting a VLAN tag on the VM NIC behaves more like an access port, while leaving it empty tends to allow the trunk to pass through to the VM.

So the traffic flow might look something like this:

Switch port
    native VLAN 30
    tagged VLANs 50,60,100,110
        ↓
Proxmox bridge
        ↓
SonicWall VM
    └ X0 (untagged network)
        X0:V50
        X0:V60
        X0:V100
        X0:V110

In that scenario the X0 interface would receive VLAN 30 traffic untagged, while the other VLANs would arrive tagged and could be created as VLAN interfaces inside SonicWall.

Just to confirm — how is the switch port connected to the Proxmox host currently configured? Is it already a trunk, and what is the native VLAN set to?

Also curious if others here would approach it the same way, or if there is a better pattern when running SonicWall as a VM on Proxmox.
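
The access-port versus trunk behaviour described in this reply can be checked on the Proxmox host from the bridge's VLAN table. The sketch below is an added example, not part of the thread: it parses `bridge -j vlan show` JSON, and the sample data (hypothetical tap names `tap100i0` with tag 30 and `tap101i0` with the tag left blank) is constructed and assumed to match that command's layout.

```python
import json

# Constructed sample of `bridge -j vlan show` output (not taken from the thread).
# tap100i0: VM NIC on vmbr1 with VLAN tag 30; tap101i0: VM NIC with the tag left blank.
SAMPLE = json.dumps([
    {"ifname": "enp130s0f1", "vlans": [
        {"vlan": 1, "flags": ["PVID", "Egress Untagged"]},
        {"vlan": 2, "vlanEnd": 4094}]},
    {"ifname": "tap100i0", "vlans": [
        {"vlan": 30, "flags": ["PVID", "Egress Untagged"]}]},
    {"ifname": "tap101i0", "vlans": [
        {"vlan": 1, "flags": ["PVID", "Egress Untagged"]},
        {"vlan": 2, "vlanEnd": 4094}]},
])

def load_ports(text):
    """Map ifname -> list of (first_vid, last_vid, flags) from the bridge JSON."""
    ports = {}
    for entry in json.loads(text):
        ports[entry["ifname"]] = [
            (v["vlan"], v.get("vlanEnd", v["vlan"]), set(v.get("flags", [])))
            for v in entry.get("vlans", [])]
    return ports

def egress(ports, ifname, vid):
    """How a frame in bridge VLAN `vid` leaves the port: untagged, tagged or dropped."""
    for first, last, flags in ports[ifname]:
        if first <= vid <= last:
            return "untagged" if "Egress Untagged" in flags else "tagged"
    return "dropped"

def pvid(ports, ifname):
    """VLAN that untagged frames arriving on the port are classified into."""
    for first, _last, flags in ports[ifname]:
        if "PVID" in flags:
            return first
    return None  # no PVID: untagged ingress frames are dropped

def mode(ports, ifname):
    """'access' if the port is a member of exactly one VLAN, otherwise 'trunk'."""
    count = sum(last - first + 1 for first, last, _flags in ports[ifname])
    return "access" if count == 1 else "trunk"

if __name__ == "__main__":
    ports = load_ports(SAMPLE)
    for name in ports:
        print(name, mode(ports, name), "pvid", pvid(ports, name),
              {v: egress(ports, name, v) for v in (1, 30, 50, 60, 100, 110)})
```

In the sample, the tagged NIC only ever sees VLAN 30 and sees it untagged, while the untagged NIC receives the uplink's untagged traffic on X0 and VLANs 50, 60, 100 and 110 with their tags intact.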
 
Your example of traffic is what I was planning to do as a backup if this definitely doesn't work, which it sounds like it won't. Not a big deal, but I do have the option of making the switch port native 30, then tagging the other VLANs. It will just require some rework on the switch side for all of the other ports, but that's not a huge deal.

I actually work for SonicWall, and Proxmox is only newly supported in the virtual line of firewalls, so there aren't a ton of examples out there. I think doing the switch port is going to be the best way to go about this. I'll start working on all of this and migrate all my VMs to the Proxmox server.

I thank you for your time, you've been very helpful.
 
Why not just create 5 virtual interfaces, one per VLAN, marked in PVE?
I don't want to assign each VLAN to its own interface because the NSv only allows for 8; I want to utilize the virtual interfaces under X0. I use some of the other interfaces for testing other firewalls and devices and for high availability connection between my other Proxmox server for the backup firewall in case the first fails for some reason.
 