Restricting a VLAN trunk connected interface to a single VLAN?

A

ADFHogan

New Member
Feb 24, 2024
10
0
1
Melbourne, Australia
blog.anthony.hogan.id.au
I got some wonderful help in the last post I made, where I asked about trunking VLANs between VMs and physical hardware, and have things working at least now.

Question I have now..

Given the following interfaces file:

Code: 
root@pve:/etc/network# cat interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface enp4s0 inet manual
#Ethernet 1 - Admin LAN

iface enp5s0 inet manual
        bridge-access 2
#Ethernet 2 - NVR

iface enp6s0 inet manual
#Ethernet 3

iface enp7s0 inet manual
#Ethernet 4

iface eno1 inet manual
#SFP+ 1

iface eno2 inet manual
#SFP+ 2

iface eno3 inet manual
#SFP+ 3

iface eno4 inet manual
#SFP+ 4

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.254/24
        gateway 192.168.1.1
        bridge-ports enp4s0 enp5s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#Default admin bridge

source /etc/network/interfaces.d/*

I have enp5s0 connected to my security DVR with the intent of being able to see within its physically separate internal camera network. The physical connection is untagged, but I want it going into VLAN 2. I've used "bridge-access" directive against the NIC, and this appears to work, and I've been able to create a VLAN in OPNsense VM that has a VirtIO NIC attached to the vmbr0 gateway.

The way I'm reading things here, however, suggests that setting bridge-access in enp5s0 doesn't filter out other tagged VLANs going across the bridge to the NIC. What other directives on the enp5s0 NIC should I set? I'm thinking it's probably bridge-vids ? But what about untagged traffic on the bridge? Will that be disregarded because I've set the untagged vlan ID explicitly?

(For those curious, enp8s0 is my WAN interface, but to rule out chances of its packets leaking around firewall, it's PCI mapped directly to firewall VM)
 
Last edited:
Will this work?
bridge-ports enp4s0 enp5s0

I use always a bond, eg. bond0 setup ports to that bond and the attach the bond0 to the vmbr0.
 
What will the bond give me?
Semantically I'd normally see a bond between two interfaces for joining two segments of the same network - in this case one NIC has multiple VLANs (tagged and untagged), and one should only have a single untagged VLAN.

Or are you talking about putting some VLAN tag restrictions on the bond?
 
ok so you have 2 interfaces connected to OPNsense ?
one you want as untagged for the untagged network and the other as trunk?

if so you will need a bridge for the untagged interface thats not vlan aware that you include the untagged network card too
you then have a vlan aware bridge for the other card and attach the virtual nics to the relevant bridges.


either that or pass the untagged nic via pass though directly to opnsense
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back