Stuck with VLAN configuration

El Granjero

New Member
Apr 15, 2024
For the past weeks I've been trying to get the following to work, without success. As of now, I'm even doubting whether it's possible to achieve.

What i want to achieve
I've got two mini PCs with Intel N95 processors, both running PVE and clustered. I want to be able to host containers on either node while keeping network connectivity between both containers. As an example, have a container running NGINX as a proxy on node 1, and have node 2 host a webserver container. I want to achieve this by using VLANs, so I can separate them IP-wise. Say 192.168.2.* for NGINX, and 192.168.10.* for the webserver.

Available hardware
- 2 Mini PCs running PVE;
- TP-Link archer ax50 (only supports static routing, no VLAN (tagging) whatsoever);
- TP-Link TL-SG108E (Layer 2 switch).

As I've spent a lot of time trying all sorts of different configurations without any luck, I'm curious whether it's technically even possible for me to achieve. Any feedback on the possibility, or any tips to get the configuration into a working state, are greatly appreciated.
 
I want to achieve this by using VLANs, so I can separate them IP-wise. Say 192.168.2.* for NGINX, and 192.168.10.* for the webserver.
You don't need VLANs to use different IP networks on the same link. If both devices are in different IP networks, they will need a router anyway to communicate with each other. The router can of course be a container or VM on one of the PVE nodes.
What do you want to gain in this setup by using VLANs?
 
My understanding was that by using VLANs I would be able to achieve what I stated above, but it looks like that is not how it works. Besides that, I'd like to use VLANs as they're used in professional environments too, simply to get a better understanding and gain some experience by using them.
 
VLANs can be used for various reasons; separating different types of traffic on the same physical layer is the most common. In your example you have two machines which need to exchange data. If you put them in different IP networks, you need a router to interconnect these networks.
If you additionally put them in different VLANs, you will still need the router; you have just added the complexity of VLANs to the configuration.

So for example it could be like that:
nginx
interface 1: ip 192.168.2.2/24 in vlan 2
interface 2: ip <from external network> (untagged)
The nginx will need the second interface to the public/external network only if access from external network is required, no VLAN tag here.

webserver
interface 1: ip 192.168.10.2/24 in vlan 10

router
interface 1: ip 192.168.2.1/24 in vlan 2
interface 2: ip 192.168.10.1/24 in vlan 10

Create the Linux VLANs on your PVE nodes and assign them to the network interfaces of the VMs.
Make sure that your switch forwards vlan tagged traffic for the chosen VLANs on the ports your PVE nodes are connected to.
As router you can use the Linux distribution of your choice; smaller is usually better, because the router has nothing fancy to do here. The router's IP 192.168.10.1 should be configured as the gateway for the webserver. For the nginx, the default route should point to the external network, probably the wifi router (?); just a single route to the webserver via the router's IP 192.168.2.1 needs to be added.
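The layout the reply above describes, written out as an added example (not the reply author's configuration or anything from the thread). Everything here is hypothetical and only emitted as text for review: the nodes' NIC name (enp1s0) and management addresses (192.168.0.11/24 via 192.168.0.1), and the container IDs (CT 100 = nginx on node 1, CT 101 = webserver on node 2, CT 102 = router on node 1) are all assumptions. It uses a single VLAN-aware vmbr0 on each PVE node, puts the containers on it with 802.1Q tags via pct, gives the router container one leg per VLAN, and adds the one thing the reply does not mention but a router between two segments should have: a forward policy that only allows the nginx-to-webserver HTTP traffic (and its return traffic) to cross.

```shell
#!/bin/sh
# Added example, not from the forum thread. All names, IDs and addresses are
# hypothetical. Nothing is applied: each function prints what would be run.

# 1. /etc/network/interfaces stanza for a PVE node: one VLAN-aware bridge that
#    carries the untagged management traffic plus tagged VLANs 2 and 10.
#    $1 = this node's untagged management address (CIDR), $2 = its gateway
pve_bridge_config() {
    cat <<EOF
iface enp1s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address $1
    gateway $2
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2 10
EOF
}

# 2. pct command attaching a container NIC to vmbr0, optionally with a VLAN tag.
#    $1 = CTID, $2 = NIC index, $3 = VLAN tag (empty = untagged),
#    $4 = ip (CIDR or dhcp), $5 = gateway (optional)
ct_net_cmd() {
    tag=""
    [ -n "$3" ] && tag=",tag=$3"
    gw=""
    [ -n "$5" ] && gw=",gw=$5"
    printf 'pct set %s -net%s name=eth%s,bridge=vmbr0%s,ip=%s%s\n' \
        "$1" "$2" "$2" "$tag" "$4" "$gw"
}

# 3. Commands to run inside the router container: enable forwarding, and only
#    forward what the design needs (nginx -> webserver:80, plus return traffic).
#    eth0 is the VLAN 2 leg, eth1 the VLAN 10 leg.
#    $1 = nginx address, $2 = webserver address
router_config() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
nft -f - <<'NFT'
table inet vlanfw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "eth0" oifname "eth1" ip saddr $1 ip daddr $2 tcp dport 80 accept
    }
}
NFT
EOF
}

# 4. Static route to run inside the nginx container, whose default route points
#    at the external network, not at the VLAN router.
#    $1 = destination network, $2 = router address in VLAN 2
nginx_route_cmd() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

main() {
    echo "# node 1 /etc/network/interfaces (node 2 the same with its own address):"
    pve_bridge_config 192.168.0.11/24 192.168.0.1
    echo "# nginx CT 100: VLAN 2 leg plus untagged external leg"
    ct_net_cmd 100 0 2 192.168.2.2/24
    ct_net_cmd 100 1 "" dhcp
    echo "# inside CT 100 once it is up:"
    nginx_route_cmd 192.168.10.0/24 192.168.2.1
    echo "# webserver CT 101: VLAN 10, router as default gateway"
    ct_net_cmd 101 0 10 192.168.10.2/24 192.168.10.1
    echo "# router CT 102: one leg in each VLAN"
    ct_net_cmd 102 0 2 192.168.2.1/24
    ct_net_cmd 102 1 10 192.168.10.1/24
    echo "# inside CT 102:"
    router_config 192.168.2.2 192.168.10.2
}
main
```

Two checks before expecting this to work. On the TL-SG108E, the 802.1Q VLAN page must list VLANs 2 and 10 with the ports of both PVE nodes as tagged members, while those ports keep PVID 1 so the untagged management and nginx external traffic stays on the default VLAN; without that, tagged frames from one node never reach the other and the webserver is unreachable from the router when the two end up on different nodes. And note that the nginx container's untagged leg shares a segment with the PVE management interfaces, so anything reachable from that leg is reachable from the nginx container too; the VLAN 2/10 split only isolates the proxy-to-webserver path.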
 
Thanks a lot, that's some food for thought. I'll be experimenting in the coming time to see if I can get it all to work. I'll get back here once I've got it all working, to write it all down and hopefully help someone else in case they ever run into the same question/issue I'm currently having.
 
You have one LAN cable to a NIC per N95 server. That NIC has one static IP.

So they are already separated IP-wise.
Put both servers on the same untagged switch, maybe even on the switched ports of your ax50/Archer.
Connect them to your vmbr0 bridge on both PVE nodes, and you should be able to migrate/replicate them in your HA cluster in both directions.

Skip VLANs in your setup, and read some VLAN documentation more often.

Trash the ax50 Archer and get an OpenWrt-capable router (TP-Link WDR4300, Archer A7). As your question is more network-related, the OpenWrt forums will bring more knowledge, as it's a more common question there.