[SOLVED] Traffic does not pass through a specific VLAN tag on a virtual machine

[Liding]

There is a problem when adding a virtual machine to a VLAN.

The situation is as follows:

VLAN 10 is configured on Mikrotik. A DHCP server is also configured for this network.

When adding a VLAN tag to the virtual machine interface, the virtual machine does not receive an address via DHCP. If you make the settings static and enter the address yourself, there is no connection to the default gateway.

At the same time, if I assign another tag to the virtual machine (for example, 555), identical in settings to tag 10, then the virtual machine will receive an address via DHCP and will have a connection.

On Proxmox itself, the eno1np0 interface is configured, to which the vmbr0 bridge is attached. VLAN aware is enabled on vmbr0 and bridge-vids 2-4094 are permitted.

The firewall is disabled on the datacenter and virtual machine.

Based on the tcpdump output, DHCP address requests are sent to MikroTik, and the response comes back to the eno1np0 interface, but does not go to the vmbr0 and tap118i0 interfaces (118 is the ID of my virtual machine).

Below is the output of the tcpdump command for different interfaces.
tcpdump -eni eno1np0 'vlan 10 and (port 67 or port 68)'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eno1np0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:01:30.801625 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:30.806312 48:8f:5a:e4:da:e8 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:01:32.801657 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:33.385065 48:8f:5a:e4:da:e8 > bc:24:11:83:7d:3f, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.1.67 > 192.168.10.17.68: BOOTP/DHCP, Reply, length 300
15:01:35.039445 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:35.042574 48:8f:5a:e4:da:e8 > bc:24:11:83:7d:3f, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.1.67 > 192.168.10.17.68: BOOTP/DHCP, Reply, length 300
15:01:39.965960 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:39.969384 48:8f:5a:e4:da:e8 > bc:24:11:83:7d:3f, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4 (0x0800), 192.168.10.1.67 > 192.168.10.17.68: BOOTP/DHCP, Reply, length 300


tcpdump -eni vmbr0 port 67 or port 68
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:01:30.801636 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:32.801664 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:35.039453 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:39.965967 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:01:48.732715 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:02:05.558621 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:02:16.828551 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:02:18.828535 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
15:02:21.370864 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297


tcpdump -eni tap118i0 'port 67 or port 68'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tap118i0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:15:15.854742 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
11:15:17.854720 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
11:15:20.468537 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
11:15:25.232607 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297

This is setup of my network device on virtual machine:

 

[shanreich]

Can you post your current network configuration?

cat /etc/network/interfaces

ip a
ip r

 

[Liding]

Of course!

cat /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eno1np0
iface eno1np0 inet manual

iface ens1f0 inet manual

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

iface ens1f1 inet manual

iface eno2np1 inet manual

iface eno3np2 inet manual

iface eno4np3 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.28.10/24
gateway 192.168.28.4
bridge-ports eno1np0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet manual
bridge-ports eno2np1
bridge-stp off
bridge-fd 0

source /etc/network/interfaces.d/*


ip a:


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever


2: eno1np0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000
link/ether a4:be:2b:26:0c:0c brd ff:ff:ff:ff:ff:ff
altname enp26s0f0np0

8: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether a4:be:2b:26:0c:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.28.10/24 scope global vmbr0
valid_lft forever preferred_lft forever
inet6 fe80::a6be:2bff:fe26:c0c/64 scope link
valid_lft forever preferred_lft forever

3029: tap118i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
link/ether 32:59:b7:44:fc:dc brd ff:ff:ff:ff:ff:ff

ip r:

default via 192.168.28.4 dev vmbr0 proto kernel onlink
192.168.28.0/24 dev vmbr0 proto kernel scope link src 192.168.28.10

 

[shanreich]

You said in your initial post that DHCP works for any other VLAN tag? Would you mind posting a tcpdump of that?

can you post the output of the following command as well?

bridge fdb show

If you could post the command output in CODE tags, that would make parsing the output of the commands easier!

 

[Liding]

I assigned VLAN 555, which I mentioned earlier, to the virtual machine:

root@pve-test:~# bridge vlan show | grep 118

tap118i0          555 PVID Egress Untagged

Below is the tcpdump output while obtaining an address via DHCP:

root@pve-test:~# tcpdump -eni eno1np0 'vlan 555 and (port 67 or port 68)'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eno1np0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:04:53.074322 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 555, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
10:04:53.081334 48:8f:5a:e4:da:e8 > bc:24:11:83:7d:3f, ethertype 802.1Q (0x8100), length 346: vlan 555, p 0, ethertype IPv4 (0x0800), 10.28.4.1.67 > 10.28.4.50.68: BOOTP/DHCP, Reply, length 300

root@pve-test:~# tcpdump -eni vmbr0 'vlan 555 and (port 67 or port 68)'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:04:53.074331 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 343: vlan 555, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
10:04:53.081347 48:8f:5a:e4:da:e8 > bc:24:11:83:7d:3f, ethertype 802.1Q (0x8100), length 346: vlan 555, p 0, ethertype IPv4 (0x0800), 10.28.4.1.67 > 10.28.4.50.68: BOOTP/DHCP, Reply, length 300

root@pve-test:~# tcpdump -eni tap118i0 port 67 or port 68
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tap118i0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:04:53.074263 bc:24:11:83:7d:3f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 339: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:83:7d:3f, length 297
10:04:53.081342 48:8f:5a:e4:da:e8 > bc:24:11:83:7d:3f, ethertype IPv4 (0x0800), length 342: 10.28.4.1.67 > 10.28.4.50.68: BOOTP/DHCP, Reply, length 300

I have now returned tag 10 to my virtual machine.

root@pve-test:~# bridge fdb show | grep tap118i0
bc:24:11:83:7d:3f dev tap118i0 vlan 10 master vmbr0
32:59:b7:44:fc:dc dev tap118i0 vlan 10 master vmbr0 permanent
32:59:b7:44:fc:dc dev tap118i0 master vmbr0 permanent
33:33:00:00:00:01 dev tap118i0 self permanent
01:00:5e:00:00:01 dev tap118i0 self permanent

root@pve-test:~# bridge fdb show | grep 'dev vmbr0'
33:33:00:00:00:01 dev vmbr0 self permanent
33:33:00:00:00:02 dev vmbr0 self permanent
01:00:5e:00:00:6a dev vmbr0 self permanent
33:33:00:00:00:6a dev vmbr0 self permanent
01:00:5e:00:00:01 dev vmbr0 self permanent
33:33:ff:26:0c:0c dev vmbr0 self permanent
33:33:ff:00:00:00 dev vmbr0 self permanent

root@pve-test:~# bridge fdb show | grep 'dev eno1np0'
ec:d6:8a:81:6e:ca dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d4:90 dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d3:33 dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d4:5a dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d3:f3 dev eno1np0 vlan 1 master vmbr0
a0:ff:0c:d1:cd:51 dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d4:63 dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d3:5e dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d1:05 dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d1:7a dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d4:4c dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:a9:d1:92 dev eno1np0 vlan 1 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 2820 master vmbr0
82:f2:d7:99:1b:09 dev eno1np0 vlan 2839 master vmbr0
3a:67:7c:99:f3:33 dev eno1np0 vlan 200 master vmbr0
9a:90:d4:ed:7d:39 dev eno1np0 vlan 2810 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 2822 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 2810 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 200 master vmbr0
26:0b:27:8b:23:d4 dev eno1np0 vlan 1 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 555 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 2810 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 200 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 2820 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 1 master vmbr0
2c:c8:1b:71:e6:10 dev eno1np0 vlan 1 master vmbr0
0c:38:3e:1e:99:68 dev eno1np0 vlan 1 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 556 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 556 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 2822 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 2839 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 555 master vmbr0
3c:1b:f8:4f:8f:b1 dev eno1np0 vlan 1 master vmbr0
48:8f:5a:e4:da:e8 dev eno1np0 vlan 2830 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 2830 master vmbr0
48:8f:5a:e4:da:e7 dev eno1np0 vlan 1 master vmbr0
18:e7:28:18:69:32 dev eno1np0 vlan 1 master vmbr0
08:54:11:12:43:83 dev eno1np0 vlan 1 master vmbr0
30:e1:71:6a:60:3c dev eno1np0 vlan 1 master vmbr0
bc:9b:5e:1a:41:bb dev eno1np0 vlan 1 master vmbr0
bc:9b:5e:32:ba:79 dev eno1np0 vlan 1 master vmbr0
64:29:43:0a:c7:df dev eno1np0 vlan 1 master vmbr0
3c:1b:f8:07:1a:26 dev eno1np0 vlan 1 master vmbr0
00:11:32:08:b3:23 dev eno1np0 vlan 1 master vmbr0
30:e1:71:6e:6a:8c dev eno1np0 vlan 1 master vmbr0
a4:be:2b:26:0c:0c dev eno1np0 vlan 4094 master vmbr0 permanent
a4:be:2b:26:0c:0c dev eno1np0 vlan 4093 master vmbr0 permanent
a4:be:2b:26:0c:0c dev eno1np0 vlan 4092 master vmbr0 permanent
...
...
...
a4:be:2b:26:0c:0c dev eno1np0 vlan 1 master vmbr0 permanent
a4:be:2b:26:0c:0c dev eno1np0 master vmbr0 permanent
33:33:00:00:00:01 dev eno1np0 self permanent
01:00:5e:00:00:01 dev eno1np0 self permanent
01:80:c2:00:00:21 dev eno1np0 self permanent
48:8f:5a:e4:da:e8 dev eno1np0.15 master vmbr0v15
64:29:43:0a:c7:df dev eno1np0.15 master vmbr0v15
a4:be:2b:26:0c:0c dev eno1np0.15 vlan 1 master vmbr0v15 permanent
a4:be:2b:26:0c:0c dev eno1np0.15 master vmbr0v15 permanent
33:33:00:00:00:01 dev eno1np0.15 self permanent
01:00:5e:00:00:01 dev eno1np0.15 self permanent
a4:be:2b:26:0c:0c dev eno1np0.11 vlan 1 master vmbr0v11 permanent
a4:be:2b:26:0c:0c dev eno1np0.11 master vmbr0v11 permanent
33:33:00:00:00:01 dev eno1np0.11 self permanent
01:00:5e:00:00:01 dev eno1np0.11 self permanent
a4:be:2b:26:0c:0c dev eno1np0.13 vlan 1 master vmbr0v13 permanent
a4:be:2b:26:0c:0c dev eno1np0.13 master vmbr0v13 permanent
33:33:00:00:00:01 dev eno1np0.13 self permanent
01:00:5e:00:00:01 dev eno1np0.13 self permanent
64:29:43:0a:c7:df dev eno1np0.12 master vmbr0v12
a4:be:2b:26:0c:0c dev eno1np0.12 vlan 1 master vmbr0v12 permanent
a4:be:2b:26:0c:0c dev eno1np0.12 master vmbr0v12 permanent
33:33:00:00:00:01 dev eno1np0.12 self permanent
01:00:5e:00:00:01 dev eno1np0.12 self permanent
64:29:43:0a:c7:df dev eno1np0.401 master vmbr0v401
a4:be:2b:26:0c:0c dev eno1np0.401 vlan 1 master vmbr0v401 permanent
a4:be:2b:26:0c:0c dev eno1np0.401 master vmbr0v401 permanent
33:33:00:00:00:01 dev eno1np0.401 self permanent
01:00:5e:00:00:01 dev eno1np0.401 self permanent
54:ef:44:48:53:da dev eno1np0.10 master vmbr0v10
48:8f:5a:e4:da:e8 dev eno1np0.10 master vmbr0v10
64:29:43:0a:c7:df dev eno1np0.10 master vmbr0v10
a4:be:2b:26:0c:0c dev eno1np0.10 vlan 1 master vmbr0v10 permanent
a4:be:2b:26:0c:0c dev eno1np0.10 master vmbr0v10 permanent
33:33:00:00:00:01 dev eno1np0.10 self permanent
01:00:5e:00:00:01 dev eno1np0.10 self permanent
64:29:43:0a:c7:df dev eno1np0.513 master vmbr0v513
a4:be:2b:26:0c:0c dev eno1np0.513 vlan 1 master vmbr0v513 permanent
a4:be:2b:26:0c:0c dev eno1np0.513 master vmbr0v513 permanent
33:33:00:00:00:01 dev eno1np0.513 self permanent
01:00:5e:00:00:01 dev eno1np0.513 self permanent

 

[shanreich]

Do you have an SDN VLAN zone for vmbr0? That has a VNet with Tag 10? Looks like it from the fdb output:

a4:be:2b:26:0c:0c dev eno1np0.10 vlan 1 master vmbr0v10 permanent
a4:be:2b:26:0c:0c dev eno1np0.10 master vmbr0v10 permanent

Traffic is probably ending up on vmbr0v10 instead of on vmbr0. Is it possible that you created the SDN zone before setting the vmbr0 bridge to VLAN aware? In any case, if you're using the SDN VLAN zone, then you need to select the generated VNet in the network device configuraiton instead of using vmbr0 directly. If you changed the VLAN-aware setting of the bridge that is configured in the zone, then you need to also re-apply the SDN configuration in order for the bridges to get generated correctly.

 

[Liding]

Problem solved! Indeed, the eno1np0.10 and vmbr0v10 interfaces turned out to be unnecessary.

I have no idea where they came from. They weren't in the GUI or in any configuration files. However, no one was using these interfaces. Once they were removed, traffic immediately started flowing in the right direction.

Thank you very much for your help!

 

[shanreich]

It is very likely they came from an SDN zone, which you can find under Datacenter > SDN > Zones. If you don't remove them there, they will pop up again when applying the SDN configuration again - so make sure that everything is in order there!

 

[Liding]

That's the funny thing: we don't have any SDN zones configured.