VLAN and SDN struggles

ptselios

Sep 14, 2025
Hello,
I have this setup:
Router (openWRT) <--> Unifi USW2.5G 5 switch <--> Proxmox VE


VE is installed on a 2-NIC mini PC. NIC 1 is connected to my primary network.
NIC 2 is a bridge which is used by the SDN.

Problem: Most VLANs are not working.

I have 3 zones, named LXC, OCP, BMC.
Each zone has one or more subnets.

Now, my main issue is that I have zero consistency on accessibility inside these zones.

Most of the time, I can fire up an LXC in the BMC network and I can get access to it. Or to have access to SOME of the VNets inside the OCP zone. LXC is 99% not working.
I have tried to set up different VLAN IDs, different subnets, still I get no consistency. Sometimes VNET A is working but making any change makes it unusable.
Obviously I need some help here.
The configuration is the following:
JSON:
{
  "fabrics": {
    "ids": {}
  },
  "controllers": {
    "ids": {}
  },
  "version": 18,
  "subnets": {
    "ids": {
      "BMC-192.168.101.0-28": {
        "type": "subnet",
        "vnet": "BMCnet",
        "gateway": "192.168.101.1"
      },
      "LXCNet-192.168.201.0-25": {
        "vnet": "LXCSub",
        "type": "subnet",
        "gateway": "192.168.201.1"
      },
      "OCP-192.168.101.32-28": {
        "gateway": "192.168.101.33",
        "vnet": "Node",
        "type": "subnet"
      },
      "OCP-192.168.101.128-25": {
        "vnet": "VM",
        "type": "subnet",
        "gateway": "192.168.101.129"
      },
      "OCP-192.168.101.64-29": {
        "gateway": "192.168.101.65",
        "vnet": "External",
        "type": "subnet"
      },
      "OCP-192.168.101.48-28": {
        "vnet": "Storage",
        "type": "subnet",
        "gateway": "192.168.101.49"
      },
      "OCP-192.168.101.16-28": {
        "type": "subnet",
        "vnet": "Prov"
      }
    }
  },
  "vnets": {
    "ids": {
      "External": {
        "tag": 105,
        "zone": "OCP",
        "type": "vnet",
        "alias": "OCP External Network"
      },
      "VM": {
        "zone": "OCP",
        "tag": 106,
        "type": "vnet",
        "alias": "OCP VM Network"
      },
      "Storage": {
        "zone": "OCP",
        "tag": 104,
        "alias": "OCP Storage Network",
        "type": "vnet"
      },
      "Node": {
        "zone": "OCP",
        "tag": 103,
        "type": "vnet",
        "alias": "OCP Node management"
      },
      "Prov": {
        "alias": "OCP Provisioning",
        "type": "vnet",
        "zone": "OCP",
        "tag": 102
      },
      "BMCnet": {
        "alias": "BMC Network",
        "type": "vnet",
        "tag": 101,
        "zone": "BMC"
      },
      "LXCSub": {
        "tag": 201,
        "zone": "LXCNet",
        "alias": "LXC Network",
        "type": "vnet"
      }
    }
  },
  "zones": {
    "ids": {
      "OCP": {
        "type": "vlan",
        "ipam": "pve",
        "bridge": "vmbr1"
      },
      "LXCNet": {
        "bridge": "vmbr1",
        "ipam": "pve",
        "type": "vlan"
      },
      "BMC": {
        "bridge": "vmbr1",
        "ipam": "pve",
        "type": "vlan"
      }
    }
  }
}

ip link shows all the interfaces up, including the VLANs on the bridge.


Apart from the Provisioning which has no GW, I try to see what traffic works and what doesn't.

So, I have this tcpdump running in PVE:
Code:
tcpdump -i enp4s0.VLANID host LXC_IP and '(port 22 or icmp)'


Now, I stop the LXC and assign an IP on each of them, then I try to reach the LXC from my PC:

So, the output is this:
Code:
# 101, OK:

ssh root@192.168.101.4
The authenticity of host '192.168.101.4 (192.168.101.4)' can't be established.
ED25519 key fingerprint is: SHA256:86xHkdSc+s/+/YADr+OObLUNsVmj5s7g3MszFeEid+Q
This host key is known by the following other names/addresses:

# 103, NOK:
ssh root@192.168.101.36
ssh: connect to host 192.168.101.36 port 22: Connection refused

tcpdump on the PVE shows NO traffic for 103.
On the router, I see this:

Code:
09:50:02.451091 IP 192.168.0.3.45726 > 192.168.101.36.22: Flags [S], seq 2871565335, win 64240, options [mss 1460,sackOK,TS val 810257169 ecr 0,nop,wscale 10], length 0
09:50:02.451210 IP 192.168.101.36.22 > 192.168.0.3.45726: Flags [R.], seq 0, ack 2871565336, win 0, length 0


Code:
#104, NOK
ssh root@192.168.101.68
ssh: connect to host 192.168.101.68 port 22: Connection refused
Again, I see nothing on the PVE and router's tcpdump shows again RST:

Code:
 tcpdump -ni br-lan  'host 192.168.101.68  and tcp port 22'
10:40:37.751717 IP 192.168.0.3.59584 > 192.168.101.68.22: Flags [S], seq 1082890419, win 64240, options [mss 1460,sackOK,TS val 251469019 ecr 0,nop,wscale 10], length 0
10:40:37.751798 IP 192.168.101.68.22 > 192.168.0.3.59584: Flags [R.], seq 0, ack 1082890420, win 0, length 0

Code:
ssh root@192.168.101.132
The authenticity of host '192.168.101.132 (192.168.101.132)' can't be established.
So, this works!

Finally:

Code:
ssh root@192.168.201.4
ssh: connect to host 192.168.201.4 port 22: No route to host

Router says this:

Code:
tcpdump -ni br-lan  'host 192.168.201.4  and tcp port 22'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes

10:46:59.930394 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, options [mss 1460,sackOK,TS val 2207098193 ecr 0,nop,wscale 10], length 0
10:47:00.935243 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, options [mss 1460,sackOK,TS val 2207099198 ecr 0,nop,wscale 10], length 0
10:47:01.959230 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, options [mss 1460,sackOK,TS val 2207100222 ecr 0,nop,wscale 10], length 0
10:47:02.983247 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, options [mss 1460,sackOK,TS val 2207101246 ecr 0,nop,wscale 10], length 0

So, this drives me nuts
Router has the same configuration for all the VLANs.
In the switch, I removed the PVE from its switch port and I connected my other server, a RHEL box, on which I configured all these VLANs. I have ZERO problems assigning IPs to VMs running on RHEL, which means the switch is also correct.

So, what is wrong with the Proxmox setup?
 
Several things come to mind after looking at the configuration:
  1. You have multiple zones for the same bridge, it is sufficient to create one zone per bridge.
  2. Is the bridge VLAN-aware?
  3. You configured a gateway for the subnets - but that setting doesn't do anything for L2 Zones / VNets (VLAN, QinQ, VXLAN). Did you configure the gateway in the LXC configuration as well?
  4. On the host, if you want access to the VLANs you'd either need to point the PVE host to the router that is responsible for routing between all the VLANs (i.e. create a route for 192.168.101.0/x via the router) - or, probably better and what you want, configure an IP for the PVE host manually.
Configuring an IP can be done by creating an entry in /etc/network/interfaces for every VLAN on vmbr1, where you want the host to have an IP - e.g.:

Code:
auto vmbr1.105
iface vmbr1.105 inet static
    address 192.168.101.65/29

This will automatically create a route for 192.168.101.64/29 via vmbr1.105
 
Adding an IP is definitely not what I want. Also, it doesn't explain why this works just for some of the VNets. But I will delete at least one zone and see if this makes any difference.
 
Can you post the network configuration of your host, as well as the generated network configuration files?

Code:
ip a
ip r
cat /etc/network/interfaces
cat /etc/network/interfaces.d/sdn
cat /etc/pve/sdn/.running-config

The configuration of one of the containers, that is on a VNet that is not working / as well as one where it is would also be interesting:

Code:
pct config <CTID>
 
In the meantime, I removed zone LXC since it was not working at all:

Code:
cat /etc/network/interfaces.d/sdn
#version:19

auto BMCnet
iface BMCnet
bridge_ports ln_BMCnet
bridge_stp off
bridge_fd 0
alias BMC Network

auto External
iface External
bridge_ports ln_External
bridge_stp off
bridge_fd 0
alias OCP External Network

auto Node
iface Node
bridge_ports ln_Node
bridge_stp off
bridge_fd 0
alias OCP Node management

auto Prov
iface Prov
bridge_ports ln_Prov
bridge_stp off
bridge_fd 0
alias OCP Provisioning

auto Storage
iface Storage
bridge_ports ln_Storage
bridge_stp off
bridge_fd 0
alias OCP Storage Network

auto VM
iface VM
bridge_ports ln_VM
bridge_stp off
bridge_fd 0
alias OCP VM Network

auto ln_BMCnet
iface ln_BMCnet
link-type veth
veth-peer-name pr_BMCnet

auto ln_External
iface ln_External
link-type veth
veth-peer-name pr_External

auto ln_Node
iface ln_Node
link-type veth
veth-peer-name pr_Node

auto ln_Prov
iface ln_Prov
link-type veth
veth-peer-name pr_Prov

auto ln_Storage
iface ln_Storage
link-type veth
veth-peer-name pr_Storage

auto ln_VM
iface ln_VM
link-type veth
veth-peer-name pr_VM

auto pr_BMCnet
iface pr_BMCnet
link-type veth
veth-peer-name ln_BMCnet

auto pr_External
iface pr_External
link-type veth
veth-peer-name ln_External

auto pr_Node
iface pr_Node
link-type veth
veth-peer-name ln_Node

auto pr_Prov
iface pr_Prov
link-type veth
veth-peer-name ln_Prov

auto pr_Storage
iface pr_Storage
link-type veth
veth-peer-name ln_Storage

auto pr_VM
iface pr_VM
link-type veth
veth-peer-name ln_VM

auto vmbr1v101
iface vmbr1v101
bridge_ports  enp4s0.101 pr_BMCnet
bridge_stp off
bridge_fd 0

auto vmbr1v102
iface vmbr1v102
bridge_ports  enp4s0.102 pr_Prov
bridge_stp off
bridge_fd 0

auto vmbr1v103
iface vmbr1v103
bridge_ports  enp4s0.103 pr_Node
bridge_stp off
bridge_fd 0

auto vmbr1v104
iface vmbr1v104
bridge_ports  enp4s0.104 pr_Storage
bridge_stp off
bridge_fd 0

auto vmbr1v105
iface vmbr1v105
bridge_ports  enp4s0.105 pr_External
bridge_stp off
bridge_fd 0

auto vmbr1v106
iface vmbr1v106
bridge_ports  enp4s0.106 pr_VM
bridge_stp off
bridge_fd 0

Code:
cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

iface eno1 inet manual

iface enp4s0 inet manual

iface wlp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
address 192.168.0.2/24
gateway 192.168.0.254
bridge-ports eno1
bridge-stp off
bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
bridge-ports enp4s0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

source /etc/network/interfaces.d/*


Code:
cat /etc/pve/sdn/.running-config  
{"subnets":{"ids":{"OCP-192.168.101.16-28":{"type":"subnet","vnet":"Prov"},"OCP-192.168.101.64-29":{"gateway":"192.168.101.65","vnet":"External","type":"subnet"},"OCP-192.168.101.48-28":{"vnet":"Storage","type":"subnet","gateway":"192.168.101.49"},"OCP-192.168.101.32-28":{"type":"subnet","vnet":"Node","gateway":"192.168.101.33"},"OCP-192.168.101.128-25":{"gateway":"192.168.101.129","type":"subnet","vnet":"VM"},"BMC-192.168.101.0-28":{"vnet":"BMCnet","type":"subnet","gateway":"192.168.101.1"}}},"version":19,"vnets":{"ids":{"BMCnet":{"alias":"BMC Network","type":"vnet","tag":101,"zone":"BMC"},"Prov":{"zone":"OCP","tag":102,"alias":"OCP Provisioning","type":"vnet"},"Node":{"zone":"OCP","tag":103,"type":"vnet","alias":"OCP Node management"},"Storage":{"tag":104,"zone":"OCP","alias":"OCP Storage Network","type":"vnet"},"VM":{"type":"vnet","alias":"OCP VM Network","zone":"OCP","tag":106},"External":{"zone":"OCP","tag":105,"type":"vnet","alias":"OCP External Network"}}},"zones":{"ids":{"OCP":{"type":"vlan","ipam":"pve","bridge":"vmbr1"},"BMC":{"bridge":"vmbr1","ipam":"pve","type":"vlan"}}},"fabrics":{"ids":{}},"controllers":{"ids":{}}}

NON working container:

Code:
pct config 100
arch: amd64
cores: 1
hostname: un.itcultus.net
memory: 2048
net0: name=eth0,bridge=External,gw=192.168.101.65,hwaddr=BC:24:11:FE:49:31,ip=192.168.101.68/29,type=veth
ostype: ubuntu
rootfs: local-zfs:subvol-100-disk-0,size=30G
swap: 2048
unprivileged: 1


WORKING container:
Code:
pct config 100
arch: amd64
cores: 1
hostname: un.itcultus.net
memory: 2048
net0: name=eth0,bridge=VM,gw=192.168.101.129,hwaddr=BC:24:11:04:F4:23,ip=192.168.101.132/25,type=veth
ostype: ubuntu
rootfs: local-zfs:subvol-100-disk-0,size=30G
swap: 2048
unprivileged: 1

(It's the same container)
 
And the ip commands:



Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever

2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr0 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    altname enxXXXXXXXXXXXX

3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr1 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    altname enxXXXXXXXXXXXX

4: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    altname wlxXXXXXXXXXXXX

5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

7: ln_BMCnet@pr_BMCnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master BMCnet state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

8: pr_BMCnet@ln_BMCnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v101 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

9: BMCnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

10: ln_External@pr_External: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master External state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

11: pr_External@ln_External: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v105 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

12: External: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

13: ln_Node@pr_Node: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master Node state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

14: pr_Node@ln_Node: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v103 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

15: Node: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

16: ln_Prov@pr_Prov: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master Prov state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

17: pr_Prov@ln_Prov: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v102 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

18: Prov: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

19: ln_Storage@pr_Storage: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master Storage state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

20: pr_Storage@ln_Storage: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v104 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

21: Storage: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

22: ln_VM@pr_VM: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master VM state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

23: pr_VM@ln_VM: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v106 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

24: VM: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

25: enp4s0.101@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v101 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

26: vmbr1v101: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

27: enp4s0.102@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v102 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

28: vmbr1v102: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

29: enp4s0.103@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v103 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

30: vmbr1v103: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

31: enp4s0.104@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v104 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

32: vmbr1v104: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

33: enp4s0.105@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v105 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

34: vmbr1v105: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

35: enp4s0.106@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v106 state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

36: vmbr1v106: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    inet6 fe80::XXXX:XXXX:XXXX:XXXX/64 scope link 
       valid_lft forever preferred_lft forever

37: veth100i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master VM state UP group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff link-netnsid 0


Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vmbr0 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    altname enp2s0
    altname enxXXXXXXXXXXXX

3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr1 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    altname enxXXXXXXXXXXXX

4: wlp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    altname wlxXXXXXXXXXXXX

5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

6: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

7: ln_BMCnet@pr_BMCnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master BMCnet state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

8: pr_BMCnet@ln_BMCnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v101 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

9: BMCnet: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    alias BMC Network

10: ln_External@pr_External: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master External state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

11: pr_External@ln_External: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v105 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

12: External: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    alias OCP External Network

13: ln_Node@pr_Node: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master Node state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

14: pr_Node@ln_Node: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v103 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

15: Node: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    alias OCP Node management

16: ln_Prov@pr_Prov: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master Prov state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

17: pr_Prov@ln_Prov: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v102 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

18: Prov: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    alias OCP Provisioning

19: ln_Storage@pr_Storage: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master Storage state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

20: pr_Storage@ln_Storage: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v104 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

21: Storage: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    alias OCP Storage Network

22: ln_VM@pr_VM: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master VM state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

23: pr_VM@ln_VM: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v106 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

24: VM: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff
    alias OCP VM Network

25: enp4s0.101@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v101 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

26: vmbr1v101: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

27: enp4s0.102@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v102 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

28: vmbr1v102: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

29: enp4s0.103@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v103 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

30: vmbr1v103: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

31: enp4s0.104@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v104 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

32: vmbr1v104: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

33: enp4s0.105@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v105 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

34: vmbr1v105: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

35: enp4s0.106@enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vmbr1v106 state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

36: vmbr1v106: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff

37: veth100i0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master VM state UP mode DEFAULT group default qlen 1000
    link/ether XX:XX:XX:XX:XX:XX brd ff:ff:ff:ff:ff:ff link-netnsid 0
 
Are you sure everything is set up properly on OpenWRT? If you see a TCP RST for some connections on the router (but not on the PVE host), then this might be an indicator that a firewall rejects packets. If you see nothing via tcpdump on the PVE host, then the traffic most likely isn't sent out from OpenWRT in the first place.

The 'no route to host' error message seems to indicate that OpenWRT doesn't even have a route for that subnet. How are the subnets set up on OpenWRT?
 
As I said in the OP:
(which obviously means that openWRT is also OK)
In the switch, I removed the PVE from its switch port and I connected my other server, a RHEL box, on which I configured all these VLANs. I have ZERO problems assigning IPs to VMs running on RHEL, which means the switch is also correct.
 
Yes I saw that, still, the TCP traffic doesn't seem to reach your PVE node - judging from the tcpdumps - and OpenWRT seems to send a TCP RST.
This usually happens when a REJECT firewall rule triggers, hence why I asked to double-check for possible issues there.

You can also use tcpdump -env (not sure if those flags work on BSD), so MAC addresses are visible.

Can you check if ARP traffic from OpenWRT is reaching the PVE node via tcpdump?
Do you have the Proxmox Firewall enabled?
 
OpenWRT is Linux-based, so it should work.
No, Firewall in PVE has no rules.

I will dig a bit deeper. My first attempt will be to use plain old VLANs on PVE to replicate what I got in RHEL.
 
Update: A combination of many different things.

OpenWRT has a limitation on the FW zone names which cannot be more than 11 characters and thus, all these "denied" were coming from it. I changed the FW zone names and everything was OK for just these VLANs.
However, I never managed to find why the other VLANs were not working.

So, what I did was to drop everything, reboot the machine and try again. No change.
Then, I removed everything, created an OVS Bridge this time and everything worked. A good opportunity to learn a few more things about OVS
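
The diagnosis used in the replies (a RST seen on the router while the PVE host capture stays empty means the reset was generated before the host) can be automated by correlating the two captures per connection attempt. This is an added example, not code from the thread: the router lines are the thread's own with TCP options trimmed, the 192.168.101.132 flow and the host capture are constructed, and it assumes no NAT between the two capture points.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One `tcpdump -n` TCP line: time, src.port > dst.port, flags, optional seq/ack.
PKT = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]+)\](?:, seq (\d+))?(?:, ack (\d+))?"
)


def parse(capture):
    """Yield (time_us, src, sport, dst, dport, flags, seq, ack) per TCP line."""
    for line in capture.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # tcpdump banner, wrapped fragments, non-TCP packets
        h, mi, s, frac, src, sport, dst, dport, flags, seq, ack = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000
        t += int(frac.ljust(6, "0")[:6])
        yield (t, src, int(sport), dst, int(dport), flags,
               int(seq) if seq else None, int(ack) if ack else None)


@dataclass
class Attempt:
    dst: str
    first_syn_us: int
    seq: int
    syn_count: int = 0
    reply: Optional[str] = None     # "rst", "synack" or None
    reply_us: Optional[int] = None  # delay from first SYN to the reply
    reached_host: bool = False      # same SYN also present in the host capture

    def verdict(self):
        if self.reply == "synack":
            return "answered"
        if self.reply == "rst":
            # A reset for a SYN the host never saw was not sent by the host.
            return "reset-by-host" if self.reached_host else "reset-upstream"
        return "silent-host" if self.reached_host else "lost-upstream"


def correlate(router_capture, host_capture):
    """Match each SYN in the router capture to its reply and to the host capture."""
    attempts = {}
    for t, src, sport, dst, dport, flags, seq, ack in parse(router_capture):
        if flags == "S":  # initial SYN or a retransmission of it
            key = (src, sport, dst, dport)
            if key not in attempts:
                attempts[key] = Attempt(dst=dst, first_syn_us=t, seq=seq)
            attempts[key].syn_count += 1
            continue
        a = attempts.get((dst, dport, src, sport))  # reply travels the other way
        if a is None or a.reply or ack != (a.seq + 1) % 2**32:
            continue
        if "R" in flags:
            a.reply = "rst"
        elif flags == "S.":
            a.reply = "synack"
        else:
            continue
        a.reply_us = t - a.first_syn_us
    host_syns = {(src, sport, dst, dport)
                 for _, src, sport, dst, dport, flags, _, _ in parse(host_capture)
                 if flags == "S"}
    for key, a in attempts.items():
        a.reached_host = key in host_syns
    return list(attempts.values())


# Router side: first seven lines are from the thread (options trimmed),
# the last two (192.168.101.132) are constructed.
ROUTER_CAPTURE = """\
09:50:02.451091 IP 192.168.0.3.45726 > 192.168.101.36.22: Flags [S], seq 2871565335, win 64240, length 0
09:50:02.451210 IP 192.168.101.36.22 > 192.168.0.3.45726: Flags [R.], seq 0, ack 2871565336, win 0, length 0
10:40:37.751717 IP 192.168.0.3.59584 > 192.168.101.68.22: Flags [S], seq 1082890419, win 64240, length 0
10:40:37.751798 IP 192.168.101.68.22 > 192.168.0.3.59584: Flags [R.], seq 0, ack 1082890420, win 0, length 0
10:46:59.930394 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, length 0
10:47:00.935243 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, length 0
10:47:01.959230 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, length 0
10:47:02.983247 IP 192.168.0.3.44192 > 192.168.201.4.22: Flags [S], seq 4172331600, win 64240, length 0
10:45:10.100000 IP 192.168.0.3.51000 > 192.168.101.132.22: Flags [S], seq 1000, win 64240, length 0
10:45:10.100900 IP 192.168.101.132.22 > 192.168.0.3.51000: Flags [S.], seq 5000, ack 1001, win 65160, length 0
"""

# Host side (constructed): only the working VNet's handshake ever arrives.
HOST_CAPTURE = """\
10:45:10.100400 IP 192.168.0.3.51000 > 192.168.101.132.22: Flags [S], seq 1000, win 64240, length 0
10:45:10.100500 IP 192.168.101.132.22 > 192.168.0.3.51000: Flags [S.], seq 5000, ack 1001, win 65160, length 0
"""

if __name__ == "__main__":
    for a in correlate(ROUTER_CAPTURE, HOST_CAPTURE):
        print(f"{a.dst:16} SYNs={a.syn_count} reply={a.reply} "
              f"after={a.reply_us}us -> {a.verdict()}")
```

A `reset-upstream` verdict with a reply delay well under a millisecond points at the router's own firewall, which is where the zone-name problem in the final update was found.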