"VLAN aware" checkbox has no function

dasfliege

Jan 24, 2024
I've set up a new 8.1.3 Proxmox cluster and was kind of surprised that my VM using a tagged VLAN had network connection, even though "VLAN aware" was not ticked on the bridge interface. Did a few tests and it seems that this checkbox has absolutely no impact, whether or not VLANs are passed through to the VMs. I can tag VLANs inside a guest OR on the VM's virtual NIC and it's working perfectly fine, even with VLAN aware unchecked.

Did I completely misunderstand something regarding the "VLAN aware" checkbox?
 
I have noticed the same. Funny enough, I found this post googling for "proxmox whixh interface vlan aware check box" (misspelling left intact) for this exact reason.
 
ofc it is, you don't understand the feature.

ok, if you're not vlan aware, the vm is running on vlan 0 aka untagged, and ofc all tagged traffic also gets passed. in that case we need to configure within the vm itself to go through tagged traffic and associate additional interfaces for it.

if vlan aware is tagged you can assign a tagged vlan to a virtual nic on a vm. for the vm this traffic looks like regular untagged traffic and you won't see any other tagged traffic there.

now this is ofc a security trap. personally I would suggest running the bridge interface as a trunk interface and ALWAYS assigning some vlan to virtual nics, or using the newly shiny sdn feature.

or you can fully trust your vms.
 
Read my initial post. Even if you don't tick vlan aware on the bridge, tagging a vlan on the VM's virtual NIC is working perfectly fine. Try it and prove me wrong ;-)
 
I've set up a new 8.1.3 Proxmox cluster and was kind of surprised that my VM using a tagged VLAN had network connection, even though "VLAN aware" was not ticked on the bridge interface. Did a few tests and it seems that this checkbox has absolutely no impact, whether or not VLANs are passed through to the VMs. I can tag VLANs inside a guest OR on the VM's virtual NIC and it's working perfectly fine, even with VLAN aware unchecked.

Did I completely misunderstand something regarding the "VLAN aware" checkbox?
Went back and looked at this and it appears it does not do "that", but it does do "something."

The VLAN-aware checkbox is a new addition that allows Proxmox to act as a trunk in a switch that will pipe multiple VLANs over one connection. Although it is not important to enable it, however, it is a new way of handling VLANs on the bridge. For example, if we need to implement 10 VLANs, we will need to create 10 virtual bridges in the traditional Linux bridge way. However, using the VLAN-aware option, we can create one bridge and just add the VLAN ID to it, thus saving a lot of time typing out multiple bridge configurations. (https://www.oreilly.com/library/vie...ware checkbox is,handling VLANs on the bridge.)

So, what we both observed appears to be normal.
 
with bridge vlan-aware, the vlan tagging is done at bridge port level

without vlan-aware, the vlan tagging is done at interface level with an additional non vlan-aware bridge created in the background (eth0.<vlan> ----> vmbrV<vlan>)


Without vlan-aware, you can't do trunk or transport vlan inside the vm.
 
Hi, is it possible to put only selected vlans into a virtual machine on one nic? To create a tagged vnet with selected multiple vlans. In the gui it is possible to have only one vlan.
 
Hi, is it possible to put only selected vlans into a virtual machine on one nic? To create a tagged vnet with selected multiple vlans. In the gui it is possible to have only one vlan.
yes. you need to use a vlan-aware bridge for classic network, or check the vlan-aware vnet. (I think you can create the vlan without vlan, or with vlan=1 for default vlan).

Then, multiple vlans should be allowed. (It's also possible to filter the vlans list in vmid.conf directly, net0:.....,trunks=1,5,8,9 ... )
 
Without VLAN aware ticked on a bridge, a guest in the native VLAN can just add themselves a tagged virtual vlan interface (inside the guest).
Read my initial post. Even if you don't tick vlan aware on the bridge, tagging a vlan on the VM's virtual NIC is working perfectly fine. Try it and prove me wrong ;-)
Yes, tagging the VM NIC works fine,
but it also leaves a hole where if you have other guests on the native vlan, inside the guest they can add a virtual vlan interface and that stuff will go out that vlan, i.e. they can gain access to other VLANs.
It looks like 'VLAN Aware' introduces vlan filtering perhaps?
I have only done a quick test, but that is what I see.
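
An audit for the exposure described in the posts above, as an added example that is not part of the thread or of Proxmox's own tooling: it lists guest NICs that have no `tag=` (and, on a VLAN-aware bridge, no `trunks=`), since those are the NICs from which a guest could reach other VLANs. The sample bridge stanzas and `netN:` lines are constructed, and the function names are hypothetical; on a real node the inputs would be the bridge definitions and the vmid.conf files.

```python
import re

# Constructed sample inputs (not taken from the thread).
INTERFACES = """\
iface vmbr0 inet manual
    bridge-ports eno1

iface vmbr1 inet manual
    bridge-ports eno2
    bridge-vlan-aware yes
    bridge-vids 2-4094
"""
VM_CONFIGS = {
    "100": "net0: virtio=BC:24:11:00:00:01,bridge=vmbr0\n",
    "101": "net0: virtio=BC:24:11:00:00:02,bridge=vmbr0,tag=20\n",
    "102": "net0: virtio=BC:24:11:00:00:03,bridge=vmbr1\n"
           "net1: virtio=BC:24:11:00:00:04,bridge=vmbr1,trunks=5;8\n",
}
NET_LINE = re.compile(r"^(net\d+):\s*(\S+)", re.M)

def vlan_aware_bridges(text):
    """Map each bridge name to True if its stanza sets 'bridge-vlan-aware yes'."""
    bridges, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "iface":
            current = words[1]
        elif current and words[0] == "bridge-ports":
            bridges.setdefault(current, False)
        elif current and words[:2] == ["bridge-vlan-aware", "yes"]:
            bridges[current] = True
    return bridges

def audit(interfaces, vm_configs):
    """Return (vmid, nic, bridge, reason) for NICs with no VLAN restriction."""
    aware, findings = vlan_aware_bridges(interfaces), []
    for vmid, conf in sorted(vm_configs.items()):
        for nic, value in NET_LINE.findall(conf):
            opts = dict(p.split("=", 1) for p in value.split(",") if "=" in p)
            bridge = opts.get("bridge", "?")
            if "tag" in opts:
                continue  # NIC is pinned to a single VLAN
            if not aware.get(bridge, False):
                findings.append((vmid, nic, bridge, "bridge not VLAN aware, NIC untagged"))
            elif "trunks" not in opts:
                findings.append((vmid, nic, bridge, "VLAN-aware bridge, NIC has no tag or trunks"))
    return findings

if __name__ == "__main__":
    for finding in audit(INTERFACES, VM_CONFIGS):
        print(*finding, sep="  ")
```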
 