"VLAN aware" checkbox has no function

dasfliege

Jan 24, 2024
I've set up a new 8.1.3 Proxmox cluster and was kind of surprised that my VM using a tagged VLAN had network connection, even though "VLAN aware" was not ticked on the bridge interface. Did a few tests and it seems that this checkbox has absolutely no impact on whether or not VLANs are passed through to the VMs. I can tag VLANs inside a guest OR on the VM's virtual NIC and it's working perfectly fine, even with VLAN aware unchecked.

Did I completely misunderstand something regarding the "VLAN aware" checkbox?
 
I have noticed the same. Funny enough, I found this post googling for "proxmox whixh interface vlan aware check box" (misspelling left intact) for this exact reason.
 
Ofc it is, you don't understand the feature.

OK, if you're not vlan aware, the VM is running on vlan 0 aka untagged, and ofc all tagged also gets passed. In that case we need to configure within the VM itself to go through tagged traffic and associate additional interfaces for it.

If vlan aware is tagged you can assign a tagged vlan to a virtual NIC on a VM. For the VM this traffic looks like regular untagged traffic and you won't see any other tagged traffic there.

Now this is ofc a security trap. Personally I would suggest running the bridge interface as a trunk interface and ALWAYS assigning some vlan to virtual NICs, or using the newly shiny SDN feature.

Or you can fully trust your VMs.
 
Read my initial post. Even if you don't tick vlan aware on the bridge, tagging a vlan on the VM's virtual NIC is working perfectly fine. Try it and prove me wrong ;-)
 
I've set up a new 8.1.3 Proxmox cluster and was kind of surprised that my VM using a tagged VLAN had network connection, even though "VLAN aware" was not ticked on the bridge interface. Did a few tests and it seems that this checkbox has absolutely no impact on whether or not VLANs are passed through to the VMs. I can tag VLANs inside a guest OR on the VM's virtual NIC and it's working perfectly fine, even with VLAN aware unchecked.

Did I completely misunderstand something regarding the "VLAN aware" checkbox?
Went back and looked at this and it appears it does not do "that", but it does do "something."

The VLAN-aware checkbox is a new addition that allows Proxmox to act as a trunk in a switch that will pipe multiple VLANs over one connection. Although it is not important to enable it, however, it is a new way of handling VLANs on the bridge. For example, if we need to implement 10 VLANs, we will need to create 10 virtual bridges in the traditional Linux bridge way. However, using the VLAN-aware option, we can create one bridge and just add the VLAN ID to it, thus saving a lot of time typing out multiple bridge configurations. (https://www.oreilly.com/library/vie...ware checkbox is,handling VLANs on the bridge.)

So, what we both observed appears to be normal.
 
With bridge vlan-aware, the vlan tagging is done at bridge port level.

Without vlan-aware, the vlan tagging is done at interface level with an additional non vlan-aware bridge created in the background (eth0.<vlan> ----> vmbrV<vlan>).


Without vlan-aware, you can't do trunk or transport vlan inside the vm.
 
Hi, is it possible to pass only selected vlans into a virtual machine on one NIC? To create a tagged vnet with multiple selected vlans. In the GUI it is possible to have only one vlan.
 
Hi, is it possible to pass only selected vlans into a virtual machine on one NIC? To create a tagged vnet with multiple selected vlans. In the GUI it is possible to have only one vlan.
Yes. You need to use a vlan-aware bridge for classic network, or check the vlan-aware vnet. (I think you can create the vlan without vlan, or with vlan=1 for default vlan).

Then, multiple vlans should be allowed. (It's also possible to filter vlans list in vmid.conf directly, net0:.....,trunks=1,5,8,9 ... )
 
Without VLAN aware ticked on a bridge, a guest in the native VLAN can just add themselves a tagged virtual vlan interface (inside the guest).
Read my initial post. Even if you don't tick vlan aware on the bridge, tagging a vlan on the VM's virtual NIC is working perfectly fine. Try it and prove me wrong ;-)
Yes, tagging the VM NIC works fine,
but it also leaves a hole where if you have other guests on native vlan, inside the guest they can add a virtual vlan interface and that stuff will go out that vlan, i.e. they can gain access to other VLANs.
It looks like 'VLAN Aware' introduces vlan filtering perhaps?
I have only done a quick test, but that is what I see.
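
The exposure discussed in this thread can be checked from configuration. As an added example (not written by any poster and not part of Proxmox), this Python script lists VM NICs that carry neither `tag=` nor `trunks=` and notes whether their bridge is VLAN aware. The `bridge-vlan-aware yes` stanza syntax and the semicolon-separated `trunks` value are assumed; bridge names, VMIDs and MAC addresses are constructed sample data.

```python
import re

# Constructed sample of /etc/network/interfaces (not from the thread).
INTERFACES = """\
auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1

auto vmbr1
iface vmbr1 inet manual
    bridge-ports eno2
    bridge-vlan-aware yes
"""

# Constructed VM config lines keyed by VMID; MACs are placeholders.
VM_CONFIGS = {
    101: "net0: virtio=02:00:00:00:01:01,bridge=vmbr0",
    102: "net0: virtio=02:00:00:00:01:02,bridge=vmbr0,tag=20",
    103: "net0: virtio=02:00:00:00:01:03,bridge=vmbr1",
    104: "net0: virtio=02:00:00:00:01:04,bridge=vmbr1,trunks=5;8",
}

def vlan_aware_bridges(text):
    """Map bridge name -> True when its stanza sets 'bridge-vlan-aware yes'."""
    bridges, current = {}, None
    for line in text.splitlines():
        m = re.match(r"iface\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.strip().startswith("bridge-ports"):
            bridges.setdefault(current, False)   # it is a bridge
        elif current and re.match(r"\s*bridge-vlan-aware\s+yes\b", line):
            bridges[current] = True
    return bridges

def audit(interfaces, vm_configs):
    """Return (vmid, nic, reason) for every NIC with no VLAN restriction."""
    aware, findings = vlan_aware_bridges(interfaces), []
    for vmid, conf in sorted(vm_configs.items()):
        for m in re.finditer(r"^(net\d+):\s*(.*)$", conf, re.M):
            opts = dict(kv.split("=", 1) for kv in m.group(2).split(",") if "=" in kv)
            if "tag" in opts or "trunks" in opts:
                continue                         # NIC is pinned to listed VLANs
            br = opts.get("bridge", "?")
            reason = ("vlan-aware bridge, no tag/trunks" if aware.get(br)
                      else "non-vlan-aware bridge, guest can self-tag")
            findings.append((vmid, m.group(1), reason))
    return findings

if __name__ == "__main__":
    print(*audit(INTERFACES, VM_CONFIGS), sep="\n")
```

On the sample data it reports VM 101 (the case described in the post above) and VM 103 (an untagged NIC on a VLAN-aware bridge, which the earlier advice to always assign a VLAN would also flag).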
 
I have noticed the same. Funny enough, I found this post googling for "proxmox whixh interface vlan aware check box" (misspelling left intact) for this exact reason.
To everyone here: I find that it does do something.

When you create a vlan network and add tagging to it, the vlan tag actually adds an additional header to the packets, so if the network is untagged the packets coming out don't have vlan tags (in networking we treat this as vlan 0 by default but it can be any value, but this is just logical, not in the actual hardware or L2 packets).

I set up a multi-vlan and multi-subnet network at home, after getting annoyed that spawning many Ubuntu VM templates kept messing up the network. Separating everything and giving the dev VM network its own large subnet helped a lot too. What would happen is my router would randomly not route VM packets, so VMs would not have any networking (prior to vlan and subnetting).

The vlans are tagged on both the router and switch. I use a managed switch so the same wire passes multiple vlans to each Proxmox server. When I put a VM on a tagged network and the NIC is untagged it doesn't work, or expects the OS to have it set in its NIC settings, so it does make a difference if you have network hardware configured as well, whereas it doesn't make a difference if you are using vlans on Proxmox only but not the switch. The difference between the checkbox is really just whether the guest OS should perform its own vlan tagging or Proxmox for the VM. Checking the box means that the vlan terminates at Proxmox. My managed switch is fully managed and does L3 routing as well.

In my setup not only is the hardware configured with multiple vlans and subnets, but it's the same with Proxmox. While I don't need to provide a subnet to every vlan on Proxmox, each vlan has its own separate bridge. No bonding or bridging happens over multiple vlans (which may explain no difference to your situation). So if I have 4 vlans that means I have the NIC + 4 vlan interfaces on Proxmox and 5 bridges on Proxmox by default (if you add and don't remove the default config).

I've been spawning and deleting VM templates just to learn Kubernetes and the network isolation is key to this, and I find the checkmark really does make the difference between having network access and not having network access if I'm using a tagged vlan prior to installing any Kubernetes on the node itself. The big issue with network access comes when I use both IPv4 and IPv6, where I only get partial access (some sites load, some don't), but that may just be a router configuration issue, although IPv6 can be difficult depending on the ISP.