VLAN best approach

mattps

Jul 25, 2025
Hi Proxmox forum!

I've only been using Proxmox for a few weeks and am loving it! Bit of a learning curve to find everything but I am getting there. I have a question around the best approach/practice for setting up VLANs in Proxmox.

I have one PVE running with half a dozen guests running on two virtual networks (10.0.1.0/24 - LAN1 and 10.0.6.0/24 - LAN2). Up until now I have been using Windows RRAS to route between the networks happily, but with the addition of a second PVE instance and an L3 switch I'd like to use the switch for inter-VLAN routing.

My question is what do I need to do to the virtual networks in Proxmox? This is my current interfaces file:

[Attached screenshots: 1753640711520.png, 1753640744500.png]

I have looked at some examples online and a couple suggest that the vmbr0 Linux Bridge needs to have sub-interfaces created. Would this be the correct approach, and then remove the virtual networks?

Would the IP address that I set on the bridge sub interface be the VLAN interface IP, meaning I don't need to set this on the switch VLAN?

Hope you can help, forum. :)
 
i'm not a big fan of inter-vlan routing on the switch personally - i mean sure it does work, but it usually results in security gaps somewhere and lack of offloads (so you end up reliant on some other weaker cpu)

the major part of vlans outside of segmentation is that you get central management somewhere (and this place is usually the router itself, so that is the place i would suggest you do it all at)

if i'm following your question correctly, you'd be wanting to trunk vmbr0 into a trunk port so you'd define the trunk range like `bridge-vids 101-106` and do it that way, assuming you want say something on 106 to talk to 106
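
An added example, not part of the thread or written by any poster: a small Python check that parses an ifupdown-style `/etc/network/interfaces` and lists the VLAN IDs a VLAN-aware bridge trunks beyond the ones actually in use, which is worth knowing when a range such as `bridge-vids 101-106` is wider than the networks behind it. The sample file, the NIC name `eno1`, the addresses and the mapping of VLANs 101 and 106 to LAN1 and LAN2 are assumptions.

```python
import re

# Constructed sample of /etc/network/interfaces; eno1, the addresses and the
# VLAN 101 = 10.0.1.0/24 mapping are assumptions, not the poster's real file.
SAMPLE = """\
iface eno1 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports eno1
    bridge-vlan-aware yes
    bridge-vids 101-106

auto vmbr0.101
iface vmbr0.101 inet static
    address 10.0.1.5/24
    gateway 10.0.1.1
"""

def parse_bridges(text):
    """Return {iface: {option: value}} for stanzas that define bridge-ports."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif line[0].isspace() and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip()
        else:
            current = None  # auto/allow-* lines end the previous stanza
    return {n: o for n, o in stanzas.items() if "bridge-ports" in o}

def expand_vids(spec):
    """Expand a bridge-vids value such as '101-103 110' into a set of ints."""
    vids = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def audit(text, needed):
    """Map each VLAN-aware bridge to the VIDs it trunks that are not needed."""
    report = {}
    for name, opts in parse_bridges(text).items():
        if opts.get("bridge-vlan-aware") == "yes":
            allowed = expand_vids(opts.get("bridge-vids", ""))
            report[name] = sorted(allowed - set(needed))
    return report

print(audit(SAMPLE, {101, 106}))
```

An empty list for a bridge means its trunk carries only the VLANs passed in as `needed`.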
 
Hi @mrpops2ko,

Yes that is correct. I want to use the switch for inter-VLAN routing instead of SDN because the switch has security features (port access control, RADIUS etc) and I'm not sure if SDN on Proxmox supports this. I'm also trying to emulate production environments as closely as possible.

Matt
 
not used SDN on proxmox, but generally the reason why this is all done at the router level is because you can tailor all the rules

i'm guessing you have some kind of mikrotik switch too so you could define whatever firewall rules there but i just feel it's messy and it gets a lot easier to have a 'single source of truth'

most places and people i've seen do it by virtue of each vlan terminating to the router and then the router applying firewall rules for the traffic because that's how you get very granular traffic and you can do traffic inspection much better, as well as do whatever else you want (like applying asymmetric routing rules, where A can contact B but B can't contact A)