VLAN bridging and tagging mixed

[aalejandro]

Hello,

I am using Proxmox 3.0. I have been using the default bridge vmbr0 (NO VLAN configuration on Proxmox) and I was able to bridge VLAN packets without issue into the guest (a mikrotik router)

Something like this:

[Switch] VLAN 10 tagged ---> [Proxmox eth0] VLAN 10 tagged ---> [Virtual Machine running Mikrotik] VLAN 10 tagged

This worked fine until I created another virtual machine and used the same vmbr0 but with vlan 10 configuration under Proxmox Network settings for the Network card of the virtual machine. Like this:

[Switch] VLAN 10 tagged ---> [Proxmox eth0] VLAN 10 tagged ---> [New VM] VLAN 10 untagged

This worked fine for the new virtual machine but this caused the mikrotik that was running fine to loose access and I had to reconfigure the network cards for the Mikrotik to behave exactly like the new VM in order to work.

So the question is will vmbr0 stop forwarding VLAN traffic as soon as I use an interface with VLAN tags under proxmox? Not possible to use both?

root@vm01:~# pveversion -vpve-manager: 3.0-23 (pve-manager/3.0/957f0862)
running kernel: 2.6.32-22-pve
proxmox-ve-2.6.32: 3.0-107
pve-kernel-2.6.32-20-pve: 2.6.32-100
pve-kernel-2.6.32-22-pve: 2.6.32-107
lvm2: 2.02.95-pve3
clvm: 2.02.95-pve3
corosync-pve: 1.4.5-1
openais-pve: 1.1.4-3
libqb0: 0.11.1-2
redhat-cluster-pve: 3.2.0-2
resource-agents-pve: 3.9.2-4
fence-agents-pve: 4.0.0-1
pve-cluster: 3.0-4
qemu-server: 3.0-20
pve-firmware: 1.0-23
libpve-common-perl: 3.0-4
libpve-access-control: 3.0-4
libpve-storage-perl: 3.0-8
vncterm: 1.1-4
vzctl: 4.0-1pve3
vzprocps: 2.0.11-2
vzquota: 3.1-2
pve-qemu-kvm: 1.4-13
ksm-control-daemon: 1.1-1

 

[tapsa]

This is quite good question. As far I understand this is brain dead feature or bug in linux kernel.
When you have configuration eth0 - br0 - tap0 it forwards tags without problem. But if you add vlan 10 to eth0 that eth0 stops providing all other vlans to bridge.
Also when you tcpdump eth0 you can see all traffic (example vlan 20) but if you try put tcpdump -i eth0 vlan 20 you cannot see it. So it also mesh up pcap somehow.
If someone know howto resolve this problem I am very happy to hear. Currently I have resolved this problem with giving own interface for "trunk" bridge. Anyhow this is serious bomb because if someone add single machine with vlan for this interface it will mesh up all other machines networks.

 

[mir]

A work-a-round is to configure a bridge for each desired vlan and then attach bridge having the desired vlan to VM.

 

[spirit]

Hi, this is a redhat 2.6.32 kernel bug, it's work fine with a standard linux kernel.

(if you don't use openvz, you can use debian wheezy kernel)

If you need openvz, you need to wait for rhel7 kernel next year.

 

[tapsa]

Not a real workaround. you need reboot guest every time when you add new vlan.
BUT real workaround is put dedicated interface "vlan trunk" use and give it only VM's what use it directly. Still there is problem that if you add another vm with tagged interface you will blow up that trunk.
Anyhow you can protect this with somekind like this in Network.pm

PVE::Tools::dir_glob_foreach($dir, '(tap\d+.*)', sub {
my ($slave) = @_;
die "bridge '$bridge' have untagged slaves. Adding vlan bridge to same device will break it\n";
});

 

[mir]

Not a real workaround. you need reboot guest every time when you add new vlan.

This is not true. ifup vmbrx will bring up the new bridge without restarting the server.

 

[tapsa]

This is not true. ifup vmbrx will bring up the new bridge without restarting the server.

Yes it will bring up bridge but how you attach it to virtual without restarting it?