VLAN config for VM

[natharas]

Hi, I'm after some help, I've got my pfSense VM setup on Proxmox and is working well. I have a few VM's on Proxmox and want to connect them to a VLAN, this VLAN will be 50. How do I go about setting the VM in Proxmox to connect to the VLAN 50? Should it be a case of going to the VM and selecting Hardware, network device and then assigning the appropriate VLAN tag? When I set the VLAN tag, I find that it then breaks my internet access on my desktop computer and a restart of my Proxmox server then resolves the loss of internet access on my desktop.

My pfSense VM network config consists of VMBR0 - WAN and VMBR1 - LAN, should the VM be set with network device of VMBR1?

 

[B.Otto]

You can edit the interface of each internal VM and give it that VLAN tag. The Bridge has to be VLAN-aware then. Or you can add an interface corresponding to that VLAN in the Proxmox and add this to a new Bridge.

But how does your environment look? One Proxmox server with PFsense-Firewall connected to the WAN and every other VM running locally on the same server? Then I dont see why you would need VLANs, since the WAN/LAN traffic is separated by bridges already...

 

[natharas]

You can edit the interface of each internal VM and give it that VLAN tag. The Bridge has to be VLAN-aware then. Or you can add an interface corresponding to that VLAN in the Proxmox and add this to a new Bridge.

But how does your environment look? One Proxmox server with PFsense-Firewall connected to the WAN and every other VM running locally on the same server? Then I dont see why you would need VLANs, since the WAN/LAN traffic is separated by bridges already...

I've attached what my current Proxmox network looks like, it is currently running on the default 192.168.1 IP range, though I would like to move it to VLAN 50.

Currently with my Windows VM, it's getting an IP on the 192.168.1.x range, I want it to be on the 192.168.75.x range (camera VLAN). The purpose of this is it will be running my home cameras and I want to keep them isolated from anything external but also be able to connect to it via my desktop on the VLAN 50 which is my general equipment.

 

[B.Otto]

So you are planning to have two networks:

• 'Normal network': 192.168.1.0/24 - VLAN 1
• 'Camera network': 192.168.75.0/24 - VLAN 50

Both the cameras and the other stuff are hooked to some switch network (which supports VLANs) and the Proxmox is connected to that network via one single port (which one?).

 

[vesalius]

Does pfsense have vlan50 set up, using vtnet# was created, with vmbr0 as parent? If so does pfsense have a DHCP server for the proposed 192.168.75.0/24 set up for vlan50?

 

[natharas]

So you are planning to have two networks:

• 'Normal network': 192.168.1.0/24 - VLAN 1
• 'Camera network': 192.168.75.0/24 - VLAN 50

Both the cameras and the other stuff are hooked to some switch network (which supports VLANs) and the Proxmox is connected to that network via one single port (which one?).

I want to get rid of the 192.168.1.0/24 network, currently only wireless and the proxmox box are still on them, the goal is to move the proxmox to VLAN 50 which will be server stuff. 75 will be only for cameras and I will setup one for wireless / IOT devices.

I've got two TP-Link 8 port POE switches that are currently being used, proxmox is currently connected to one of those switches and ultimately I was going to move proxmox from VLAN 1 to VLAN 50. It has two cables connected to it, first goes to the modem for WAN and the second goes to the TP-Link switch.

 

[natharas]

Does pfsense have vlan50 set up, using vtnet# was created, with vmbr0 as parent? If so does pfsense have a DHCP server for the proposed 192.168.75.0/24 set up for vlan50?

Yes, I can confirm that pfsense has both VLAN 50 and 75 created and both are giving DHCP leases at the moment.

 

[vesalius]

So what does your /etc/network/interfaces look like?

First I would make vmbr1 vlan-aware (check box when you edit vmbr1). After that, you should be able to edit the windows VM-hardware--network device and use vmbr1 as bridge with vlan tag 50 to connect to pfsense vlan50. You may need to restart the windows VM.

To get proxmox on vlan50 with a VLAN aware vmbr1 bridge Example: Use VLAN 5 for the Proxmox VE management IP with VLAN aware Linux bridge

So something like the below would be added to /etc/network/interfaces:

auto vmbr1.50
iface vmbr1.50 inet static
        address  192.168.75.191/24 #choose whatever IP you would like
        gateway  192.168.75.1

And you would remove the Address and Gateway lines from vmbr0

 

[natharas]

So what does your /etc/network/interfaces look like?

First I would make vmbr1 vlan-aware (check box when you edit vmbr1). After that, you should be able to edit the windows VM-hardware--network device and use vmbr1 as bridge with vlan tag 50 to connect to pfsense vlan50. You may need to restart the windows VM.

To get proxmox on vlan50 with a VLAN aware vmbr1 bridge Example: Use VLAN 5 for the Proxmox VE management IP with VLAN aware Linux bridge

So something like the below would be added to /etc/network/interfaces:

auto vmbr1.50
iface vmbr1.50 inet static
        address  192.168.75.191/24 #choose whatever IP you would like
        gateway  192.168.75.1

And you would remove the Address and Gateway lines from vmbr0

This is what my interface looks like
auto lo iface lo inet loopback auto eno1 iface eno1 inet manual auto eno2 iface eno2 inet manual auto vmbr0 iface vmbr0 inet static address 192.168.1.191/24 gateway 192.168.1.1 bridge-ports eno1 bridge-stp off bridge-fd 0 bridge-vlan-aware yes bridge-vids 2-4094 auto vmbr1 iface vmbr1 inet manual bridge-ports eno2 bridge-stp off bridge-fd 0

I'll have to check out that second link when I've got a little bit more time later today, thanks for the reply.

 

[natharas]

First I would make vmbr1 vlan-aware (check box when you edit vmbr1). After that, you should be able to edit the windows VM-hardware--network device and use vmbr1 as bridge with vlan tag 50 to connect to pfsense vlan50. You may need to restart the windows VM.

I find that if I make VMBR1 VLAN aware and apply the configuration, within 30 seconds I loose network connectivity on my desktop, it goes to a 169 address. If I then revert the VLAN aware on VMBR1, network connectivity is then restored on my desktop.

 

[vesalius]

Did you reboot the desktop (this is a windows VM right?) instead of just waiting?

Something seems off with connectivity in pfsense LAN which you stated was on vmbr1. what do the network devices look like in the proxmox host for the pfsense VM?

What device is 192.168.1.1 is that your internet router or pFsense?

From the proxmox host CLI can you ping pfsense over vmbr1 or vmbr0?

 

[natharas]

Did you reboot the desktop (this is a windows VM right?) instead of just waiting?

Something seems off with connectivity in pfsense LAN which you stated was on vmbr1. what do the network devices look like in the proxmox host for the pfsense VM?

What device is 192.168.1.1 is that your internet router or pFsense?

From the proxmox host CLI can you ping pfsense over vmbr1 or vmbr0?

The Windows VM isn't even powered on at the moment. The desktop that is freezing is my physical home desktop that I'm connecting to the proxmox server via to make changes.

192.168.1.1 is my home internet router, pfsense is 192.168.2.1.

What is the best way to ping pfsense via the CLI, I've just been using putty?

 

[vesalius]

How is the physical Windows PC connected ... Wired to the internet router, wired to switch, or wired to proxmox?

From the proxmox host what is eno2 physically wired/connected to?

You could try starting the Windows VM with those setting I recommended in place and see if pulls an IP from pfsense.

 

[natharas]

How is the physical Windows PC connected ... Wired to the internet router, wired to switch, or wired to proxmox?

From the proxmox host what is eno2 physically wired/connected to?

You could try starting the Windows VM with those setting I recommended in place and see if pulls an IP from pfsense.

Physical PC is wired to switch.

eno2 is connected to the switch, eno1 goes to my router

What is interesting is that with the Windows VM, I turned off VLAN Tag 75 on vmbr1 and now it is getting an IP on the 192.168.2.40 from pfsense and can see it in the pfsense dhcp lease as well. Why would it be getting the .2 range and not 75 as per my camera VLAN?

 

[vesalius]

Since you made vmbr1 vlan-aware you can now think of vmbr1 as a separate virtual managed switch with unlimited ports.

You control the port your windows VM connects to on vmbr1 by adding or removing that vlan-tag at the proxmox host-Windows VM-network device-vlan_tag level. Putting nothing there results in the windows VM being connected to the default vlan of that vmbr1 switch (which is your pfsense lan and getting a DHCP address from pfsense in the 192.168.2.0/24 range). If you add vlan-tag 75, it should get a DHCP address from pfsense in the 192.168.75.0/24 range. If you add vlan-tag 50, it should get a DHCP address from pfsense in the 192.168.50.0/24 range.

What type of physical switch are you using? does it support vlans?

 

[natharas]

Since you made vmbr1 vlan-aware you can now think of vmbr1 as a separate virtual managed switch with unlimited ports.

You control the port your windows VM connects to on vmbr1 by adding or removing that vlan-tag at the proxmox host-Windows VM-network device-vlan_tag level. Putting nothing there results in the windows VM being connected to the default vlan of that vmbr1 switch (which is your pfsense lan and getting a DHCP address from pfsense in the 192.168.2.0/24 range). If you add vlan-tag 75, it should get a DHCP address from pfsense in the 192.168.75.0/24 range. If you add vlan-tag 50, it should get a DHCP address from pfsense in the 192.168.50.0/24 range.

What type of physical switch are you using? does it support vlans?

That's the thing though, as soon as I set vmbr1 to vlan aware it still breaks the physical desktop internet access.

The switch I've got is TL-SG2210P that supports VLAN's.

 

[vesalius]

More likely the port configuration on your switch is the real issue.

What is the physical switch vlan config on the following ports:
1. connected to your physical Windows VM
2. connected to your proxmox host eno2
3. connected to your internet router

 

[natharas]

More likely the port configuration on your switch is the real issue.

What is the physical switch vlan config on the following ports:
1. connected to your physical Windows VM
2. connected to your proxmox host eno2
3. connected to your internet router

Physical windows VM and eno2 are both connected to Port 5 on switch, that is tagged PVID 50
Internet router goes directly to Port 1 on my Dell server

 

[vesalius]

Physical windows VM and eno2 are both connected to Port 5 on switch, that is tagged PVID 50
Internet router goes directly to Port 1 on my Dell server

Sorry Also meant to ask about meant to about the physical Windows PC and what it connects to. plugs into the switch? - what is this switch port config - tagged/untagged vlans?

Is the dell server the proxmox node or the window PC?

Switch Port 5 is tagged 50 - also tagged 75? - untagged or native to what vlan?

 

[natharas]

Sorry Also meant to ask about meant to about the physical Windows PC and what it connects to. plugs into the switch? - what is this switch port config - tagged/untagged vlans?

Is the dell server the proxmox node or the window PC?

Switch Port 5 is tagged 50 - also tagged 75? - untagged or native to what vlan?

Windows PC is connected to switch port 7 which in untagged on vlan 50

The dell server is the proxmox node