VLAN configuration within Hosts and whether necessary to also configure a pve interface on the VLAN

[Kootenay]

Hi,

I'm running PVE 9.1.4 in a 3-machine cluster using Mini-PCs.

My scenario is this:

I have a 3 VLANs:

1. VLAN 1 : 192.168.2.0/24 - switch network. I have to have this one because the switch I have doesn't like to have its IP or VLAN changed, so I'm stuck with that.
2. VLAN 10 : 172.25.10.0/24 - main network. Within the switch this is the default PVID for the majority of ports.
3. VLAN 20 : 172.25.20.0/24 - lab network. This is where I spin up various VMs for a home lab relating to my job.

On VLAN 1 there is the main switch management IP (192.168.2.1), and also where I have a UniFi USG gateway.

This USG gateway is the router between all the VLANs, and has IPs on each VLAN as follows:

• VLAN 1 : 192.168.2.254
• VLAN 10 : 172.25.10.1 (default route to the Internet)
• VLAN 20 : 172.25.20.1

My UniFi controller application is running on a VM on one of the mini-PCs - let's call that particular mini-pc pve-1 and the host running the UniFi controller application unifi.

Right now, the vmbr0 interface of pve-1 is VLAN aware, but only has a single IP on it (172.25.10.2).

The unifi host has the IP 172.25.10.15.

What I would like to do is to add the unifi host to VLAN 1 and assign it the IP 192.168.2.15.

On the switch port that pve-1 is plugged into, the port is set is 10UP (untagged, pvid) and 1T (tagged)

Within the VM, I have the following defined:

3: ens18.1@ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:24:11:80:c0:75 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.15/24 scope global ens18.1
       valid_lft forever preferred_lft forever
    inet6 fe80::be24:11ff:fe80:c075/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever

Despite this, I cannot ping the 192.168.2.15 address from the USG gateway.

My questions:

1. Does the pve-1 server need to also have an interface on VLAN 1? (eg, vmbr0.1) (I tried to add vmbr0.1 with IP 192.168.2.2/24 and after applying I could no longer reach the 172.25.10.2 address)
2. Am I missing something else?

Cheers

 

[Gilou]

Use tcpdump/wireshark to check what's happening, -e will go down to ethernet..
I'm not sure what 10UP (untagged, pvid) and 1T (tagged) really means, though I imagine all untagged trafic is tagged 10, and vlan 1 is allowed.

So either you need to have a separate NIC set for VLAN1 or try to set in in the guest like you did.. but I think there is a restriction on VLAN1 in the gui.. so you could either try to add a NIC tagged as 1 for unifi, and maybe that'll work (the GUI will let you, but I haven't tested). or you need to go for the CLI and try to enable vlan1. I think there is a restriction on the bridge itself, and on the NIC of the guest, parameters might be trunks..

Of course, you can also just add vlan1 directly on the proxmox NIC, and set a bridge on that vlan1, and attach a separate NIC to your VM there.