VLAN on bridge with multiple NICs

mvandenabeele
Jan 13, 2021
Hi

I'm relatively new to networking with VLANs, so I hope this isn't a dumb question. I have a Proxmox host with 4 NICs. 1 goes to the modem, the 3 others are connected to a VLAN-aware Linux Bridge. A pfSense VM is connecting WAN and LAN. 1 of those internal NICs is connected to a trunk port of my Zyxel managed switch. Another internal NIC goes to a wifi access point. Other ports on the switch are all access ports for VLAN1 and devices attached to them have functional internet connections. Now, I wanted to add a separate wifi network for untrusted devices. As a first step, I added it with VLAN enabled and set to VLAN1. I had expected this to work the same as the untagged wifi networks because (I assume) the primary VLAN ID for the Linux bridge is 1, but it doesn't. I do not get an IP if I try to connect to this SSID. What am I doing wrong here, or what have I failed to understand about VLANs?

Kind regards,
Merijn
 
Hi Merijn

I'm not sure if I understand your setup correctly. As far as I understand your description, your setup would look like this, ...

[diagram: 1610997329793.png]

... isn't it?

With this setup, if you want to add a new VLAN for untrusted devices, you'll have to use a VLAN-capable access point. Then you'll have to configure a second VLAN with a different VLAN ID (VLAN1 is already used for LAN) and then set the AP port to trunk. On the Proxmox side, there are two ways to implement VLANs:

1. On the firewall, creating two VLAN interfaces (i.e. eth2.<vlan-idx> and eth2.<vlan-idy>)
2. In the VM settings, adding a new network interface and setting the VLAN ID on it.

In this setup, I would recommend using a VLAN ID other than ID 1 on the WLAN network interfaces in order to avoid confusion ... ;)

If you want to allow direct access to VLAN1 (LAN) or other VLANs from the trusted WLAN network without going through the firewall, then a VLAN-capable switch is highly recommended too. The setup would look like this ...

[diagram: 1611001015605.png]

This setup is more flexible and allows you to connect your access point directly to different networks. In this case, you'll have to set the VLAN ID on the network interfaces of the VM (firewall).

This diagram shows just an example, so if you want to implement something like this, you'll have to adapt the concept to your needs.

One more thing. For every VLAN that you create, you'll have to configure a "DHCP server" on the firewall (or a DHCP scope if you use a central DHCP server) in order to assign IPs to the attached devices. If you use a central DHCP server, then you need to configure DHCP relay on the firewall too.

I hope that this helps you ... :)

Regards
Belegnor
 
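As an added example (not Belegnor's or the thread's own configuration): the Proxmox side of the two options above, rendered by a small shell script so the stanzas can be reviewed before they go into /etc/network/interfaces. The NIC names (eno1 to the modem, eno2 to eno4 in the VLAN-aware bridge), the VLAN IDs 5 and 10, the host address 192.168.1.2 and the firewall's VM ID 100 are assumptions. The `trunks=` option in option 1 is optional; it only limits which tags the firewall's bridge port may carry.

```shell
#!/usr/bin/env sh
# Added example (not from the thread). Renders the Proxmox-side config for
# the two VLAN options Belegnor lists. All names below are assumptions:
# eno1 -> modem (WAN), eno2-eno4 in the VLAN-aware bridge, VM ID 100 = pfSense.
set -eu

WAN_NIC=eno1
LAN_NICS="eno2 eno3 eno4"   # trunk to the switch, the AP, one spare
TRUSTED_VLAN=5              # the ID Merijn ended up using for the trusted SSID
UNTRUSTED_VLAN=10           # assumed ID for the untrusted SSID
FW_VMID=100                 # assumed VM ID of the pfSense VM

# VLAN 1 is the bridge's untagged PVID; a port "tagged" with 1 is exactly the
# case that failed on Merijn's AP, and 0/4095 are reserved by 802.1Q.
check_vlan_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 2 ] && [ "$1" -le 4094 ]
}

# /etc/network/interfaces: WAN on its own bridge, LAN NICs on one
# VLAN-aware bridge that passes tags 2-4094 to the VM ports.
render_interfaces() {
  cat <<EOF
auto lo
iface lo inet loopback

iface ${WAN_NIC} inet manual

$(for n in ${LAN_NICS}; do printf 'iface %s inet manual\n\n' "$n"; done)
auto vmbr0
iface vmbr0 inet manual
        bridge-ports ${WAN_NIC}
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 192.168.1.2/24
        bridge-ports ${LAN_NICS}
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
EOF
}

# Option 1: one untagged (trunk) VM NIC; pfSense creates the VLAN
# sub-interfaces itself. trunks= only restricts which tags reach the VM.
render_option1_cmds() {
  echo "qm set ${FW_VMID} --net1 'virtio,bridge=vmbr1,trunks=${TRUSTED_VLAN};${UNTRUSTED_VLAN}'"
}

# Option 2: one VM NIC per VLAN, tagged by Proxmox; pfSense sees plain
# untagged interfaces and needs one DHCP server per interface.
render_option2_cmds() {
  echo "qm set ${FW_VMID} --net2 virtio,bridge=vmbr1,tag=${TRUSTED_VLAN}"
  echo "qm set ${FW_VMID} --net3 virtio,bridge=vmbr1,tag=${UNTRUSTED_VLAN}"
}

for v in "${TRUSTED_VLAN}" "${UNTRUSTED_VLAN}"; do
  check_vlan_id "$v" || { echo "bad VLAN ID: $v" >&2; exit 1; }
done
render_interfaces
echo "# option 1:"; render_option1_cmds
echo "# option 2:"; render_option2_cmds
```

Whichever option you pick, the untrusted VLAN must stay tagged end to end (AP, switch trunk port, bridge) and get its own firewall rules on pfSense; with option 2 the tag is stripped before the VM sees the frame, so pfSense treats each NIC as an ordinary untagged interface.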
Hi Belegnor

Thank you for your detailed answer. The first image is indeed more or less my current setup. Only eno1, eno2 and eno3 are bridged with a VLAN-capable Linux bridge. I find your second setup very interesting. I had never thought of connecting the internet router to a VLAN, but it probably solves the problem of high availability. Would it be possible to bridge the 4 NICs to have a faster link to the server (4x1GB) or should I leave it the way it is? I'm not experiencing slow connections at the moment.

It seems I had a reasonable understanding of VLANs but the issue was with my wifi access point. I had 2 SSIDs which were untagged (defaulting to VLAN 1) and 1 which was explicitly tagged with VLAN 1. This did not work with the EAP245. Switching to VLAN 5, everything started working.

Merijn
 
Hi Merijn

I don't have much experience configuring bonds, but I think that it should be possible to put the four NICs together. If you plan to build a cluster in the future, then you should consider keeping one NIC free for the corosync network.

A possible setup would be something like this ... just adapt it to your needs ... ;)

[diagram: 1611072734441.png]

For more information about configuring bonds, please take a look at this ...

https://pve.proxmox.com/wiki/Network_Configuration

Best regards,
Belegnor

[Edit] : I forgot to mention that you'll have to configure an LACP bond on the Switch side too ... ;)
 
Probably another beginner question: why would I want the Proxmox management interface and corosync on separate NICs? Can't they all be in one large bond? I'm guessing there's not much traffic for these, and the bandwidth of the NICs might be put to better use if all four are combined in one bond?

And thanks for the diagram. What do you use to make those? Thinking of documenting my network...
 
Well, you don't need to bind the management to a separate NIC if you don't want to. The diagram is just an example ... ;)

But for corosync, a dedicated NIC is highly recommended for the cluster traffic, as sharing the bandwidth with VM or storage traffic may have an impact on the cluster communication.

Regarding diagrams, I use Wondershare EdrawMax.
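The bonded layout from Belegnor's bond post, with the corosync link kept off the bond as he recommends in the reply above, as an added example (not the thread's own configuration). Assumptions: eno1 is the dedicated corosync NIC on its own subnet, eno2 to eno4 form the LACP bond, the Proxmox management address stays on the bridge, and the internet router is patched into switch VLAN 99 as in the second diagram, so the firewall's WAN is just another tagged VM NIC. The switch ports for eno2 to eno4 must be configured as one LACP LAG.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): LACP bond + VLAN-aware bridge with a
# dedicated corosync NIC. Interface names, subnets and VLAN 99 are assumptions.
set -eu

COROSYNC_NIC=eno1
BOND_NICS="eno2 eno3 eno4"
WAN_VLAN=99          # assumed switch VLAN the router/modem is patched into
FW_VMID=100          # assumed pfSense VM ID

# Belegnor's rule: the cluster link is never a bond member, so VM or
# storage bursts on the bond cannot delay corosync traffic.
bond_excludes_corosync() {
  for n in ${BOND_NICS}; do
    [ "$n" != "${COROSYNC_NIC}" ] || return 1
  done
  return 0
}

render_bond_interfaces() {
  cat <<EOF
auto lo
iface lo inet loopback

# Dedicated cluster link: own subnet, no bridge, no VM traffic.
auto ${COROSYNC_NIC}
iface ${COROSYNC_NIC} inet static
        address 10.10.10.1/24

$(for n in ${BOND_NICS}; do printf 'iface %s inet manual\n\n' "$n"; done)
# LACP (802.3ad) bond; the switch side must be an LACP LAG as well.
auto bond0
iface bond0 inet manual
        bond-slaves ${BOND_NICS}
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3

# Management stays untagged (PVID 1) on the bridge; every other network,
# WAN included, reaches the firewall VM as a tagged VLAN over the bond.
auto vmbr0
iface vmbr0 inet static
        address 192.168.1.2/24
        gateway 192.168.1.1
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
EOF
}

# The firewall's WAN is now a tagged port on the same bridge.
render_wan_cmd() {
  echo "qm set ${FW_VMID} --net0 virtio,bridge=vmbr0,tag=${WAN_VLAN}"
}

bond_excludes_corosync || { echo "corosync NIC must not be in the bond" >&2; exit 1; }
render_bond_interfaces
render_wan_cmd
```

Putting WAN on a VLAN of the shared bond means untrusted internet-side frames now cross the same switch and bridge as LAN traffic; the isolation then rests entirely on the VLAN tagging being correct on every port, so keep the WAN VLAN off all access ports and off the host's own untagged management VLAN.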
 
This diagram was so helpful to me. I'm doing a setup now with two upstream Cisco switches in a vPC pair. So both switches will logically be one switch. Same concept though. Thank you Belegnor