VLAN tagging for host and guest

[lukesky333]

Hello,

I'm new here and, as expected, I have a question.

Is it possible to tag the Proxmox host interface AND the guest interface?

Example:
The Proxmox server has only one network connection (Linux Bridge), which is tagged with VLAN ID 120.

On the guest system (Debian), three virtual network adapters should be created via the previously created Linux Bridge interface. These adapters should also be tagged with IDs 120, 121, and 122.

Is this possible, and if so, how? I've tried many things, but nothing has worked.
Thank you in advance for your help!

 

[shanreich]

Create a VLAN-aware bridge on the host (e.g. vmbr0) and then a sub-interface vmbr0.120 where you configure the VLAN.

In the guest, either configure the parent bridge (vmbr0) as network device and then configure the VLANs inside the guest - or attach 3 network devices to the guest, one per VLAN

 

[david_tao]

Hi lukeshy333:
Another way is you can create a vmbr? (Linux bridge) for each vlan interface, and then connect vm to corresponding vmbr? the /etc/network/interfaces will looks as following.

auto lo
iface lo inet loopback

auto enp65s0f1
iface enp65s0f1 inet manual

auto enp65s0f1.100
iface enp65s0f1.100 inet manual

auto enp65s0f1.101
iface enp65s0f1.101 inet manual

auto vmbr0
iface vmbr0 inet manual
        bridge-ports enp65s0f1
        bridge-stp on
#Default VLAN 1

auto vmbr100
iface vmbr100 inet manual
        bridge-ports enp65s0f1.100
        bridge-stp on
#VLAN 100

auto vmbr101
iface vmbr101 inet static
        address 172.16.101.65/24
        bridge-ports enp65s0f1.101
        bridge-stp on
#VLAN 101

 

[lukesky333]

Create a VLAN-aware bridge on the host (e.g. vmbr0) and then a sub-interface vmbr0.120 where you configure the VLAN.

In the guest, either configure the parent bridge (vmbr0) as network device and then configure the VLANs inside the guest - or attach 3 network devices to the guest, one per VLAN

I tried it your way - that is my config:

auto lo
iface lo inet loopback

iface eno1 inet manual

iface eno2 inet manual

iface eno3 inet manual

iface eno4 inet manual

iface eno49 inet manual

iface eno50 inet manual

iface eno51 inet manual

iface eno52 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.103/24
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 120-122

auto vlan120
iface vlan120 inet static
        address 192.168.120.253/24
        vlan-raw-device vmbr0

With this config the host is available under both IPs. I created three interfaces for the guest (VM) with the VLAN tags (vlan120, vlan121, vlan122), but they are not accessible.

Do you have any idea why?

 

[shanreich]

You can either create a separate bridge for every VLAN (becomes cumbersome quite quickly):

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.103/24
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 120-122

auto vlan120
iface vlan120 inet static
        address 192.168.120.103/24
        bridge-ports vmbr0.120
        bridge-stp off
        bridge-fd 0

auto vlan121
iface vlan121 inet static
        address 192.168.121.103/24
        bridge-ports vmbr0.121
        bridge-stp off
        bridge-fd 0

[...]

Then you would use vlan120 for your network device on the VM, you'd do the same for 121 and 122. This has the downside of creating a bridge for every VLAN you want to use (which is okay for 3 VLANs, but can get out of hand with, say, 100 VLANs).

--------------------------

Or you can just configure the IP for the host directly on vmbr0.120:

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.103/24
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 120-122


auto vmbr0.120
iface vmbr0.120 inet static
        address 192.168.120.103/24

And then set the VLAN tags on the network device, note the tag setting here (it will then use vmbr0.120):

net0: virtio=AA:AA:AA:45:B5:24,bridge=vmbr0,firewall=1,tag=120
net1: virtio=AA:AA:AA:45:B5:25,bridge=vmbr0,firewall=1,tag=121

This way you can just configure IPs for the host on whichever VLAN you want and set the VLAN tags directly on the network device without having to create separate bridges.

--------------------------

The last option is to pass vmbr0 directly to the VM, without any tag:

net1: virtio=AA:AA:AA:45:B5:25,bridge=vmbr0,firewall=1

Then configure the VLANs with the network stack inside the VM. This gives the host the ability to send packets on ANY VLAN or untagged, so it depends on whether you can trust your guest or not.

 

[SteveITS]

With this config the host is available under both IPs.

Is your question about removing the untagged IP? Because that’s possible…

 

[lukesky333]

I've shut down the VM and removed all virtual interfaces and rebooted the host. After that I configured everything again and now it is working. In my opinion nothing has changed - but hey, it's working now.