VLANs leaking traffic to untagged network

Snk B

Aug 24, 2022
Hello everyone! How are you?

First of all, I would like to thank you for your attention and apologize if there are any mistakes in English, since this is not my native language.

I am new to virtualized environments and have had a homelab at home for a few weeks.
I have about 4 virtual machines, running beautifully on my Proxmox host.
I have currently virtualized pfSense within my host and since then I have been using it as a router/firewall in my home, which has worked very well so far!
About 10 days ago, I decided to segment my guest and IoT network, since I have a Unifi and it is compatible with VLANs.
The problem with this is that according to the configuration I made, my 2 VLANs end up "leaking" tagged traffic to my untagged network.
Below, I will detail how my interfaces are configured.


Here, we have the interfaces as they are configured in my pfSense: WAN, LAN, NPt (this is a ghost interface, used only to obtain an IPv6 prefix from my ISP) and my VLAN interface:
[screenshot: pfSense interfaces]

Here, we have how my proxmox is configured.
I have the vmbr0 bridge that has the eno1 interface, which is my WAN.
I also have the vmbr1 bridge, containing the other interfaces enp3s0, enp4s0, enp5s0 as my LAN, this one serving as a "switch":
[screenshot: Proxmox network configuration]

Here, in my vmbr1 bridge, I left the configuration that is being displayed, for passing my VLANs: VLAN aware activated and in VLAN IDs, I left the default space 2-4094 from Proxmox:
[screenshot: vmbr1 bridge settings]

This is where my problem begins... My Windows computer is connected directly to the enp3s0 port of this bridge and my Unifi is connected to the enp4s0 port.
Since Unifi is prepared for VLANs, it can deliver the separate traffic as desired (of course, after configuring the segmented VLANs).
However, my Windows computer ends up receiving IPv6 broadcasts from the 3 networks I have (local network, IoT and guest), and it looks like this:
[screenshot: IPv6 broadcasts seen on the Windows computer]
We have:

1 - Local network (this network does not have any VLAN tag, it is outside of any type of segregation)
10 - IoT network
20 - Guest network

I don't have a switch between my Windows computer and my Proxmox host.
Have you ever seen anything like this? Did I configure the host incorrectly?
To do this segregation, would I actually need to have a managed switch to separate this traffic?
I would appreciate any comments about this scenario... I've been testing various configurations and reading countless documents for 10 days, but none of them seem to help me.
 
Am I understanding correctly that you want to attach your Windows host to the NIC on the Proxmox host and let the bridge act as a virtual switch? Is there any reason why you're not just directly connecting the Windows host to the switch instead? Your Windows host is receiving traffic from all VLANs, since it's part of a VLAN-aware bridge with no further settings applied.

Also, you seem to have 3 devices on the bridge, what's on enp5s0? If you want to use the proxmox host as a switch then that should be fine, but you need to be really careful to avoid loops. Also, it would be preferable to just attach everything directly to your managed switch instead of the Proxmox host if possible.

Additionally, you have added the same bridge twice to OPNsense, which isn't necessary and, depending on your network setup inside the firewall (could you post that), can cause network loops and traffic to leak across VLANs if improperly configured.

I'm not 100% sure what your end goal is here and what your network looks like though, maybe you can elaborate a bit more on that?
 
Hello, how are you?!

Let's answer your questions:
Am I understanding correctly that you want to connect your Windows host to the network card in the Proxmox host and let the bridge act as a virtual switch? Is there any reason why you shouldn't connect the Windows host directly to the switch? Your Windows host is receiving traffic from all VLANs, since it is part of a VLAN-aware bridge without any additional configuration applied.
- Actually, the Proxmox host (using vmbr1) is my network switch. Since it is a residential network and my host has 4 physical interfaces, I ended up not putting any switches on my network. So, in this case, it makes sense that I am receiving the networks of the other VLANs on my computer, since I don't have any equipment doing this traffic filtering (like a managed switch).

Also, you seem to have 3 devices on the bridge. What is on enp5s0? If you want to use the Proxmox host as a switch, this should be enough, but you need to be very careful to avoid loops. Also, it would be preferable to connect everything directly to your managed switch instead of the Proxmox host, if possible.
- enp5s0 is connected to another access point in the house below. That access point is not VLAN-aware, so I believe that due to that, I had no problems there.

Also, you added the same bridge twice to OPNsense, which is not necessary and, depending on your network configuration inside the firewall (you could post this), can cause network loops and traffic leaks between VLANs if configured incorrectly.
- So, I actually made a mistake, the interfaces are different (different MAC) inside pfSense. The first and third interfaces are my WAN, where the first one receives my IPv4 and does PPPoE dialing and the third one acts as a ghost interface, just receiving an IPv6 /64 block and doing NPt on my network. The second interface is my LAN and the fourth is the interface where my VLANs are connected (I believe that the latter can be deleted and the VLANs only exiting through the LAN interface).

I'm not 100% sure what your final goal is here and what your network is like, maybe you can explain a little more about it?
- Actually, my final goal is just to separate my IoT and Guest interfaces from my local network, and these are completely separated by firewall rules, so that neither of them "see" each other or my local network.
 
- Actually, the proxmox (using vmbr1) is my network switch. Since it is a residential network and my host has 4 physical interfaces, I ended up not putting any switches on my network. So, in this case, it makes sense that I am receiving the networks of the other VLANS on my computer, since I don't have any equipment doing this traffic filtering (like a managed switch).

I figured as much, just wanted to make sure that I understand correctly before giving further advice...

Regarding your setup: You can configure VLANs on Linux bridges similar to how you would configure them on a managed switch. This can be done via the bridge CLI utility, see [1]. With that you should be able to configure the port for your Windows computer (and potentially the other ports) properly such that it only receives the VLAN frames you intend it to. When you're happy with your configuration you should probably add them as post-up commands to the interfaces file, so that they are persistent.

- Actually, my final goal is just to separate my IoT and Guest interfaces from my local network, and these are completely separated by firewall rules, so that neither of them "see" each other or my local network.

It might make sense then to use multiple bridges, and use your pfSense as a router between the networks. That would also help in separating / firewalling your networks and separating them from the PVE host if not all your equipment is suited for using VLANs.

[1] https://man7.org/linux/man-pages/man8/bridge.8.html#bridge_vlan_-_VLAN_filter_list
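As an added illustration of the per-port filtering suggested above (this is example code, not from the thread or from Proxmox), the script below prints the `bridge vlan` commands that turn the Windows port into a plain untagged access port and keep the UniFi port as a trunk, and it parses `bridge vlan show` output to check whether a port still carries VIDs beyond its PVID. Port names and VIDs 10/20 are the ones posted in the thread; the sample `bridge vlan show` output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox. Port names
# (vmbr1, enp3s0, enp4s0, enp5s0) and VIDs 10/20 are taken from the posts.
# A VLAN-aware Proxmox bridge with "VLAN IDs 2-4094" puts every VID on every
# port, so the Windows port keeps seeing tagged IoT/guest frames. The fix is
# per-port filtering: strip the tagged range from access ports and keep it
# only on the trunk to the UniFi AP. The printed lines can be added as
# "post-up" entries under vmbr1 in /etc/network/interfaces for persistence.

# Commands making $1 a plain access port: only VID $2, untagged, as PVID.
access_port_cmds() {
    echo "bridge vlan del dev $1 vid 2-4094"
    echo "bridge vlan add dev $1 vid $2 pvid untagged"
}

# Commands making $1 a trunk: untagged native VID $2, tagged VIDs listed in $3.
trunk_port_cmds() {
    echo "bridge vlan del dev $1 vid 2-4094"
    echo "bridge vlan add dev $1 vid $2 pvid untagged"
    for v in $3; do echo "bridge vlan add dev $1 vid $v"; done
}

# Reads `bridge vlan show` output on stdin and prints every VID on port $1
# other than its PVID line. For an access port, any output means a leak.
extra_vids() {
    awk -v port="$1" '
        /^[^ \t]/ { inport = ($1 == port); sub(/^[^ \t]+/, "") }
        inport && NF > 0 && $0 !~ /PVID/ { print $1 }'
}

# Constructed sample of `bridge vlan show` on a host like the OP's, before
# the fix: enp3s0 and enp4s0 still carry the whole 2-4094 range.
SAMPLE_SHOW='port              vlan-id
vmbr1             1 PVID Egress Untagged
enp3s0            1 PVID Egress Untagged
                  2-4094
enp4s0            1 PVID Egress Untagged
                  2-4094
enp5s0            1 PVID Egress Untagged'

# Planned port layout; pipe the output to sh as root to apply it.
plan() {
    access_port_cmds enp3s0 1          # Windows PC: untagged LAN only
    access_port_cmds enp5s0 1          # non-VLAN-aware AP downstairs
    trunk_port_cmds  enp4s0 1 "10 20"  # UniFi: LAN untagged, IoT/guest tagged
}

plan
echo "VIDs leaking on enp3s0: $(printf '%s\n' "$SAMPLE_SHOW" | extra_vids enp3s0)"
```

After applying the commands, `bridge vlan show | extra_vids enp3s0` should print nothing; `bridge-vids` in the interfaces file still has to stay wide enough for the pfSense VM's trunk.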
 