VLANs not working with LXC

[infecticide]

I have updated all Debian / Proxmox packages as of today.

Running Proxmox 6.3-2

I've just started diving into the world of VLANs and have run into an issue that I can't seem to get around.

Host network config:
auto lo
iface lo inet loopback

auto eno3
iface eno3 inet manual

auto eno4
iface eno4 inet manual

iface enp0s29f0u2 inet manual

iface eno1 inet manual

iface eno2 inet manual

iface enp0s29f0u2c2 inet manual

auto vlan1
iface vlan1 inet static
address 192.168.2.150/24
gateway 192.168.2.1
ovs_type OVSIntPort
ovs_bridge vmbr0

iface vlan1 inet6 static
address 2600:70ff:b85d::150/64
gateway 2600:70ff:b85d::1

auto vlan2
iface vlan2 inet manual
ovs_type OVSIntPort
ovs_bridge vmbr0
ovs_options tag=2
#VLAN2_Wireguard

auto bond0
iface bond0 inet manual
ovs_bonds eno3 eno4
ovs_type OVSBond
ovs_bridge vmbr0
ovs_options lacp=active bond_mode=balance-slb

auto vmbr0
iface vmbr0 inet manual
ovs_type OVSBridge
ovs_ports bond0 vlan1 vlan2

LXC Config:
arch: amd64
cores: 2
hostname: 50m-wireguard-001
memory: 128
net0: name=eth0,bridge=vmbr0,gw=10.2.0.1,gw6=2600:70ff:b85d:2::1,hwaddr=D2:6E:2B:4F:65:7F,ip=10.2.0.2/24,ip6=2600:70ff:b85d:2::2/64,ta$
onboot: 1
ostype: ubuntu
rootfs: nas-002:127/vm-127-disk-0.raw,mountoptions=noatime,size=5G
startup: order=1,up=30
swap: 64
unprivileged: 1


I have a LXC running Wireguard and I want to put it on VLAN2.

As soon as I set the VLAN tag, the network connectivity disappears in the lxc, can't even ping the gateway (10.20.0.1)

If I attempt to ping the gateway and run a tcpdump against the veth, I can see the packets but if I run tcpdump against the vmbr0 bridge, they are not present.

I have no firewalls configured on the host or the lxc.

What have I overlooked?

 

[spirit]

AFAIK, tcpdump on ovs bridge is not working. (I think they are a ovs-tcpdump fo this).

you don't need to create "iface vlan2" here (only if you need to put an ip for your proxmox host on it).

Setting vlan on vm nic is enough. (Proxmox will tag the virtual vmbr0 port where the vm is plugged).


Is your gateway (10.2.0.1) in the same vlan2 ?

 

[infecticide]

Ok, I have removed the vlan2 OVSIntPort.

My physical network layout is as such:

Internet ---- 50m-pfsense-001 ---- 50m-switch-001 ---- 50m-switch-002 ---- 50m-virt-003 (Proxmox)

50m-pfSense-001 has a VLAN2 setup with a gateway address of 10.2.0.1, when the VLAN tag is not set on the LXC, I can see it and access it
I have an LACP LAG of two ports between 50-switch-001 and 002
I have an LACP LAG of two ports between 50m-switch-002 and 50m-virt-003

I still need to troubleshoot my switch VLANs but I was hoping to at least confirm that the ICMP packets are making it from the lxc to 50m-switch-002 in a step by step process working my way towards the pfSense box.

ovs-tcpdump on the proxmox host returns the following:

~# ovs-tcpdump
Traceback (most recent call last):
File "/usr/bin/ovs-tcpdump", line 29, in <module>
import netifaces
ModuleNotFoundError: No module named 'netifaces'

 

[infecticide]

I did a tcpdump on the eno3 and eno4 physical NICs and I can see the packets leaving the host.

I can also see the ICMP packets on 50m-pfsense-001 now but the gateway is not responding...

So, it appears that my switches are configured correctly, now I need to do some PFsense work to complete the setup.

Thanks for the info about that vlan2 OVSIntPort and the tcpdump not working on OVS bridges, that's good to know.