VM isolation into its own VLAN

Peko

New Member
Oct 3, 2024
Greetings,

I started learning about VLANs and decided to try isolating my VM into its own VLAN (VLAN10).

My goal is to make this VM unreachable by other machines, while still allowing the VM to have full access to the internet.

I have watched numerous videos and read a few other threads that mentioned this goal to be achievable by utilizing Proxmox's firewall. However, I would like to still achieve my original goal in the way that I have described.

I have also purchased a managed NETGEAR switch of model GS308Ev4.

So far, I start encountering connectivity issues in the VM after I make my vmbr0 VLAN-aware and also try to add a second group in the switch by creating a VLAN10 (ID=10) group with port 2 (Proxmox server) and port 8 (router) added to it.

Could anyone kindly guide me in the right direction so I can achieve my original goal, or point out any areas I have misunderstood. I love learning but find VLANs to be quite complex to grasp.

Thank you.
 
The switch port that your Proxmox server is connected to needs to be configured as a VLAN trunk port, not as part of just one VLAN group, if what you want is multiple VLANs. Trunk a VLAN on that port for each private VM segment that you need, up to 4096.

Then in Proxmox each vmbrX gets its own tag. The tag must be the same as the VNI from the corresponding VLAN. For incoming packets Proxmox will then see those VLAN tags and can assign them to the correct virtual bridge interfaces.

You might also do this on the switch port your router is connected to if you want them to talk to it.
 
I do it a bit differently. I agree that the switch port needs to be tagged/a trunk port. But I only have one bridge, and I don't assign bridges their own tag.

I have my /etc/network/interfaces configured as follows. This way the Proxmox management interface is on VLAN 100 at 10.10.10.4 and I can put any VM or LXC container on any VLAN I want in the network hardware configuration screen. If I want a VM to be on more than one VLAN, I just give it multiple NICs. I generally use DHCP in my VMs and manage IPs using IP reservations in my pfSense box. Alternatively, you could set IP addressing inside of the VM OS.

Code:
auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0.100
iface vmbr0.100 inet static
        address 10.10.10.4/24
        gateway 10.10.10.1

auto vmbr0
iface vmbr0 inet static
        bridge-ports enp3s0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4092
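As an added example (my own code, not from either poster), here is a small Python check that parses an interfaces file like the one above and reports whether a VM tagged with a given VLAN (for instance the VLAN 10 from the question) would actually be kept apart from the host's management leg: the bridge must be VLAN-aware, the ID must fall inside bridge-vids, and no vmbrX.N stanza with an address may sit on the same VLAN. The sample text is constructed from the posted config, and the 2-4094 fallback for a missing bridge-vids is an assumed default.

```python
# Constructed sample: the /etc/network/interfaces posted above (lo and enp3s0 stanzas omitted).
SAMPLE_INTERFACES = """
auto vmbr0.100
iface vmbr0.100 inet static
        address 10.10.10.4/24
        gateway 10.10.10.1
auto vmbr0
iface vmbr0 inet static
        bridge-ports enp3s0
        bridge-vlan-aware yes
        bridge-vids 2-4092
"""

def parse_interfaces(text: str) -> dict[str, dict[str, str]]:
    # Map each 'iface' stanza name to its option/value pairs.
    stanzas: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            current = parts[1]
            stanzas[current] = {}
        elif parts[0] in ("auto", "allow-hotplug", "source"):
            current = None  # these lines are not part of a stanza
        elif current is not None:
            stanzas[current][parts[0]] = " ".join(parts[1:])
    return stanzas

def expand_vids(spec: str) -> set[int]:
    # Expand a bridge-vids value such as '2-4092 4094' into a set of VLAN IDs.
    vids: set[int] = set()
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def check_vlan_layout(text: str, bridge: str, vm_vlan: int) -> list[str]:
    # List reasons a VM tagged vm_vlan on `bridge` would not be isolated as intended.
    ifaces = parse_interfaces(text)
    br = ifaces.get(bridge, {})  # a missing bridge is reported as 'not VLAN-aware'
    problems: list[str] = []
    if br.get("bridge-vlan-aware") != "yes":
        problems.append(f"{bridge}: bridge-vlan-aware is not 'yes', VM VLAN tags are not honoured")
    if vm_vlan not in expand_vids(br.get("bridge-vids", "2-4094")):  # assumed ifupdown2 default
        problems.append(f"{bridge}: VLAN {vm_vlan} is outside bridge-vids")
    for name, opts in ifaces.items():  # vmbrX.N with an address is the host's leg on VLAN N
        if name.startswith(bridge + ".") and "address" in opts and int(name.rsplit(".", 1)[1]) == vm_vlan:
            problems.append(f"{name}: host management address shares VLAN {vm_vlan} with the VM")
    return problems
```

Running it against the posted layout with VLAN 10 returns no findings, while asking for VLAN 100 flags that the VM would share the management VLAN.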