VM on VLAN tag 9 can’t reach gateway but host can

K

Kratus

New Member
Jan 24, 2025
14
2
3
Hi everyone,


I’m running Proxmox VE 8.3.0 on a host called alpha.
The host sits on vmbr0 (vlan‑aware yes → physical NIC ens1f0np0).
I have a Debian VM (ID 2000) whose virtual NIC is attached to vmbr0 with VLAN tag 9 and configured as 191.7.184.13/28 with gateway 191.7.184.9.


What works:

- The Proxmox host itself can ping 191.7.184.9 without any issue.

What doesn’t:


- The VM can’t reach the gateway (or anything else).
ip neigh on the guest shows the gateway in incomplete state.

Checks already performed


- bridge ‑d vlan confirms the tap device (tap2000i0) is tagged as VLAN 9.
- tcpdump ‑i vmbr0 vlan 9 and tcpdump ‑i ens1f0np0 vlan 9 both show the guest’s ARP requests (“Who‑has 191.7.184.9?”) leaving the host with tag 9.
- No ARP reply ever returns.
- Creating a vmbr0.9 sub‑interface (with or without an IP) made no difference, so I removed it and stayed with vmbr0 only.
- The physical switch port that connects Proxmox is a trunk allowing VLAN 9.

So the frame clearly leaves Proxmox, VLAN tag intact, but the gateway never answers. At this point I suspect the problem is external (gateway or switch mis‑handling VLAN 9), yet I’d like to hear if I’m missing anything on the Proxmox side before I escalate to the network team.


Thanks in advance for any insight!

1745351492217.png


1745351512201.png
1745351544584.png
1745351604820.png
 
If the traffic leaves the Proxmox VE node tagged correctly, then the issue is with the network gear after the PVE host. Have you checked the switch config?
 
  • Like
Reactions: Kratus
weehooey-bh said:
If the traffic leaves the Proxmox VE node tagged correctly, then the issue is with the network gear after the PVE host. Have you checked the switch config?
Click to expand...
I'm currently working to verify that possibility, and at first glance, the switch configuration seems fine. However, I haven’t seen the VM’s MAC address appear on the switch’s MAC table, which makes me suspect the return traffic is being dropped or filtered before it reaches the guest.
 
  • Like
Reactions: weehooey-bh
shanreich said:
Is this instance hosted on hetzner by chance?
Click to expand...
No hetzner, this is currently internal a test environment where we are evaluating a possible migration from vSphere to Proxmox. We're still gaining experience with the platform, and at this stage, we’re trying to understand the full network flow — especially how traffic leaves the VM, passes through the Proxmox host, and reaches the core switch connected to it.


From what I've tested so far, everything appears to be correctly set up. The Proxmox host (node alpha) is able to reach the gateway at 191.7.184.9 through the core switch, so the upstream path seems to be working fine.


However, the VM still can't reach the gateway or receive any return traffic. If there's any advanced diagnostic or specific Proxmox feature/tool that could help trace or capture this more deeply, I’d really appreciate any pointers.


Thanks again for the support — we’re trying to learn and get things right....
 
Kratus said:
I'm currently working to verify that possibility, and at first glance, the switch configuration seems fine. However, I haven’t seen the VM’s MAC address appear on the switch’s MAC table, which makes me suspect the return traffic is being dropped or filtered before it reaches the guest.
Click to expand...

Please provide the contents of your /etc/network/interfaces file.

Have you enabled the PVE firewall?
 
You must log in or register to reply here.
Top Bottom