VLAN10, 192.168.10.0/24, for router and proxmox management
VLAN11, 192.168.11.0/24, for virtualized machines inside Proxmox nodes on VLAN10
I want to have a virtualized LAN in order to isolate “operative” infrastructure/LAN (VLAN11) inside the IT LAN (VLAN10).
Besides the Proxmox and virtualized machines setup, what would be the correct configuration of tagged/untagged in the router? Now I have the following conf (only what I believe is important for the VLAN conf), but only VLAN10 is working (internet, LAN connection); VLAN11 outside Proxmox is working ok, VLAN11 inside Proxmox seems not to have network connectivity (inside and outside):
The configuration doesn’t make sense - you have name=aBridge in /interface bridge but references to bridge=3TSBridge in /interface bridge vlan.
Also, do not set the bridge-to-CPU PVID in /interface bridge to have the same ID as an /interface vlan attached to the bridge.
Right now, Proxmox (and its contained VMs) cannot access anything on 192.168.11.x/24 (just 192.168.11.2, which lives inside the Proxmox machine as a static IP). @tdw, just a typo from playing with the config: it should be aBridge always, sorry. Sorry also for the misunderstanding: which is the CPU PVID, and where in the code am I attaching it to the vlan attached to the bridge? (I believed the CPU PVID was 0 for mikrotik.)
Juan Ignacio,
You need a trunk port on both the router and Proxmox. This is how you are going to do it if your equipment is a CRS 3xx switch; this is device specific. This is just a bare minimum and assumes that your tagged port is ether1:
Thanks @loloski,
I believed the solution was about a trunk port, but did not know how to apply the specific mikrotik implementation (I tried randomly some changes related to tagged/untagged without success). I will try your solution in my scenario and then tell you about the results!
Juan Ignacio.
There are many ways to make a VLAN in mikrotik; even if it works it doesn’t mean it’s correct, because if you are doing that on a non CRS 3xx series it will consume CPU, so be careful.
Got it working with a single NIC on my Proxmox server. This tutorial and “How To Create VLANs in Proxmox For a Single NIC” on Youtube made me understand why we need “admit-only-vlan-tagged” and to add “pvid=4094” to the bridge port on Mikrotik.
The default Proxmox network interface with bridge-vlan-aware looks like this:
auto lo
iface lo inet loopback

iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.99.100/24
    gateway 192.168.99.1
    bridge-ports enp0s25
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

source /etc/network/interfaces.d/*
If we want to utilize all available vlans on a single NIC, nothing works except with the configuration above, i.e. adding a non-existent pvid. With this specific configuration, we can use any available vlans inside Proxmox or its VMs.
auto lo
iface lo inet loopback

auto enp0s25
iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp0s25
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4000
#vlans: 99, 210, 220;

auto vmbr0.99
iface vmbr0.99 inet static
    address 192.168.99.100/24
    gateway 192.168.99.1
#vlan-mgmt

auto vmbr0.210
iface vmbr0.210 inet static
    address 192.168.210.100/24
#vlan-210

source /etc/network/interfaces.d/*
It should be noted that the value of the iface’s bridge-vids 2-4094 (default) must be changed into something like bridge-vids 2-4090; then we use a value outside that range for the pvid in the Mikrotik bridge/port. I’m not a linux expert, so I don’t know whether this behavior applies to all linux bridges or only to Proxmox.
On a VM inside Proxmox, simply tag the intended vlan:
Not entirely true. When setting VLAN-related things on the bridge and its sub-items, things are pretty much divided:
items under bridge/port are about ingress behaviour
setting a bridge port with frame-types=admit-only-vlan-tagged makes the port reject any untagged frame on ingress. It also makes setting pvid completely irrelevant
items under bridge/vlan are about egress behaviour
only frames belonging to one of the VLANs of which the port is a member can egress that port. If the port is set as an untagged member of the VLAN, then the VLAN header will be stripped upon leaving the port
items on the bridge definition (under bridge) are either about the bridge switch-like entity (very few of them) or about the CPU-facing bridge port (most of the items) … frame-types is one of the CPU-facing port properties
And then there are a few interactions between the first two items above; some are automatic and some have to be enabled explicitly:
when a port is set with a PVID (and it always is, even if with the default value of 1) and the frame-types setting allows untagged on ingress, then the port is automatically added as an untagged member of the corresponding VLAN
This doesn’t happen in your case as the frame-types setting doesn’t allow untagged frames on ingress
when ingress-filtering is enabled (by manual configuration) on bridge/port, then the port VLAN membership (from bridge/vlan) is consulted when determining whether a frame can be allowed to ingress or not.
I.e. if a port is a member of VLANs with IDs 100 and 200 and there’s a frame with VID 300 “trying to enter”, it’ll be dropped with ingress-filtering enabled … but would be allowed to ingress with ingress-filtering disabled (which is the default setting).
The proxmox config would be mirrored on the proxmox-facing MT port like this:
The problem with the config in the bridge/vlan section is that there can be only one line targeting any given VLAN ID. So if there was a line like add bridge=bridge vlan-ids=300 tagged=bridge,etherX, the configuration attempt would fail. It would have to be rewritten like this:
The config line order doesn’t matter; what matters is “puncturing holes” in the VID range of the upper line (and I’m not entirely sure if the syntax shown for merging two intervals is actually valid). And this need for “puncturing the interval” is the biggest PITA when it comes to the way VLANs are configured in ROS (but it’s actually the same way as in a linux bridge).
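An added example, not from anyone in this thread: a small Python helper that takes the per-port tagged/untagged memberships and emits the bridge/vlan lines with the holes already punched, one line per contiguous run of VIDs with identical membership, so no VID ever appears in two lines. The bridge name aBridge, VLANs 10 and 11 and the 2-4090 trunk range are taken from the thread; ether1 as the Proxmox trunk and ether2 as an access port are assumptions, and one line per run is emitted instead of comma-joined ranges because the post above is unsure that syntax is accepted.

```python
"""Emit non-overlapping RouterOS '/interface bridge vlan add' lines."""

def vlan_lines(bridge, tagged, untagged):
    """tagged / untagged: {port name: iterable of VIDs}. Returns a list of
    RouterOS lines; every VID appears in exactly one line, as ROS requires."""
    member = {}  # vid -> (set of tagged ports, set of untagged ports)
    for table, idx in ((tagged, 0), (untagged, 1)):
        for port, vids in table.items():
            for vid in vids:
                member.setdefault(vid, (set(), set()))[idx].add(port)
    clash = sorted(v for v, (t, u) in member.items() if t & u)
    if clash:
        raise ValueError(f"port both tagged and untagged in VID(s) {clash}")

    # Collapse consecutive VIDs with identical membership into [first, last].
    runs = []  # [first, last, tagged ports, untagged ports]
    for vid in sorted(member):
        t, u = member[vid]
        if runs and runs[-1][1] == vid - 1 and runs[-1][2] == t and runs[-1][3] == u:
            runs[-1][1] = vid
        else:
            runs.append([vid, vid, t, u])

    def ports(names):  # CPU-facing bridge port listed first, then by name
        return ",".join(sorted(names, key=lambda n: (n != bridge, n)))

    lines = []
    for first, last, t, u in runs:
        ids = str(first) if first == last else f"{first}-{last}"
        line = f"add bridge={bridge} vlan-ids={ids}"
        if t:
            line += " tagged=" + ports(t)
        if u:
            line += " untagged=" + ports(u)
        lines.append(line)
    return lines

# Constructed scenario (assumed port roles): ether1 is the Proxmox trunk and
# must carry the whole bridge-vids 2-4090 range tagged; only VLAN10 (mgmt)
# needs to reach the CPU, so the bridge itself is tagged in VLAN10 only;
# ether2 is a plain access port in VLAN11 (the "VLAN11 outside proxmox" case).
BRIDGE = "aBridge"
TAGGED = {"ether1": range(2, 4091), BRIDGE: {10}}
UNTAGGED = {"ether2": {11}}

if __name__ == "__main__":
    print("/interface bridge vlan")
    print("\n".join(vlan_lines(BRIDGE, TAGGED, UNTAGGED)))
```

The output shows the trunk range split around VLANs 10 and 11, which is exactly the puncturing the post describes.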