Proxmox VLAN Configuration: Management IP, Bridge, and Virtual Machines

If you are running VLANs in your network, you may want your Proxmox VE management IP on your management VLAN, or you may need to connect your virtual machines to separate VLANs. Let’s look and see how we can do this.

What are VLANs?

First, let’s get a quick primer on what VLANs are exactly. VLANs (virtual local area networks) are logical networks you can create that separate devices and broadcast domains. They enable isolating network traffic between devices all without having separate physical network infrastructure. VLAN-aware network switches can assign a VLAN tag that identifies a unique network and broadcast domain.

Network and VLAN terms

Before diving into VLANs, let’s review some essential networking concepts:

network device: A network device is really anything (physical or virtual) that can connect to a computer network

Linux Bridge: A Linux bridge enables more than one network interface to act as a single network device.

Virtual Machine (VM): A virtualized instance of an operating system running on a hypervisor

IP Address: A numeric identifier of network devices on a network. These must be unique.

Default Configuration: The initial settings applied to a device or software.

Networking Service: Software that manages network connections and traffic flow

Management Interface: In Proxmox VE this is the network interface that allows you to access the web UI and command line interface of your Proxmox host.

Physical Network Interface (NIC): The physical connection from a computer to a physical network switch port.

Network Interfaces File: In Linux systems this is where you setup the network configuration for your network interfaces.

Proxmox default network configuration

In the below screenshots, I am using one of my Supermicro hosts that is configured with (2) 1 GbE connections and (2) 10 GbE connections.

In the Proxmox network connections, you will see the individual physical adapters and then you will see the Proxmox Linux bridge configured by default.

Below:

• Individual physical adapters are named eno1, eno2, eno3, eno4
• The Linux bridge is called vmbr0

You can look at the low-level configuration in the following file:

/etc/network/interfaces

Make the default Proxmox VE Linux bridge VLAN-aware

One of the easiest configurations to implement Proxmox VLANs is called bridge VLAN aware. With this configuration, you are simply enabling VLANs on the default vmbr0 interface.

To do this, open the properties of the vmbr0 interface under your proxmox host properties Network > vmbr0 > Edit.

You will see this by default. The VLAN aware setting will be unchecked. The bridge port is assigned with the interface that is uplinked.

Now, to make our bridge VLAN-aware, place a check in the VLAN aware box. Click OK.

After you make the change, reboot your Proxmox VE host:

reboot

How does this change the /etc/network/interfaces file?

You will see the configuration change and add the VLAN stanzas in the configuration, as you can see in my configuration.

iface lo inet loopback

iface eno3 inet manual

iface eno1 inet manual

iface eno2 inet manual

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet static
address 10.3.33.14/24
gateway 10.3.33.1
bridge-ports eno3
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

By default, Proxmox will enable the Linux bridge with a “trunk port” configuration that accepts all VLANs from 2-4094. You can remove all the VLANs aside from specific VLANs you want to tag, using the following configuration:

auto vmbr0
iface vmbr0 inet static
address 10.3.33.14/24
gateway 10.3.33.1
bridge-ports eno3
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 10,149,222

Below, I have removed the IP from the default bridge, but you can see the restricted bridge-VIDs to specific VLANs.

Physical network switch tagging

One point to note at this point is that you need to make sure your physical network switch plinking your Proxmox host is tagged for all the VLANs you want the Proxmox bridge to communicate with. If we are tagging frames from the Proxmox side with VLAN IDs that the physical network switch does not have configured, the frames will be discarded.

Below is a screenshot of VLANs configuration and VLAN setup on my Ubiquiti 10 GbE switch. You can see the VLANs tagging and trunking configured on the switch. The T stands for “tagged”. As you can see below, I have VLANs 10, 19, and 30 tagged on all ports. 

Setting the Proxmox Management interface IP on a different VLAN

What if we want to change the management interface IP and set the management interface IP on a different VLAN? We can do that with the following configuration. As we can see, I have removed the address and gateway configuration lines from the vmbr0 configuration.

Instead, I have created a VLAN tagged interface, tagged with VLAN 149 for the management interface.

iface eno3 inet manual

iface eno1 inet manual

iface eno2 inet manual

iface eno4 inet manual

auto vmbr0
iface vmbr0 inet manual
bridge-ports eno3
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

auto vmbr0.149
iface vmbr0.149 inet static
address 10.1.149.14/24
gateway 10.1.149.1

Save your configuration. You can reboot to make the configuration take effect, or you can run the command:ifup -a

Once you have rebooted or ran the ifup command, you should be able to run the ip address command to see the IP address and interfaces:ip a

We can also verify the configuration in the Proxmox VE GUI, looking at the properties of the Proxmox host > Network.

We can also check external connectivity with a simple ping of the new management IP address we have placed on the new VLAN.

Change Proxmox VE host file reference to old IP

If you change your Proxmox VE management IP address, you will want to go into your /etc/hosts file and change the IP reference for the Proxmox host.nano /etc/hosts

Configuring VLANs in Proxmox VE web interface

To configure VLANs in Proxmox VE on the default bridge using the web interface, we can follow the below.

Web Interface Configuration

The Proxmox VE web interface simplifies VLAN configuration through its GUI.

Create a new Linux VLAN:

• Go to the Network section in the web interface.
• Click on Create and select Linux VLAN.
• Enter a VLAN ID and a Name.
• Optionally, you can configure other settings, such as the bridge and the VLAN tag.
• Click on Create to save the changes.

Advanced Configurations

Now that you understand the basics of VLAN configuration in Proxmox VE, we can explore some advanced topics:

Trunk Ports

A trunk port is a network interface that can carries multiple VLANs traffic. It is a useful configuration for connecting multiple VLANs and VMs to multiple VLANs. To configure a trunk port on Proxmox VE, you need to:

• Make the bridge VLAN aware
• Add the VLAN ID to the bridge configuration. By default it will be a trunking configuration when you make it VLAN aware. Proxmox automatically configures VLAN 2-4094 on the default bridge.
• Configure the VM network interface with the right VLAN tag

VLAN Aware Bridges

The VLAN bridge is a network type in Proxmox that comes from LInux networking and it allows the Proxmox VE host to be able to understand VLAN tags and forward traffic to the correct VLAN. This is required for communicating between VMs on different VLANs. To configure a VLAN-aware bridge on Proxmox VE, you need to:

• Enable the vlan_filtering option in the bridge configuration.
• Add the VLAN ID to the bridge configuration.

Routing between VLANs

When you setup new VLANs, devices on one VLAN can’t talk to the devices on the other subnet by default. Generally, according to best practice, a VLAN will house 1 subnet. So it means your devices on each VLAN will have different IP addresses on different subnets. You will need to configure a router or firewall that can do routing (like pfSense) between the devices on different VLANs/subnets so these can communicate.

Troubleshooting

What if you have issues with your Proxmox VLANs?

• Check the syntax you have used in the /etc/network/interfaces file
• Make sure there isn’t a mismatch between the VLAN tagging in Proxmox and the untagged VLAN on the Switch port. This could result in double-tagging frames (meaning your host is tagging a VLAN, and the Switch is also trying to tag it via untagged traffic)
• If you are restricting specific VLANs in your bridge VIDS configuration, make sure you have allowed the VLANs you are expecting to be tagged
• Make sure your network switch is tagged with all the VLANs on the physical uplink(s) for your Proxmox VE host
• If you are having trouble with one VLAN subnet talking to another VLAN subnet, make sure the appropriate routes are in place to make this happen

Wrapping up

Creating and configuring VLANs in Proxmox is not too difficult. Once you understand the concepts and where to implement the configuration, it is actually quite simple. Adding VLANs to your Proxmox VE host will allow you to connect your virtualized workloads to the various networks that may be running in your network environment and enable traffic to flow and connect as expected.