Proxmox - VLAN Setup

Set up and use Virtual Local Area Networks in Proxmox VE.

The Basics

Virtual Local Area Networks (VLANs) in Proxmox VE (Virtual Environment) function similarly to VLANs in traditional networking environments. VLANs are used to segment network traffic, allowing you to create separate networks within the same physical network. This is particularly useful in virtualized environments like Proxmox for organizing and securing network traffic of different virtual machines (VMs) or containers.

In Proxmox, VLANs can be configured on network interfaces to allow VMs and containers to communicate on these segregated networks. Here's a basic overview of how they work:

  1. Creating VLANs: You can create VLANs in Proxmox by assigning a VLAN ID to a network interface. This VLAN ID distinguishes the traffic of one VLAN from another.
  2. Assigning VLAN to VMs/Containers: Once the VLANs are created, you can assign each VM or container a specific VLAN. This is done by attaching the virtual network interface of the VM or container to the VLAN.
  3. Network Segmentation: VLANs ensure that traffic is logically separated even though it may traverse the same physical network. This enhances security and can be used to implement network policies.

Terminology

  1. Network Interface: The physical or virtual network ports on the Proxmox server. Physical interfaces are usually named like eth0, ens33, etc., while virtual interfaces are named vmbr0, vmbr1, and so on.
  2. Virtual Bridge (vmbr): A virtual bridge (vmbr) in Proxmox acts like a network switch, connecting different network interfaces. It is used to bridge the physical network with the virtual network interfaces of VMs and containers.
  3. VLAN Tagging: The process of assigning a VLAN ID to network traffic. In Proxmox, VLAN tagging is done at the network interface level or at the VM/container level.
  4. Tagged and Untagged Ports: In the context of VLANs, a tagged port can carry traffic from multiple VLANs, while an untagged port is assigned to a single VLAN. In Proxmox, this relates to how network interfaces handle VLAN traffic.
  5. VLAN ID: A numerical identifier (typically between 1 and 4094) used to distinguish VLANs from each other. In Proxmox, VLAN IDs are assigned to virtual network interfaces or directly to VMs/containers.
  6. Bonding: This is the combination of multiple network interfaces into a single interface for redundancy and increased bandwidth. Bonding interfaces can also be configured with VLANs in Proxmox.
  7. OVS (Open vSwitch): An alternative to the standard Linux bridge, OVS is a multilayer virtual switch used for network automation and supports advanced network features, including VLANs.
  8. VLAN-aware Bridge: A special type of bridge in Proxmox that can handle VLAN tagging internally, allowing VMs/containers attached to it to be on different VLANs without configuring VLAN tagging on each virtual interface.
  9. Sub-interface: Sometimes used in VLAN configurations, a sub-interface (like eth0.100 for VLAN ID 100) is a virtual interface associated with a physical interface but designated for a specific VLAN.
  10. Network Model: In Proxmox, the network model refers to the configuration of networking in your virtual environment, including the use of standard Linux bridges, OVS, or even more advanced configurations like VLAN-aware bridges.

When configuring VLANs in Proxmox, it's crucial to have a clear understanding of your network layout and requirements. Each VLAN should be assigned a unique VLAN ID, and network interfaces on your Proxmox host need to be configured to handle the VLAN traffic appropriately. Additionally, your network switch (if used) should be configured to support VLAN tagging.

Set up a Proxmox VLAN

Configuring the router

Before configuring the VLAN in Proxmox, configure it on the network router. This example uses a UniFi UDM Pro. Most prosumer and enterprise routers can configure VLANs. Google "VLAN setup <router model>" and follow the steps specific to your model.

  • Sign in to UDM Pro and navigate to Settings > Network > New Virtual Network.
  • Complete the fields as follows:
    • Advanced: Manual
    • Gateway IP/Subnet: Specify the host address and CIDR.
    • VLAN ID: Specify any VLAN ID that differentiates this VLAN from the default LAN (VLAN 1).
  • Click "Add" to save it.
  • Configure security, such as segmentation and other firewall rules specific to this VLAN under Settings > Security > Traffic & Firewall Rules.

Setting up the Proxmox VLAN

  • Sign in to your Proxmox instance, navigate to Node > System > Network, select the network bridge to use (if not sure, select the default bridge, vmbr0) and click Edit.
  • Make the bridge VLAN aware by ticking the "VLAN aware" checkbox, and save it.

Assigning a VM to the VLAN

  • Within Proxmox, click the target VM > Hardware > Network Device.
  • Add the VLAN Tag and click "OK" to save it.

The VM will now join the tagged VLAN.
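
A consistency check for the two Proxmox steps above, added here as an example and not part of the original page or of Proxmox itself: it parses a host's /etc/network/interfaces for bridges and checks each VM NIC's tag against the bridge's `bridge-vids` list. The sample file, MAC addresses, VM IDs and function names are constructed, and the check assumes that `bridge-vids` lists the VLAN IDs the bridge passes.

```python
# Constructed sample of a Proxmox host's /etc/network/interfaces (not from the page).
INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    bridge-ports eno1
    bridge-vlan-aware yes
    bridge-vids 10 20-29
"""
# Constructed VM NIC values, in the netN form of /etc/pve/qemu-server/<vmid>.conf.
VM_NICS = {
    "100/net0": "virtio=BC:24:11:00:00:01,bridge=vmbr0,tag=20",
    "101/net0": "virtio=BC:24:11:00:00:02,bridge=vmbr0,tag=40",
    "102/net0": "virtio=BC:24:11:00:00:03,bridge=vmbr0",
}

def parse_bridges(text):
    """Map each bridge stanza to its VLAN-aware flag and set of allowed VLAN IDs."""
    stanzas, opts = {}, {"vids": set()}  # options before any iface are discarded
    for line in text.splitlines():
        words = line.split("#")[0].split() or [""]
        key = words[0].replace("_", "-")  # bridge_ports and bridge-ports both occur
        if key == "iface":
            opts = stanzas[words[1]] = {"bridge": False, "vlan_aware": False, "vids": set()}
        elif key == "bridge-ports":
            opts["bridge"] = True
        elif key == "bridge-vlan-aware":
            opts["vlan_aware"] = words[-1] == "yes"
        elif key == "bridge-vids":
            for tok in words[1:]:  # single IDs or lo-hi ranges
                lo, _, hi = tok.partition("-")
                opts["vids"].update(range(int(lo), int(hi or lo) + 1))
    return {name: o for name, o in stanzas.items() if o["bridge"]}

def audit_nic(nic, bridges):
    """Return a list of findings for one NIC value; empty means consistent."""
    fields = dict(f.split("=", 1) for f in nic.split(",") if "=" in f)
    bridge = bridges.get(fields.get("bridge"))
    if bridge is None:
        return ["bridge is not defined on this host"]
    if "tag" not in fields:
        return ["no VLAN tag: NIC sits on the untagged network"]
    tag = int(fields["tag"])
    if bridge["vlan_aware"] and tag not in bridge["vids"]:
        return [f"VLAN {tag} is not listed in bridge-vids"]
    return []

if __name__ == "__main__":
    for name, nic in VM_NICS.items():
        print(name, audit_nic(nic, parse_bridges(INTERFACES)) or "ok")
```

Listing only the VLAN IDs in use under `bridge-vids` is what lets this check catch a mistyped tag such as the 40 on VM 101.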