How To Create VLANs in Proxmox For a Single NIC

Captions
When you first install Proxmox, the setup process only sets up a single management interface for your computer. Now that's a bit of a problem if your computer only has one interface, because the typical hypervisor needs access to multiple VLANs, and so do the actual virtual machines that it will be running. So if you've only got one interface on your computer, how do you set up Proxmox to support VLANs? Well, if that's something you're interested in finding out, then stick around and watch this video, because that's what we'll be going over. [Music]

Now, unless you're going to be running everything within Proxmox itself and this is just a standalone server, then Proxmox is going to need access to different VLANs through a network switch, and that means that the network switch needs to be a manageable network switch, in other words one that you can configure to support VLAN tagging, or 802.1Q as it's known as. So what I'm going to do in this video is to put in a timeline and break it up into sections, because we need to configure a switch and we need to configure Proxmox itself to be able to support this VLAN tagging. Now I can't actually cover every different type of vendor out there and all the different ways to configure an actual switch, but hopefully I can give you some idea as to how you configure a switch to be able to support this VLAN tagging, and if this is not a type of switch that you're using, at least you should be able to get some ideas as to how to configure your own switch.

Now I'm going to make an assumption that you've already installed Proxmox and that you've got remote management access to it, in which case the first thing we need to do is to reconfigure the networking on Proxmox itself. So I'm going to click on the server over here in the left-hand pane, and then I'm going to go down to where it says Network, below System, and this gives us a graphical representation of how the network's been set up. So during the initial installation it basically picks out one of your
network cards, assuming you've got more than one, and it then creates this bridge called vmbr0, and it assigns the IP addressing as part of that installation process to the actual Linux bridge. So in my case I've got a network card called enp0s25, that's what's been assigned to the bridge as you can see here, and that's the IP addressing that was set up. Now if I click on the bridge and click on Edit, I can make it VLAN aware, but I can't start carving this up so that the hypervisor has got access to different VLANs. It's just got one management interface and there's no VLAN tagging going on at all, but I actually want to give this hypervisor access to multiple VLANs.

So to do that I'm going to have to go into the actual console, or terminal if you will, and I'm going to have to make changes to the underlying operating system. Now Proxmox is running on Debian Linux, so if you're familiar with that it's pretty straightforward to do. What I'm going to do is I'm going to click on Shell, and that'll open up a shell into Debian Linux, but you could also just gain access to it through SSH if you wanted to. The good thing I like about this Proxmox version is that it allows me to actually copy and paste. Now VMware's ESXi, for example, wouldn't let me do that, hence with that one I would usually go in through SSH, but this just makes life a bit easier.

So now that we're in the actual terminal, we need to swap over to the folder which is /etc/network, because there's a file in here which is the configuration file for interfaces. So I'm going to copy that file called interfaces to another file, just to give me a backup copy, and then I'm going to edit that file. So you can see here's our interface, here's our bridge configuration here as well. Now the auto bit, if you're curious, that just means to automatically start the interface, and down here we've got the reference to the interface to say, yep, this bridge port is enp0s25, so the physical interface is part of the bridge and the IP
addressing is assigned to the bridge. Now what I'm going to do is I'm just going to make a bit of space here, because I'm going to copy in a section that I've already got created, just to make my life easier. So what I've done is I've created a sub-interface on that bridge that was created, and I've got the IP addressing assigned, so that part looks pretty much the same as it does here, except this is a sub-interface. This is one that's basically saying this is a sub-interface that belongs to VLAN 100, so this is our interface which will be in VLAN 100.

Now, I now need to take the actual IP addressing out of the bridge itself, so I'm just going to move the cursor down to that line, hold down the Shift key and then press the arrow twice, and it highlights both of those lines. Hold down the Control key, press K, and it'll cut those two lines out. So essentially what I've done is I've created a new sub-interface, which is an interface that plugs basically into VLAN 100. When the hypervisor starts sending traffic out this interface, if you will, here, it's going to be tagged as belonging to VLAN 100, whereas before there was no tagging going on at all. So that's the reason why we're having to come into the actual terminal session and edit the actual configuration file, because this is an option that wasn't available through the GUI.

But now that I've done that, I also need to make this VLAN aware, so I'm just going to hit Return and I'm going to add in two lines here. So the first line is to say that the bridge is VLAN aware, and the second line is to set the range of VLANs that can be used on the actual physical interface, really, because the bridge sits as an overlay between the physical interface and the hypervisor. And so what we're actually doing here is setting the VLANs that we're allowing on the bridge, but ultimately these are going to determine the sort of VLAN tags that either get sent out from the actual hypervisor or will be accepted by the hypervisor. Now what we've got
here is a range of 2 to 4092. If you look at the documentation example for Proxmox, they go from 2 to 4094. Typically with other hypervisors you'll see 4095 gets dropped because it's a special VLAN. You also start at VLAN 2 because VLAN 1's a special VLAN. It's just a security best practice: don't use VLAN 1 on your network. When you get a switch, usually every port is assigned to VLAN 1, so that's one reason to do it. The idea is, if you've got a fresh switch and it hasn't been configured, by not using VLAN 1 it means if somebody comes along and plugs a computer into a port, they can't get access to any other computer on your network, as everything else is in something other than VLAN 1. And when it comes to Cisco switches, VLAN 1's especially important because it's also a system VLAN, it's what their switches use to communicate, and so when it comes to Cisco switches they tell you don't use VLAN 1 for that very reason. That way none of your computers can get access to that sensitive information that the switches are exchanging.

So in any case, that's the example that Proxmox gave you, but I'm going to drop two VLANs from the end because I want to reserve one VLAN for unused ports, and that's another best practice when you are managing a network switch. The idea is that you want a port assigned to an unused VLAN if it isn't in use. Same reason: you don't want computers being able to be plugged in and getting access to VLAN 1, for example, you don't want those sort of mistakes happening, so you always assign ports that aren't in use to an unused VLAN. So I'm dropping one VLAN for that reason.

Another VLAN that I need is for the native VLAN, so this is a VLAN that gets used for untagged traffic. Now a security best practice is tag all of your traffic. Any traffic that isn't going to be tagged gets assigned to the native VLAN, and the idea is then don't use the native VLAN on your servers either, so that way if something's untagged
on a physical switch, for example, the traffic gets put into this native VLAN and it never gets sent to the actual hypervisor like this, for example, because the hypervisor's just going to ignore it, it's not on the allowed VLAN list. So it's entirely up to you what VLANs you want to use for your native VLAN, your unused VLAN, or whether you just want to stick with Proxmox's own settings, but that's the way I like to set it up.

So just to summarize: we've created a sub-interface. For me VLAN 100 is the management VLAN, and it's why I've created a sub-interface in VLAN 100. We've moved the IP addressing from the actual bridge itself across to this sub-interface now, and we've added those two lines in, one to make the bridge aware of VLANs so that it'll support VLAN tagging, and one to give it a range of acceptable VLANs, so that's VLANs that it can actually send out to the switch and VLANs that it'll receive from the switch. So now that we've made those changes I'm just going to save them, and then the next thing we need to do is to actually reboot our actual server here so the actual changes will take place.

Well, once Proxmox has been rebooted and it's back up and running, if you leave it long enough what you're going to find is that your web browser is going to then show something like this, meaning the actual connection has timed out. So you can see that's the error message, connection timed out. It's basically because your computer cannot connect to Proxmox anymore, and the reason for that is because Proxmox is expecting tagged traffic now, whereas the switch is configured for untagged traffic. So we actually need to reconfigure the switch to send tagged traffic going forward. Now how you actually do that depends on your switch manufacturer, depending on your version of your operating system maybe, it all varies depending on the switches, so I'll just go over the principles of how this all works to give you some idea so you'll know how to configure your switch. Now this particular one is a very old switch,
they don't even make it anymore, but it's a Cisco small business switch. Now with some manufacturers you have what's called an access port and an actual trunk port. An access port is for end devices that do not support VLAN tagging, a trunk port is for devices that do support VLAN tagging. Now in this particular case this switch doesn't do that, everything's just a trunk, but whether you have to change this port from being an access port to a trunk port depends on how you originally configured it, whether it supports it or not, and so on. But once you've actually got this set up as a trunk port on port 1, we need to change what is the default VLAN, the primary VLAN ID or the native VLAN, it depends on the manufacturer, because that's going to adjust the behavior of that port.

So to give you an example, what's happening at the moment is that when this was originally set up, the computer doesn't support tagging and Proxmox didn't either, so port 1 and port 8 were set up to belong to VLAN 100. So the idea was neither device supports tagging, so we're not going to send tags to the computer, we're not going to expect tags from the computer, and that worked perfectly fine. But now that we've reconfigured Proxmox and it supports tagging and it expects tagging, it stopped working. What's actually happening is that the computer is sending untagged traffic to port 8, so the switch is assigning VLAN 100 to the traffic. That traffic then gets sent through the actual switch, gets to port 1, and then there's an actual check made: what is the primary VLAN ID for this port? In this case it's 100. Because there's a match, what's then happening is that the actual switch then removes the VLAN ID, so Proxmox is actually receiving untagged traffic for VLAN 100 and it doesn't know what to do with it. It's actually expecting traffic to be tagged with VLAN 100, so that's why it's broke. So what we've got to do is we've got to change this to something else, basically. Now what you use is entirely up to you, but what
I've done is I've reserved VLAN 4093 for my native VLAN, so this is a VLAN that gets used for untagged traffic, basically. It really should be a VLAN that you're not going to use in your network, so for me I just picked out 4093, and that's what we're going to assign as the primary VLAN ID, PVID, default VLAN, native VLAN, whatever they happen to call it.

Another thing I'm going to do is I'm going to change this setting here. Now this is more of a security feature, because at the moment what's happening is the switch is willing to accept any type of traffic, doesn't matter whether it's tagged or untagged, it'll accept it. Because we've set this up as a trunk port, we do not want tagged traffic, or untagged traffic rather, we only want tagged traffic, so I'm going to tick that box now and say I only want tagged traffic to be coming in going forward. Again, it's another security feature and it'll vary depending on your switch.

Now one final thing I need to do for this particular switch is disable this feature, which basically just forces all traffic that goes out to the actual computer to be untagged. In this case it has to be tagged traffic, that's what Proxmox is expecting, so it's a case of I now have to disable this. Originally these were actually disabled by default, but because when it comes to access ports they don't expect them, I was enabling all these for every access port as a security feature, but now I've changed this over to a trunk port I've got to take that feature away. So I'm going to click on Save. So now what's going to happen is that when this computer sends its traffic untagged, that hits port 8, the switch is going to say, well okay, this is untagged traffic so your VLAN's now 100, and it attaches VLAN ID 100 to the traffic and sends it over to port 1.
It has a look at the primary VLAN ID for this port and says, well, that's not 100, and it retains the actual tag, so it goes out. Now Proxmox will actually get that 100 tag, so if we go over to our web browser and hit refresh it may or may not work, the mileage varies. So what I'm going to do is do a bit of a check here, let's at least ping it. Okay, so I'm getting a ping response, in which case what I'm going to do is I'm just going to stop that, try again. There, that's better. So I find that sometimes happens, maybe it's just this Microsoft Edge, I don't know, sometimes I find it needs a bit of a push, but in any case we've now got remote access to Proxmox.

So if we go to the network settings, what's changed is that we've now got this sub-interface, so this is something we configured through a terminal session or a shell, depending on how you did it. The key point is that the IP addressing is now moved down to here, and the management interface therefore supports VLAN tagging, and in my case it's VLAN 100, but you know, what VLANs you use are entirely up to you. The reason I did it that way is because there must be some sort of parser going on within this graphical user interface. It's typical for computers: you can't have two interfaces in the same network, it causes problems. The switch wouldn't know, the computer rather wouldn't know what to do, which interface to send traffic out of, so typically it doesn't let you configure two interfaces in the same subnet. So that happens within the GUI, which meant even though I could have created an actual interface in VLAN 100, I wouldn't have been able to assign this IP address to the sub-interface while it was still assigned to this one. And it's kind of a chicken and egg: I can't take it away from this one and then add it to this one because, well, you need an IP address in the first place to connect to. So that's why I went through the console, or shell I should say, to be able to make a change within the actual interfaces file that it
doesn't take effect until you actually apply the change, and that's how I can do it through the console. But again, just bear in mind that once you reboot the computer, now you're supporting VLAN tagging, which means you've then got to go into the switch and reconfigure your switch to be a trunk port so that you're now supporting VLAN tagging on Proxmox and on your switch.

Now the reason that we've reconfigured Proxmox like this is it's a case of we want access to multiple networks, more specifically VLANs, but we've only got one physical interface on the computer. Although to be honest, when it comes to high-end computers you would have bound the interfaces together anyway and still be setting up these sub-interfaces in different VLANs anyway. But the key point is that going forward we can now start adding more interfaces to Proxmox just by creating more VLAN interfaces. So let's say for example you've got a dedicated storage network. We don't want to send traffic to our SAN or NAS through a firewall because it would slow it down, we want high throughput, the best we can get, in which case we want to give our hypervisor here direct access into VLAN 200, for instance.

Now we could go back into the shell, for example, and we could reconfigure that interfaces file, but we can also make a change within the actual GUI here. So I'm going to click on the Create button here and I'm going to select Linux VLAN. Now instead of that default name of vlan 0, I'm going to give it a name of vmbr0 because that's the name of the bridge and we're creating a sub-interface in there. We'll use a dot because it's going to be a sub-interface, and then we're going to type in 200. Now 200 is the VLAN number, and you can see here it's automatically populated the VLAN tag field as 200, and then you need to give it an IP address. So I'll keep things consistent here, because this particular computer, it's got an IP address of 10 in each interface. That's the idea: it ends as 10 for this VLAN and I'm going
to give it a 10 for the next VLAN and every VLAN, because it just makes life a whole lot easier if the computer's IP address, or at least that last octet, is always the same. Now what I happen to have done here when it comes to the actual numbering of the VLANs is I'm keeping the third octet in line with the VLAN number. Now that is just literally not practical if you've got, you know, thousands of VLANs, but when it's a small number of VLANs it just makes life a bit easier. If I look at this IP address, for instance, I know it belongs to VLAN 200. Likewise, so I need to set up an interface in VLAN 200, I know to set the third octet to 200.

Now when it comes to the gateway, we don't want to give this a gateway IP address. For one thing, this is an interface that's for direct access to storage, there's nothing beyond this VLAN, so it's a case of there's no point setting one. But you wouldn't really want to set one anyway, because if you've got a computer and it's got multiple gateways, it means it has multiple default routes and things will just fall apart. If you've got a firewall in your network it just won't work. So typically what you do is you pick out one interface and you give that interface a default gateway IP address, that's to get access to various networks, the internet and so on, for instance, but every other interface you leave that entry blank.

So now that we've set that up we're going to click on Create. We now need to apply the actual change, so we're going to click Apply Configuration and click Yes, and then that's it, it's actually set up the interface. Now we don't need to do anything more for Proxmox itself, because when we set up the configuration and made this bridge VLAN aware we gave it a range of VLANs from 2 to 4092, so we don't need to make any further changes to Proxmox, but we do need to make a change on the switch. So if we go back to the switch, it's going to vary depending on your switch manufacturer. With some switches you
reconfigure the actual port and add a VLAN to it. In the case of this switch, you modify the VLAN and you assign the VLAN to ports. So in my case I want to allow VLAN 200 on that trunk interface to Proxmox, so I'm selecting VLAN 200, I'll click Modify, and then I'm going to assign that VLAN to port 1, then I'm going to click on Save. Now go over to my VLAN port settings and click on this drop-down menu, and you can see we've now got access to VLAN 200 on this interface.

Now I wouldn't recommend configuring a trunk port on your switch to allow access to all VLANs. This gives you a bit of added security by being restrictive. By all means leave that big range on the server, because it makes life a lot easier when it comes to the administration. If I want to set up Proxmox, for example, and give it access to VLAN 300, unless I configure VLAN 300 on this interface then it doesn't matter whether, you know, I've configured Proxmox in advance. If the server would have sent traffic tagged with VLAN 300 but 300 is not on this interface, it'll get dropped. Likewise, if there's a computer on the network that's sending traffic to VLAN 300, it won't get sent out this interface unless it allows VLAN 300. So that's a security feature, and by just doing it on the switch it just saves a bit of extra admin work. But the key point is we just needed to add the VLAN to the actual switch port and that's it.

So if I go over to the command port, uh, command prompt here, and I'll try now to ping VLAN, ping 200 instead, we're now getting a reply back. So the reason I can do this just happens to be the way I've configured this up. This particular computer, it's got one interface plugged into port 8 and that's assigned to 100, and I've got another interface plugged into port 7, so it's got access to 200. So Proxmox, it's got interfaces in both of these, and that's why the computer can basically get a response back from either one. But it's pretty straightforward to set up really. Once you've made that initial change within the
interfaces file, going forward you can just keep adding more and more VLAN interfaces like this, and then it's just a matter of going back to the switch and then assigning the VLAN to the trunk port, and now that's it, you'll be able to give your hypervisor access to multiple VLANs through the single physical interface.

Now because we've actually set up Proxmox to support VLAN tagging, it means that any virtual machine that already exists on Proxmox and any virtual machine going forward needs to be VLAN aware as well, and that means we need to configure the actual network interface to support VLAN tagging. So in this case I've already configured some virtual machines and I'm just going to pick this one as an example. What I need to do is edit its network interface. Now it might actually have multiple network interfaces, in which case we put them into different VLANs. In this particular case I've only got one, so I'm just going to select that one interface and I'm going to click on Edit. Now this virtual machine was actually put into network 192.168.100.0 when this was all set up with untagged VLANs, in which case I need to put this into VLAN 100. So obviously, you know, what VLAN you use is entirely up to your own settings, but in my case it has to be the VLAN that it was originally set to. I could put it in another one, but I'd then have to start changing the IP addressing and so on. But it's pretty easy to do: you just pick the actual network interface and assign the relevant VLAN at the VLAN tag field, click OK, and then power it on. And what it'll mean going forward is that what this virtual machine will be able to do is be able to reach not just other virtual machines that are in VLAN 100 on Proxmox itself, but any machine that's actually accessible through VLAN 100 on your physical network switches.

So if we select the console prompt here, and it's booted up already on, I'm just testing out this xor linux operating system out of here, you'll see, to see what it's like, but what I'm going to
do is I'm going to log in and I'm just going to basically see if I can get access to the physical network from this computer and whether I can get access to this computer from the physical network. So it looks as though it's just about logged in, so I'll just click on the menu option and try to filter this out to terminal session. So I'm going to ping 192.168.100. well, for example, so that's the IP address of the switch, so it is getting a response back. Now have a look and see what its IP was, so this has got an IP of 192.168.100.50, that's why I've had to put it into VLAN 100. So if I go, looking at the command prompt again on my Windows computer, if I ping 192.168.100. I'm now getting a reply from that virtual machine. So the virtual machine can go out and talk to devices on the physical network, and devices on the physical network can reach this virtual machine.

One thing I'll point out is I haven't gone from this virtual machine to the Windows computer, because the Windows computer's got a built-in software firewall, so if I try to ping the IP address of the computer it will fail, the Windows computer will block it. I can ping the virtual machine that I've got here because we don't have ufw, for example, installed on here. But anyway, it's pretty straightforward to set up. I mean, I could add multiple interfaces to this virtual machine to give it access to multiple networks. I could have virtual machines that are in the same VLAN and they'll just talk directly to each other through the software bridge. If they need to get out to the physical network, then that traffic will go out the physical interface and then it'll go out to, you know, whatever the devices are that are reachable on the physical network that we've got. All pretty straightforward when it comes to the virtual machines, though. It's just a case of once you've got Proxmox set up to support VLANs and you've got support on the physical network interface for those VLANs, you can just send traffic backwards and forwards between
the virtual environment and the network environment. All pretty straightforward really.

Well, thanks for making it to the end of this video, I really do hope you found it useful. If so, then do click the like button and share, because that encourages YouTube's algorithm to suggest it to other people who might find it useful as well. If you're new to the channel and you'd like to see more content like this, then yeah, do subscribe, just remember to click the little bell icon though, that way you'll get notifications when I send new content out. If you've got any comments, any suggestions, if you want to leave any feedback at all, please post that in the comments section below, and if you'd like to support the channel I've left links to both Patreon and PayPal in the description below. But above all, thanks very much for watching, I'll see you in the next video. [Music]
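
The layout described in the captions above, as an added example that is not part of the video or the channel's material: a small Python check that parses an ifupdown-style `interfaces` file and flags departures from that layout (bridge not VLAN aware, address left on the bridge, reserved VLANs in `bridge-vids`, a sub-interface outside the allowed range, more than one gateway). The two sample files are constructed and trimmed to the relevant options; the addresses, the gateway, and 4094 as the unused-port VLAN are assumptions.

```python
# Added example (not from the video); addresses in the samples are assumed.

BEFORE = """\
auto vmbr0
iface vmbr0 inet static
    address 192.168.100.10/24
    gateway 192.168.100.1
    bridge-ports enp0s25
"""

AFTER = """\
iface enp0s25 inet manual

auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp0s25
    bridge-vlan-aware yes
    bridge-vids 2-4092

auto vmbr0.100
iface vmbr0.100 inet static
    address 192.168.100.10/24
    gateway 192.168.100.1

auto vmbr0.200
iface vmbr0.200 inet static
    address 192.168.200.10/24
"""


def parse_interfaces(text):
    """Return {interface: {option: value}} for every iface stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "source", "source-directory"):
            current = None  # these lines belong to no stanza
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas


def expand_vids(spec):
    """Turn a bridge-vids value such as '2-4092' or '100 200-210' into a set."""
    vids = set()
    for part in spec.split():
        low, _, high = part.partition("-")
        vids.update(range(int(low), int(high or low) + 1))
    return vids


def audit(text, reserved=(1, 4093, 4094)):
    """List (interface, finding) pairs; reserved = default, native, unused VLANs."""
    stanzas = parse_interfaces(text)
    bridges = {n: s for n, s in stanzas.items() if "bridge-ports" in s}
    findings = []
    for name, s in bridges.items():
        if s.get("bridge-vlan-aware") != "yes":
            findings.append((name, "bridge is not VLAN aware"))
        if "address" in s:
            findings.append((name, "address on the bridge is untagged"))
        hit = sorted(expand_vids(s.get("bridge-vids", "")) & set(reserved))
        if hit:
            findings.append((name, f"bridge-vids allows reserved VLANs {hit}"))
    for name in stanzas:
        parent, dot, vid = name.rpartition(".")
        if dot and parent in bridges and vid.isdigit():
            if int(vid) not in expand_vids(bridges[parent].get("bridge-vids", "")):
                findings.append((name, "VLAN not in the bridge's allowed range"))
    gateways = [n for n, s in stanzas.items() if "gateway" in s]
    if len(gateways) > 1:
        findings.append((",".join(gateways), "more than one default gateway"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "no findings")
```

To check a real host, pass the contents of its own interfaces file to `audit()` and set `reserved` to the native and unused VLAN IDs chosen for that network.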
Info
Channel: Tech Tutorials - David McKone
Views: 77,248
Keywords: proxmox vlan tagging, proxmox vlan aware, proxmox vlan bridge, proxmox vlan trunk, proxmox vlan aware linux bridge, proxmox vlan single nic, proxmox vlan interface, proxmox single nic vlan, proxmox networking, proxmox networking tutorial, proxmox networking vlan, proxmox, proxmox ve, virtualization, proxmox tutorial
Id: ljq6wlzn4qo
Length: 28min 34sec (1714 seconds)
Published: Fri Apr 08 2022