[TUTORIAL] - Proxmox OPNsense VLAN (2024)

Hello,

Here is a tutorial to create with the graphical interfaces 2 Vlans between 1 Proxmox server and 1 OPNsense router.
Do not hesitate to make remarks for improvement or correction.
So our starting infrastructure is this (Boths hosts are physicals):

+------------+ +-----------------+| | | || | | || | NetCard: ProxmoxVlans | || OPNsense +-----------------------------------------------+ Proxmox || | NetCard: enp35s0f0 | || | | || | | |+------------+ +-----------------+

On OPNsense:

1. Go to "Interfaces" -> "Other Types" -> "VLAN"
2. Click on the "Add" button at the top right
3. Choose the information below by clicking on "Save"
   • Parent interface: choose your "ProxmoxVlans" NetCard, for me is "re1 (xx‑xx‑xx‑xx‑xx‑xx) [ProxmoxVlans]"
   • VLAN tag: your VLAN ID, by exemple "10" (do not use id "0" is the default VLAN id)
   • VLAN priority: some QOS, I let : "Best Effort (0,default)"
   • Description: "VLAN10 for Proxmox"
4. Create a 2nd VLAN
   • Parent interface: "re1 (xx‑xx‑xx‑xx‑xx‑xx) [ProxmoxVlans]"
   • VLAN tag: "20"
   • VLAN priority: "Best Effort (0,default)"
   • Description: "VLAN20 for Proxmox"
5. Go to "Interfaces" -> "Assignments" -> at the bottom, where it says "New interface". We’ll create a virtual interface that will be one of our VLANs.
   1. choose one of the VLANs you have created. "vlan 10 on re1 (VLAN10 for Proxmox)"
   2. In "Description", put the name of the interface that you will see in the list of interrfaces. "PVLAN10"
6. same with the other VLAN (20 for me)
   1. "vlan 20 on re1 (VLAN20 for Proxmox)"
   2. "PVLAN20"
7. Go to "Interfaces" -> you first VLAN "PVLAN10"
   1. Enable Interface
   2. set the ip configuration, for exemple
      • IPv4 Configuration Type: Static IPv4
      • Static IPv4 configuration: 192.168.10.1/24
8. same with the other VLAN
9. For activate the DHCP (optional) Go to "Services" -> "DHCPv4" -> your vlans interfaces (PVLAN10)
   • Enable DHCP server on the PVLAN100 interface
   • Save

On Proxmox:
pve-admin-guide-> 3.3.8. VLAN 802.1Q

"traditional" VLAN on the Linux bridge: In contrast to the VLAN awareness method, this method is not transparent and creates a VLAN device with associated bridge for each VLAN. That is, creating a guest on VLAN 5 for example, would create two interfaces eno1.5 and vmbr0v5, which would remain until a reboot occurs.

+----------------------------+ +------------------------------------------------------------------------+| | | || | | Vnetcard: enp35s0f0.10 || OPNsense | | +--- VLAN 10 ----- Bridge vmbr010 --+ || | | | | +--------------+ || | | | | | VMtest | || VNetCard: PVLAN10 ----+ | | | | | | || | | | | Proxmox +---+-eth0 | || | |PNetCard: ProxmoxVlans | | | | || +--+--------------------------------------------+-+ +---+-eth1 | || | | NetCard: enp35s0f0 | | | | | || | | | | Vnetcard: enp35s0f0.20 | +--------------+ || VNetCard: PVLAN20 ----+ | | +--- VLAN 20 ----- Bridge vmbr020 --+ || | | |+----------------------------+ +------------------------------------------------------------------------+

1. Go to your PVE -> Network -> Create -> Linux VLAN
   1. Name: enp35s0f0.<your VLAN id>; for exemple for VLAN 10: enp35s0f0.10
   2. "Vlan raw device" and "VLAN Tag" are automatically filled
2. The same with enp35s0f0.20
3. Create now a Linux Bridge
   • Name: vmbr010
   • Bridge ports: enp35s0f0.10
4. And a other bridge with enp35s0f0.20
5. Create a VM with 2 network cards on "Hardware"
   1. the fisrt with Bridge vmbr010
   2. the second with Bridge vmbr020
6. • If you not use Cloud-Init :
     1. Start the VM
     2. list the correct name of your VMs networks cards execute cat /proc/net/dev
     3. and go to modify the file /etc/network/interfaces (for Debian OS family) for add the second network interface (See below for an example)
     4. reboot
     5. execute ip a to check
   • If you use Cloud-Init:
     1. Set the IP by the menu Cloud-Init
     2. Start VM
     3. execute ip a to check

 #/etc/network/interfacesallow-hotplug ens18iface ens18 inet dhcp# second interfaceallow-hotplug ens19iface ens19 inet dhcp# or for set ip manualyallow-hotplug ens19iface ens19 inet static address 192.168.20.2/24 gateway 192.168.20.1

VLAN awareness on the Linux bridge: In this case, each guest’s virtual network card is assigned to a VLAN tag, which is transparently supported by the Linux bridge. Trunk mode is also possible, but that makes configuration in the guest necessary.

+----------------------------+ +------------------------------------------------------------------------+| | | || | | Proxmox Bridge vmbr0.10 || OPNsense | | +--- VLAN 10 --+ || | | | | +--------------+ || | | | | | VMtest | || VNetCard: PVLAN10 ----+ | | | | | | || | | | +-----------+ +---+-eth0 | || | |PNetCard: ProxmoxVlans | | | | | || +--+--------------------------------------------+- Bridge vmbr0 -+ | +---+-eth1 | || | | NetCard: enp35s0f0 | | | | | || | | | | Bridge vmbr0.20 | +--------------+ || VNetCard: PVLAN20 ----+ | | +--- VLAN 20 --+ || | | |+----------------------------+ +------------------------------------------------------------------------+

1. Go to your PVE -> Network -> Create -> Linux Bridge
   • Name: vmbr0
   • Set "Vlan aware"
   • Bridge ports: enp35s0f0
2. Create a VM with 2 network cards on "Hardware"
   1. the first
      • Bridge: vmbr0
      • VLAN Tag: 10
   2. the second
      • Bridge: vmbr0
      • VLAN Tag: 20
3. • If you not use Cloud-Init :
     1. Start the VM
     2. list the correct name of your VMs networks cards execute cat /proc/net/dev
     3. go to modify the file /etc/network/interfaces (for Debian OS family) for add the second network interface (See example above)
     4. reboot
     5. execute ip a to check
   • If you use Cloud-Init:
     • Set the IP by the menu Cloud-Init
     • Start VM
     • execute ip a to check

For all the reasons we might want to use VLANs.

In short, Vlans make it possible to use several networks on the same physical link. VMs with a network card on the VLAN 10 will not be able to join the VMs of the VLAN 20. Unless you add a route to them

Personally I use it to have a VLan that will serve as DMZ, another will serve for my cluster K8S.

PS: Another option is to use OPNsense or PFsense as a VM.

My vlan implementation is a little different.

I'm using sophos utm (instead of __sense), and only have a single linux bridge (vmbr0) interface assigned for lan. Another interface is used in passthrough for wan. UTM was previously a vm under esxi.

UTM is configured with 3 vlans - default (van1, untagged), vlan3 (voip, tagged), vlan4 (IoT, also tagged). All of these exit on to the vmbr0 interface and further down the line get split as untagged vlans to the various devices by a semi-smart switch (rt-ac68u w/ merlin's firmware using robocfg vlan config tool). UTM handles all the housekeeping (firewall, dhcp, dns, nat, etc) for all devices on all vlans.

I recall reading (https://pve.proxmox.com/wiki/Network_Configuration#_vlan_802_1q) that by default, a bridge interface can carry a number of vlans (or all of them, 4095). It wasn't exactly clear if this needed to be specified or just works that way out of the box. Rather than try to make sense of the documentation I just experimented. Turns out that was the case. Without specifying any vlans in the network bridge config, or the guest vm network config, all vlans are passed.

The benefit is simplicity and fewer interfaces. It's my understand using your method you can limit it to only those vlans specified and none others. This may be preferred in a none home environment.

I think my confusion was why define multiple vlans in proxmox when ___sense can handle it all internally with a single interface.

das1996 said:

Turns out that was the case. Without specifying any vlans in the network bridge config, or the guest vm network config, all vlans are passed.

Click to expand...

I don't understand, you have set manually a ip (from vlan3) on your VM and it's OK ?
utm does not say: everything that is not tagged is vlan1?

Here's the interface assignment.
eth0 - virtio interface for main lan
eth1 - virtio interface internal to proxmox only (does not bind to any physical nic), for nextcloud vm
eth2 - wan, pcie passthrough for i211 nic
samdung is a guest wifi ssid

Disregard the physical port -x comments, that's a carry over from when I was using the quad port nic. There are now only 2 physical nics present. You are correct in your statement, nothing vlan is defined in proxmox, everything is configured in guest vm.

Santized ip's go something like this

eth0 - 192.168.1.0/24 (primary lan subnet)
eth0.3 192.168.3.0/24 (voip)
eth0.4 192.168.4.0/24 (guest wifi)
eth1 192.168.100.0/24 (nextcloud subnet)
eth2 {Public IP}

If I recall correctly,vlan1 is considered default or native vlan, untagged by convention. That's why one should never assign a tagged vlan1 (or 0, or 4095).