this post was submitted on 28 May 2024
36 points (90.9% liked)

Selfhosted

40246 readers
872 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
36
VLAN question (self.selfhosted)
submitted 5 months ago* (last edited 5 months ago) by peregus to c/selfhosted
 

I've finally been connected to a fiber connection 2,5/1Gbps! 🥳 Now I want to share my connection with my neighbor and so I've installed 3 PCIx dual 1GB nic (I'm out of PCIe slots 🤷‍♂️).

The connections comes from my OPNsense to the server (Proxmox) via a 10Gbps fiber connection.

I want OPNsense to take car of firewalling dividing the neighbor networks with VLANs. The OPNsense part is done and working, I need to assign to each of the 6 1Gbps NIC each VLAN.

I've tagged the traffic going into the server via the fiber connection, but now how can I assign each VLAN to each NIC? Thanks!

Edit: Proxmox has nothing to do in the equation, it just happens to be on the same server where the NICs are.

all 31 comments
sorted by: hot top controversial new old
[–] HybridSarcasm -2 points 5 months ago (1 children)

With the disclaimer that Proxmox has nothing to do with this question, I’m forced to assume this is just a networking issue that happens to use OPNsense as the router. Because of that, I must advise that you seek help from a networking-focused community. There’s no clear link to self-hosting in this post, which is required per Rule 3.

[–] peregus 1 points 5 months ago

I know that you are right...sorry, but...

[–] Glitterbomb 15 points 5 months ago (1 children)
[–] peregus 4 points 5 months ago (1 children)

Of course! But I must advice that you will be limited to 1/0,5Gbps! 😁

[–] [email protected] 5 points 5 months ago

I would take that any day!

[–] Eideen 8 points 5 months ago (1 children)

Draw us a topology drawing. Please.

[–] peregus 2 points 5 months ago (1 children)

Forget everything that I've written, I just need to assign 6 VLAN (tagged, coming in from enp2s0) to 6 NICs (untagged to: enp9s1f0, enp9s1f1, enp9s2f0, enp9s2f1, enp10s1f0, enp10s1f1).

[–] HybridSarcasm 4 points 5 months ago* (last edited 5 months ago) (1 children)

If the connections are already tagged as you come into the Proxmox server, then you need only to create interfaces for them in Proxmox (vmbr1, vmbr2, etc). EDIT: if you’re doing PCI passthrough of the physical NICs, ignore this step.

Then, in OPNsense, you just adding the individual interfaces. No need to assign a VLAN inside OPnsense because the traffic is already tagged on the network (per your earlier statement).

Whether or not the managed switch that has tagged each port is also providing VLAN isolation, you’ll simply use the OPNsense firewall to provide isolation, which it does by default. You’ll use it to allow the connections access to the fiber WAN gateway.

[–] peregus 1 points 5 months ago (3 children)

I've just edited the original post to make clear that Proxmox has nothing to do in this picture, it just is installed in the same PC where the NICs are. What I need it just assign 6 VLAN (tagged, coming in from enp2s0) to 6 NICs (untagged to: enp9s1f0, enp9s1f1, enp9s2f0, enp9s2f1, enp10s1f0, enp10s1f1).

[–] Kryesh 4 points 5 months ago* (last edited 5 months ago) (1 children)

So the PC connected to opnsense is running proxmox for it's OS? Create a bridge for each physical interface, then add a tagged interface to it for the one connected to opnsense; Eg, vmbr2 could have enp2s0.100 and enp9s1f0 as members. Just add .vlanid to the end of the interface name in the bridge settings in proxmox, and don't make the bridges vlan aware. If vmbr0 is vlan aware then just add vmbr0.100 instead of enp2s0.100 With that setup the server will switch packets between the vlans on enp2s0 and the other interfaces. Don't need to put any VMs on the bridges

Will add: this is using the PC like a switch, you're probably better off using an actual switch with vlan configuration instead

[–] peregus 1 points 5 months ago (1 children)

That's it, thanks!!! So easy!!! Thanks a lot!

I know that it would be better to use a switch, but I would need a 10Gbps (or 2,5Gbps, do they exists) switch with 2 sfp+ port (1 for Internet connection and the second one for the server). In this way I've just bought the 3 old NIC for 25€ and that's it. I know that they will consume way more than the switch, but how many years do I need to break even?

[–] [email protected] 1 points 5 months ago

Well it depends on how much you pay for power and what your pc consumes at idle (or at least idling while doing networking). I’d do an analysis and a graph with excel to make sure. Many old (used) networking components can be had for a steal and will still have many years of use still left in them. Use a kill-a-watt to get an accurate account of idle pc power.

[–] [email protected] 3 points 5 months ago (1 children)

He just told you. Assign VLAN on each individual port on your switch. Done. If your switch is unmanaged, then you need a new switch to support VLANs.

[–] peregus 1 points 5 months ago

There are no switches in play!

[–] [email protected] 4 points 5 months ago (2 children)

If all you want is to break out the VLANs to NICs using a Linux PC instead of a managed switch, create six bridge interfaces and put in each bridge the VLAN interface and the NIC.

[–] hungover_pilot 3 points 5 months ago

This is how I would do it also, assuming you aernt passing the NICs through to VMs

[–] peregus 1 points 5 months ago

I Just didn't know how to do it; @[email protected] in its post up here told me. Pretty easy!

[–] [email protected] 3 points 5 months ago (1 children)

I have no clue what you're talking about but feel your pain in this Stackoverflow-like thread. Accept this website as my condolences.

[–] Cobrachicken 2 points 5 months ago

Stolen, bookmarked. Thank you. P.s.: Can't understand the downvotes either.

[–] solidgrue 2 points 5 months ago (1 children)

If you just want each physical interface on your server to participate in a single VLAN, set the corresponding switch port as an access port in the desired VLAN, and then configure each server interface as a normal untagged interface.

You would only do tagged frames (802.1q trunking) if you wanted to support several VLANs on the switch port.

[–] peregus 1 points 5 months ago

Yes, but...how do I do that?

[–] [email protected] 1 points 5 months ago (1 children)

I understand the attraction of virtualising this, but unless you want to share more than just the ISP connection, I would be providing Internet access to your neighbour’s untrusted network using a bare-metal router. Just my two cents.

[–] peregus 1 points 5 months ago

Mmm...I'm notr trying to virtualize anything. I'll edit the post to make it clear.

[–] [email protected] 1 points 5 months ago* (last edited 5 months ago) (1 children)

Vmbr0 should be your VLAN aware bridge. You create this in the pve networking dashboard.

Then create vmbr0_101 (where 101 is your vlan). Also create vbmr0_102, and so on.

Assign those vmbr0_xxx to each of the VMs.

If you host all the VM's on the same box, create all the vmbr0_xyz in the pve dash, and in each VM/container>networking assign it.

[–] peregus 1 points 5 months ago (1 children)

I don't need to assign VLANs to VMs, I need to assign them to 6 phisical NICs (tha fact that they are installed in the same machine where there is Proxmox is irrelevant).

[–] [email protected] 3 points 5 months ago (2 children)

If Proxmox is already installed on the machine, how are you running OPNSense? If it’s not bare metal, it’s a VM, and if it’s a VM it needs Proxmox’s virtual NICs to be VLAN aware, unless you are doing PCI pass through of the entire network card.

[–] HybridSarcasm 1 points 5 months ago

Would they have to be VLAN aware if the switch port was already tagged AND if OP doesn’t care to consider untagged traffic ?

[–] peregus 1 points 5 months ago

OPNsense is in one PC (and it only works as router/firewall), Proxmox is on another PC with all the NICs and Proxmos and it will also work as switch.

[–] [email protected] 1 points 5 months ago

Some diagram would help. Are you trying to use your server as a switch?