Setting Up VLANs in Proxmox VE
Learn how to configure VLAN-aware networking in Proxmox VE to segment your virtual network traffic securely.
Why Use VLANs in Proxmox VE?
VLANs (Virtual Local Area Networks) let you logically divide a single physical network into multiple isolated segments. In a Proxmox VE environment, VLANs are invaluable for separating different types of traffic: management, VM production traffic, storage replication, guest Wi-Fi, IoT devices, and more. Instead of running separate physical cables and switches for each network, VLANs allow all this traffic to share the same physical infrastructure while remaining completely isolated at layer 2.
Common use cases for VLANs in Proxmox include:
- Isolating management traffic from VM traffic for security.
- Separating development, staging, and production environments.
- Creating a dedicated storage network for Ceph or NFS replication.
- Segmenting untrusted guest or IoT networks from your server infrastructure.
VLAN-Aware Bridges
Proxmox VE supports two approaches to VLANs. The modern and recommended method is using VLAN-aware bridges. With a VLAN-aware bridge, you configure the bridge once and then assign VLAN tags per VM network interface. This is cleaner than the traditional approach of creating separate bridge interfaces for each VLAN.
Enabling VLAN-Aware Mode
To make a bridge VLAN-aware, add the bridge-vlan-aware yes directive in /etc/network/interfaces:
auto vmbr0
iface vmbr0 inet static
address 192.168.1.100/24
gateway 192.168.1.1
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094The bridge-vids line specifies which VLAN IDs the bridge will accept. Setting 2-4094 allows all standard VLANs. You can restrict this to only the VLANs you actually use, such as bridge-vids 10 20 30 100.
You can also enable this through the Proxmox web GUI: navigate to your node, go to System > Network, edit the bridge, and check the VLAN Aware checkbox.
Assigning VLANs to VMs and Containers
Once your bridge is VLAN-aware, assigning a VLAN to a VM is straightforward. In the VM's hardware settings, edit the network device and enter the VLAN tag number in the VLAN Tag field.
For example, if you have a web server VM that should be on VLAN 20, set the VLAN Tag to 20 on its net0 interface. Proxmox will automatically tag all outgoing frames with VLAN 20 and only deliver frames tagged with VLAN 20 to that VM.
From the command line, you can set the VLAN tag when creating or modifying a VM:
# Set VLAN tag 20 on VM 101's network interface
qm set 101 -net0 virtio,bridge=vmbr0,tag=20
# For an LXC container
pct set 200 -net0 name=eth0,bridge=vmbr0,tag=20,ip=10.20.0.10/24,gw=10.20.0.1Untagged (Native) VLAN Traffic
VMs that do not have a VLAN tag assigned will send and receive untagged traffic. This untagged traffic belongs to the native VLAN of the bridge, which is VLAN 1 by default. If your switch trunk port uses a different native VLAN, you should match that configuration on the Proxmox side.
Traditional VLAN Configuration (Non-VLAN-Aware)
Before VLAN-aware bridges became the standard, the traditional method was to create a separate Linux VLAN interface and bridge for each VLAN. While this still works, it is more verbose and harder to manage as the number of VLANs grows.
# VLAN 10 on eno1
auto eno1.10
iface eno1.10 inet manual
auto vmbr10
iface vmbr10 inet static
address 10.10.0.1/24
bridge-ports eno1.10
bridge-stp off
bridge-fd 0
# VLAN 20 on eno1
auto eno1.20
iface eno1.20 inet manual
auto vmbr20
iface vmbr20 inet static
address 10.20.0.1/24
bridge-ports eno1.20
bridge-stp off
bridge-fd 0With this approach, each VLAN requires its own bridge, and you assign VMs to the appropriate bridge rather than using VLAN tags. For new deployments, the VLAN-aware bridge method is strongly preferred.
Switch Configuration: Trunk Ports
Your physical switch must be configured to send tagged VLAN traffic to the Proxmox host. The switch port connected to your Proxmox server should be configured as a trunk port that allows the VLANs you need.
Example configuration for common switch platforms:
# Cisco IOS
interface GigabitEthernet0/1
switchport mode trunk
switchport trunk allowed vlan 10,20,30,100
# HP ProCurve
vlan 10,20,30,100
tagged 1
# Netgear (via web GUI)
# Set port to Trunk mode and add VLANs 10, 20, 30, 100 as taggedIf your trunk port is not configured correctly on the switch side, tagged traffic from Proxmox will be dropped. Always verify both sides of the connection.
Inter-VLAN Routing
By default, VLANs are isolated from each other at layer 2. If you need VMs in different VLANs to communicate, you have two options:
Option 1: Use the Proxmox Host as a Router
If your Proxmox host has IP addresses on multiple VLANs (via sub-interfaces or a VLAN-aware bridge), you can enable IP forwarding and let the host route between them:
# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -pVMs on VLAN 10 with gateway 10.10.0.1 can then reach VMs on VLAN 20 through the host, provided no firewall rules block the traffic.
Option 2: Use a Dedicated Router VM or Physical Router
For production environments, a dedicated router (pfSense, OPNsense, or VyOS running as a VM) is more flexible. Assign multiple VLAN-tagged interfaces to the router VM and let it handle inter-VLAN routing with full firewall control.
# Router VM with multiple VLAN interfaces
qm set 102 -net0 virtio,bridge=vmbr0,tag=10
qm set 102 -net1 virtio,bridge=vmbr0,tag=20
qm set 102 -net2 virtio,bridge=vmbr0,tag=30Practical Example: Three-VLAN Homelab
Here is a complete example for a homelab with three VLANs: management (VLAN 10), servers (VLAN 20), and IoT (VLAN 30).
auto lo
iface lo inet loopback
iface eno1 inet manual
auto vmbr0
iface vmbr0 inet static
address 10.10.0.100/24
gateway 10.10.0.1
bridge-ports eno1
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 10 20 30Then assign VMs to their respective VLANs via the VLAN Tag field. The Proxmox management interface itself runs on the native (untagged) network or you can assign it to VLAN 10 at the switch level.
If you manage multiple Proxmox nodes remotely, keeping track of which VMs are on which VLANs can get complex. Tools like ProxmoxR let you quickly check VM network configurations from your phone, which is handy when troubleshooting VLAN connectivity issues away from your desk.
Troubleshooting VLAN Issues
- VM cannot reach the network: Verify the VLAN tag is set correctly on the VM's NIC and that the switch trunk allows that VLAN.
- VMs on the same VLAN cannot communicate: Check that
bridge-vlan-aware yesis set and that both VMs have the same VLAN tag. - Traffic leaking between VLANs: Ensure IP forwarding is disabled on the host unless you intend to route between VLANs. Check:
sysctl net.ipv4.ip_forward. - Verify tagged traffic on the wire: Use
tcpdumpon the physical interface to see VLAN tags:tcpdump -i eno1 -e -nn vlan.
Summary
VLANs are one of the most powerful tools for organizing and securing your Proxmox VE network. Use VLAN-aware bridges for a clean configuration, ensure your switch trunk ports are set up correctly, and plan your VLAN scheme before deploying VMs. With proper VLAN segmentation, you can run multiple isolated networks over a single physical connection with confidence.
Take Proxmox management mobile
All the features discussed in this guide — accessible from your phone with ProxmoxR. Real-time monitoring, power control, firewall management, and more.