Introduction
In a virtualized environment, VLANs (Virtual LANs) play a crucial role in network isolation and segmentation.
Within Proxmox VE (PVE), VLANs can be managed through Linux bridges (e.g., vmbr0) combined with VLAN tagging, allowing multiple VMs to share a single physical NIC while staying securely separated across different subnets.
This article summarizes my hands-on experience configuring VLANs in Proxmox, serving as a practical reference for future use.
1. The Basics of VLAN
- VLAN (Virtual LAN) is a Layer 2 technology that uses 802.1Q tags to logically separate traffic across the same physical network.
- Each VLAN has its own unique VLAN ID, such as:
  - VLAN 1: Management network
  - VLAN 2: Production network
  - VLAN 3: Testing network
  - VLAN 4: IoT / Camera network
  - VLAN 5: Office internal network
By setting physical switch ports to Trunk mode, multiple VLANs can pass through a single interface.
This allows a single Proxmox NIC (e.g., enp3s0) to handle all tagged VLAN traffic.
2. Network Model in Proxmox
Proxmox uses Linux Bridge as its virtual switch.
When you create vmbr0, it acts like a virtual network switch — both VMs and physical NICs can connect to it.
Example configuration:
```
auto lo
iface lo inet loopback

iface enp3s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 10.0.100.2/24
    gateway 10.0.100.1
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 1-5
    bridge-pvid 1
```
🔹 Explanation:
- `bridge-vlan-aware yes` → Enables VLAN tagging on this bridge.
- `bridge-vids 1-5` → Allows VLAN IDs 1 to 5.
- `bridge-pvid 1` → Default VLAN is 1 (untagged traffic goes into VLAN 1).
3. Assigning VLAN Tags to VMs
Each VM network interface (e.g., net0) can have its own VLAN tag.
When the VM sends traffic through vmbr0, Proxmox automatically adds the proper 802.1Q tag.
Example command:
```
qm set 100 --net0 virtio=52:54:00:65:35:46,bridge=vmbr0,tag=5
```
Or via the web GUI:
- Edit VM → Hardware → Network Device
- Bridge: vmbr0
- VLAN Tag: 5
- Model: VirtIO or E1000
This means that the VM’s traffic will be tagged as VLAN 5.
4. VLAN 1 and Untagged Traffic
In most switches and Linux bridges, VLAN 1 is the default untagged VLAN.
If you don’t specify a VLAN tag (that is, you leave out tag=1), the traffic automatically belongs to VLAN 1.
That’s why management interfaces like the Proxmox Web GUI or SSH usually stay on VLAN 1.
Example:
```
qm set 101 --net0 virtio=52:54:00:AA:BB:01,bridge=vmbr0
```
This VM’s traffic is untagged → belongs to VLAN 1.
5. Checking VLAN Configuration
View current VLAN mapping:
```
bridge vlan show
```
Example output:
```
port              vlan-id
enp3s0            1 PVID Egress Untagged
                  2
                  3
                  4
                  5
vmbr0             1 PVID Egress Untagged
                  2
                  3
                  4
                  5
tap100i0          5 PVID Egress Untagged
```
Interpretation:
- The physical NIC enp3s0 allows VLAN 1–5.
- VM interface tap100i0 uses VLAN 5.
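The check above can be automated. The following Python sketch is an added example, not part of the original article: it parses `bridge vlan show` text and flags VM tap ports that sit untagged on VLAN 1 next to the management interface, or that use a VLAN ID the uplink does not carry (the tag-mismatch case from the troubleshooting table). The sample output, the ports tap101i0 and tap102i0, and the function names are constructed for illustration.

```python
# Constructed sample in `bridge vlan show` layout; tap101i0 and tap102i0 are hypothetical.
SAMPLE = """\
port              vlan-id
enp3s0            1 PVID Egress Untagged
                  2
                  3
                  4
                  5
vmbr0             1 PVID Egress Untagged
                  2
                  3
                  4
                  5
tap100i0          5 PVID Egress Untagged
tap101i0          1 PVID Egress Untagged
tap102i0          7 PVID Egress Untagged
"""

def parse_bridge_vlan(text):
    """Map each port name to the VLAN IDs it carries and its PVID."""
    ports, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "port":      # blank line or header row
            continue
        if not tokens[0][0].isdigit():             # a new row starts with the interface name
            current = ports.setdefault(tokens.pop(0), {"vids": set(), "pvid": None})
        if current is None or not tokens:
            continue
        lo, _, hi = tokens[0].partition("-")       # compressed output may show ranges like 2-5
        current["vids"].update(range(int(lo), int(hi or lo) + 1))
        if "PVID" in tokens[1:]:
            current["pvid"] = int(lo)
    return ports

def audit(ports, uplink="enp3s0", mgmt_vid=1):
    """Flag VM tap ports that share the management VLAN or use a VLAN the uplink lacks."""
    findings = []
    for name, info in sorted(ports.items()):
        if not name.startswith("tap"):             # only guest NICs, named like tap100i0
            continue
        if info["pvid"] == mgmt_vid:
            findings.append((name, f"untagged guest shares management VLAN {mgmt_vid}"))
        for vid in sorted(info["vids"] - ports[uplink]["vids"]):
            findings.append((name, f"VLAN {vid} is not allowed on uplink {uplink}"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_bridge_vlan(SAMPLE)), sep="\n")
```

On a live host, pass the captured output of `bridge vlan show` to `parse_bridge_vlan` instead of `SAMPLE`.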
6. Common Problems and Fixes
| Issue | Cause | Solution |
|---|---|---|
| VM cannot reach the network | VLAN tag mismatch or switch doesn’t allow VLAN | Check the trunk port VLAN list on the switch |
| PVE lost connection | VLAN-aware bridge misconfigured and management VLAN blocked | Keep VLAN 1 accessible for management |
| VLAN tags not working | bridge-vlan-aware missing | Add bridge-vlan-aware yes to vmbr0 |
7. Best Practices
| Type | Configuration | Recommendation |
|---|---|---|
| Management VLAN | No tag (default VLAN 1) | Keep untagged for stable management access |
| Multi-VLAN on same NIC | Use bridge-vlan-aware yes | One bridge can handle multiple VLANs |
| Isolated VM networks | Use tagged VLANs (e.g., tag=5) | Separate office, IoT, or testing networks |
| Physical switch setup | Set port to Trunk mode | Allow tagged VLANs through |
8. Conclusion
Proxmox’s VLAN implementation is highly flexible.
By combining Linux Bridges and VLAN tagging, you can achieve enterprise-grade network segmentation with minimal hardware.
When paired with a managed switch (like Unifi or Juniper), Proxmox becomes a powerful foundation for secure and scalable network architectures.
“One physical NIC, multiple virtual networks — VLANs bring flexibility and isolation together.”