mephistopoa
Enthusiast
Enthusiast

how to hand over VLAN traffic untagged to VMs?

I'm trying to find a way to use VLANs to isolate networks for my VMs. I'm using pfsense as a VM as well as a firewall, then my idea was to create VLANs on it, get that vlan tag to a portgroup and then the portgroup would strip that VLAN ID off the packet and hand it over to the VMs connected to that virtual network as untagged, so I don't need to configure VLANs on the VMs virtual network cards.

I found on the documentation that ESXi doesn't do native VLANs, so I'm wondering here how people do with a multitenant infra-structure? My idea is to use the physical switches to pass frames as they are regardless if they have VLAN ID traffic or not, and then control the traffic in/out on virtual networks using the VLAN tagging, which then should be stripped and handed over to the VMs in that network.

Is it possible to do that?

Tags (2)
5 Replies
daphnissov
Immortal
Immortal

my idea was to create VLANs on it, get that vlan tag to a portgroup and then the portgroup would strip that VLAN ID off the packet and hand it over to the VMs connected to that virtual network as untagged, so I don't need to configure VLANs on the VMs virtual network cards.

Yes, this is exactly how that works. 802.1q tags are stripped once the traffic gets passed to the vNIC.

I found on the documentation that ESXi doesn't do native VLANs

Don't know what this means. Native VLANs are concepts on the physical infra, which ESXi certainly handles (because it's not a function of ESXi, really).

so I'm wondering here how people do with a multitenant infra-structure?

VLANs, just like you're doing with port groups. Not sure what else your question is here, but VLANs are what are used (or VxLAN/GENEVE in the case of overlays with NSX-V/T).

mephistopoa
Enthusiast
Enthusiast

I thought that native vlan meant something that doesn;t have 802.1q tag or has it got it stripped?

I must confess I'm a bit confused, let's say pfsense VM and another guest VM are running on the same host, I configure one interface on pfsense with vlan50 and on esxi portgroup I configure also port50, but the guest VM has no vlan configured on its nic. Will the tagged from pfsense hit the vswitch, and then go to the portgroup and the vlan tag is removed? What happens when the guest VM sends traffic back to the same portgroup? I don't understand how this would work.

My understating is that something needs to strip vlan tag on one side from pfsense and hand over to the guest vm, then the other way around it would need to add a vlan tag and hand over to pfsense

0 Kudos
Dashers
Enthusiast
Enthusiast

The virtual networking switch/stack will take care of tagging.  But arguably pointless if you're doing everything internally.

A virtual switch will segregate all your traffic on that switch.  Guests with nics on that vswitch, like a real switch, can only communicate with other devices on that vswitch.  If you're using this exclusively for internal networking, then there is no benefit from using a vlan.

When you add a physical nic to the switch, vlan becomes useful, any traffic that goes out that nic will be tagged/detagged as appropriate.

You can influence this though, if you don't want the vswitch to detag your traffic and want to leave that to the guest to do, then set your vswitch to use a vlan of 4095, which essentially makes your vswitch a "trunk" and it will capture all traffic sent to it.

You have two real options with pfsense.  Either set it up on a trunk connection and setup the vlan's in pfsense, or setup vswitches for each vlan and create corresponding nics at the guest level.  The end result is the same, it's just a preference on how you want to manage it.  Personally, I use a combination because I can't make up my mind which I prefer! Smiley Happy

mephistopoa
Enthusiast
Enthusiast

I'll have more hosts added later on so I need it done this way.

I've resolved the problem by having pfsense connected to a portgroup that works as a trunk ports passing all VLANs to pfsense, and then on pfsense I crate an interface with the VLAN number I want. On the same virtual switch I create another port group that has only the specific VLAN I want to use for the VMs. That way I can have untagged vlan traffic arriving at the VM.

So if I pass all VLANs on a virtual switch, if works like a trunk port and packets are forward with vlan tag on, if I select just one VLAN for a virtual switch then the vlan tag is removed and handed over to the VMs.

I wanted something in between, having specific VLANs passed to pfsense on a trunk port, but not all VLANs, just a few, but if I do that, then the virtual switch will strip the vlan tag off.

for now, as long PFsense doesn't get compromised there is a certain levle of security having it receiving all VLANs but just using the VLANs configured on it. The better scenario would be trunk ports that pass only the required VMs down to of psense.

I guess I can't achieve that.

0 Kudos
Dashers
Enthusiast
Enthusiast

Just because it's a trunk connection, doesn't mean it will get all traffic: it's still a switch after all.

You can disable promiscuous mode on the virtual switch, so the guests will only get eligible traffic: stuff directed to the guest mac and broadcasts.  But yes, absolutely, if you want to lock it down, then do it at the port-group level, and add a port group per vlan.