802.1q on VMs in VLAN-aware Networks

Network Diagram


                   igb0 -- WAN
                [FIREWALL]
                   igb1 -- LAN
                     |   igb1.25
                     |   igb1.80
                     |   igb1.148
                     |   igb1.666
                     |   igb1.999
                     |
              [MANAGED_SWITCH]
                |   |   |   |                 ,----- [VM] VLAN 148
       ,--------'   |   |   '--- [PVE Node] --|----- [VM] VLAN 25
       |            |   |                     '----- [VM] VLAN 666
       |            |   |                     ,----- [VM] VLAN 999     
[Ethernet Dock]     |   '-- [PVE Node] -------|----- [VM] VLAN 148
       |            |                         '----- [VM] VLAN 25
 [Windows PC]       |                         ,----- [VM] VLAN 80
       |            '------ [PVE Node] -------|----- [VM] VLAN 999
VMware Wrkstn Pro                             '------[VM] VLAN 148
,---------------.               
| VLAN 666 [VM] |
'---------------'

Requirements

Firewall

The firewall supports 802.1q VLANs

Managed Switches

The switch allows tagging ports with VLANs on a per-interface basis

Windows PC (VMware Workstation Host)

  • Bridged to Ethernet
  • Windows Settings > Network Settings > Advanced > Configure Ethernet adapter
    • Priority & VLAN = Disabled

If the Priority & VLAN setting is not disabled, the 802.1q tags are stripped from the Ethernet frames coming from the guest.

Configure Guest

Kali Linux (NetworkManager)

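#!/usr/bin/env bash
# Create or remove a NetworkManager VLAN sub-interface on the guest.

# ANSI colour codes for status messages
RESTORE=$(echo -en '\033[0m')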
RED=$(echo -en '\033[00;31m')
GREEN=$(echo -en '\033[00;32m')
LRED=$(echo -en '\033[01;31m')
LGREEN=$(echo -en '\033[01;32m')

INTERFACE="eth0"
VLAN_TAG=666
MTU=1496
CONNECTION_NAME='Wired connection 1'
ACTION=$(echo "$1" | tr '[:upper:]' '[:lower:]')

if [ "$ACTION" != "add" ] && [ "$ACTION" != "remove" ] ; then
    echo "Usage: $0 add/remove"
    exit 1
elif [ "$ACTION" == "add" ] ; then

    # -F matches the connection name literally, so the "." is not a regex wildcard
    if sudo nmcli connection show --active | grep -F "$INTERFACE.$VLAN_TAG" > /dev/null 2>&1 ; then
      echo -e "${RED}Interface: ${INTERFACE}.${VLAN_TAG} already active${RESTORE}\n"
    else
    
      sudo nmcli connection add type vlan ifname "$INTERFACE.$VLAN_TAG" dev "$INTERFACE" id "$VLAN_TAG" con-name "$INTERFACE.$VLAN_TAG" ipv4.method auto
      sudo nmcli connection modify "$INTERFACE.$VLAN_TAG" 802-3-ethernet.mtu "$MTU"
      sudo nmcli connection modify "$CONNECTION_NAME" ipv4.method disabled ipv6.method disabled
      sudo nmcli connection down "$CONNECTION_NAME"
      sudo nmcli connection down "$INTERFACE.$VLAN_TAG" && sudo nmcli connection up "$INTERFACE.$VLAN_TAG"
      echo -e "${GREEN}Interface: ${INTERFACE}.${VLAN_TAG} successfully created${RESTORE}\n"
      
    fi
    
    ip addr show "$INTERFACE.$VLAN_TAG"
    
else

    if ! sudo nmcli connection show --active | grep -F "$INTERFACE.$VLAN_TAG" > /dev/null 2>&1 ; then
      echo -e "${RED}Interface: ${INTERFACE}.${VLAN_TAG} already removed${RESTORE}\n"
    else
    
      sudo nmcli connection delete "$INTERFACE.$VLAN_TAG"
      sudo nmcli connection modify "$CONNECTION_NAME" ipv4.method auto ipv6.method auto
      sudo nmcli connection up "$CONNECTION_NAME"
      echo -e "${GREEN}Interface: ${INTERFACE}.${VLAN_TAG} successfully removed${RESTORE}\n"
      
    fi
    
    ip addr show "$INTERFACE"
    
fi

manage_vlan_interface.sh

bash ./manage_vlan_interface.sh add

Configures the interface with your VLAN tag

bash ./manage_vlan_interface.sh remove

Restores the default settings
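
To check whether the guest's frames still carry their 802.1q tag after they leave the Windows host (the Priority & VLAN setting described above), the following added example decodes the tag from the hex bytes of one Ethernet frame header. It is not part of the original script; the function names and both sample frames are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: decode the 802.1Q tag of one Ethernet frame given as hex.

# parse_dot1q HEXFRAME
#   tagged   -> prints "tagged vid=N pcp=N dei=N ethertype=0xHHHH", returns 0
#   untagged -> prints "untagged ethertype=0xHHHH", returns 1
#   bad data -> prints "malformed", returns 2
parse_dot1q() {
    local hex tpid tci inner
    # Normalise: drop spaces, colons and newlines, lower-case the digits.
    hex=$(printf '%s' "$1" | tr -d ' :\n\t' | tr '[:upper:]' '[:lower:]')
    case "$hex" in
        ''|*[!0-9a-f]*) echo "malformed"; return 2 ;;
    esac
    # Destination MAC (6) + source MAC (6) + EtherType/TPID (2) = 28 hex digits.
    [ "${#hex}" -ge 28 ] || { echo "malformed"; return 2; }
    tpid=$(printf '%s' "$hex" | cut -c25-28)
    if [ "$tpid" != "8100" ]; then      # 0x8100 is the 802.1Q TPID
        echo "untagged ethertype=0x$tpid"
        return 1
    fi
    # A tagged header adds the TCI (2) and the inner EtherType (2): 36 hex digits.
    [ "${#hex}" -ge 36 ] || { echo "malformed"; return 2; }
    tci=$((0x$(printf '%s' "$hex" | cut -c29-32)))
    inner=$(printf '%s' "$hex" | cut -c33-36)
    # TCI layout: PCP = top 3 bits, DEI = 1 bit, VLAN ID = low 12 bits.
    echo "tagged vid=$(( tci & 0xFFF )) pcp=$(( tci >> 13 )) dei=$(( (tci >> 12) & 1 )) ethertype=0x$inner"
}

# check_vlan HEXFRAME EXPECTED_VID: succeeds only if the frame carries that VLAN ID.
check_vlan() {
    local out
    out=$(parse_dot1q "$1") || return 1
    case "$out" in
        "tagged vid=$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample headers (not captured traffic): one frame with and without the tag.
TAGGED_666="ff:ff:ff:ff:ff:ff 00:50:56:aa:bb:cc 8100 029a 0800"
STRIPPED="ff:ff:ff:ff:ff:ff 00:50:56:aa:bb:cc 0800"

for frame in "$TAGGED_666" "$STRIPPED"; do
    parse_dot1q "$frame" || true        # non-zero here just means "untagged"
    check_vlan "$frame" 666 && echo "  VLAN 666 tag present" || echo "  VLAN 666 tag missing"
done
```

The frame bytes should come from a capture taken on the switch or firewall side of the Windows host, since that is where a stripped tag shows up as an untagged frame.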