Multiple VLANs on single Physical Interface in Linux

You may want to expose a Linux machine/server in your home to multiple VLANs to provide each VLAN with different services or allow access to that VLAN from the machine without having to go through the router. Here are ways in which you can do that on a machine with a single physical interface.

  • On Proxmox, you can update your /etc/network/interfaces file to add an interface for each VLAN and a bridge on top of it, which you can then use to attach network interfaces for your containers and VMs. In the example below, enp4s0.1 is the VLAN interface for the default VLAN and enp4s0.100 is the VLAN interface for the trusted VLAN; vmbr0 is the bridge that VMs and containers connect to when they need a network interface on the default VLAN, and vmbr2 is the bridge they connect to when they need a network interface on the trusted VLAN:
auto lo
iface lo inet loopback

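# Physical NIC: no address of its own, it only carries the VLAN interfaces
iface enp4s0 inet manual

# VLAN interface for the default VLAN
iface enp4s0.1 inet manual

# VLAN interface for the trusted VLAN
iface enp4s0.100 inet manual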

# Bridge for guests on the default VLAN
auto vmbr0
iface vmbr0 inet static
        address 192.168.11.2/24
        bridge-ports enp4s0.1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 1

# Bridge for guests on the trusted VLAN (the host's default gateway is on this one)
auto vmbr2
iface vmbr2 inet static
        address 192.168.2.2/24
        gateway 192.168.2.1
        bridge-ports enp4s0.100
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
  • On Ubuntu or other Linux desktop machines, if you want to experiment with a single physical interface supporting multiple VLANs, you can use a version of this script (it must be run as root). Here enp6s0 is the physical interface, and the host gets access to the default VLAN 1 and the trusted VLAN 100 through the br1 and br2 bridges:
#!/bin/bash

# Create one bridge per VLAN
ip link add name br1 type bridge
ip link add name br2 type bridge

# Create VLAN interfaces on the Ethernet port
ip link add link enp6s0 name enp6s0.1 type vlan id 1
ip link add link enp6s0 name enp6s0.100 type vlan id 100

# Add the VLAN interfaces to their respective bridges
ip link set enp6s0.1 master br1
ip link set enp6s0.100 master br2

# Configure VLANs on the bridges
bridge vlan add vid 1 dev br1 self
bridge vlan add vid 100 dev br2 self

# Bring up the interfaces (the parent must be up before its VLAN interfaces)
ip link set enp6s0 up
ip link set br1 up
ip link set enp6s0.1 up
ip link set br2 up
ip link set enp6s0.100 up
  • If you want to persist this on Ubuntu or another netplan-based distribution, here’s an example netplan YAML file that sets the same thing up (the bridges are named br0 and br1 here). It also prefers to route traffic through the trusted VLAN and uses the default VLAN only as an access path to that VLAN's own subnet. The MAC address and UUIDs shown are placeholders; each NetworkManager connection needs its own UUID:
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp6s0:
      match:
        macaddress: AA:AA:AA:AA:AA:AA
      dhcp4: no
      dhcp6: no
      networkmanager:
        uuid: "99999999-9999-9999-9999-999999999999"
        name: "Ethernet"

  vlans:
    enp6s0.1:
      id: 1
      link: enp6s0
      dhcp4: no
      dhcp6: no

    enp6s0.100:
      id: 100
      link: enp6s0
      dhcp4: no
      dhcp6: no

  bridges:
    br0:
      interfaces:
        - enp6s0.1
      dhcp4: yes
      dhcp6: yes
      dhcp4-overrides:
        use-routes: false
        route-metric: 1000
      routes:
        - to: 192.168.11.0/24
          via: 192.168.11.1
          metric: 100
      ipv6-address-generation: "stable-privacy"
      networkmanager:
        uuid: "99999999-9999-9999-9999-999999999999"
        name: "Default VLAN"

    br1:
      interfaces:
        - enp6s0.100
      dhcp4: yes
      dhcp6: yes
      dhcp4-overrides:
        route-metric: 10
      dhcp6-overrides:
        route-metric: 10
      ipv6-address-generation: "stable-privacy"
      networkmanager:
        uuid: "99999999-9999-9999-9999-999999999999"
        name: "Trusted VLAN"
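
To confirm that the ip script or the netplan file produced the intended layout, and that the trusted VLAN interface did not end up in the default VLAN's bridge, the check below reads `ip -d -o link show` output and compares each VLAN interface's 802.1Q ID and bridge against what you expect. This is an added example, not part of the original post; the function names and the sample output are constructed, and the triples use the script's bridge names (pass br0/br1 for the netplan variant).

```bash
#!/bin/bash
# Constructed, abbreviated `ip -d -o link show` output (not captured from a real host).
sample_links() {
cat <<'EOF'
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff promiscuity 2
5: enp6s0.1@enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br1 state UP mode DEFAULT group default qlen 1000\    link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff promiscuity 1 \    vlan protocol 802.1Q id 1 <REORDER_HDR> \    bridge_slave state forwarding
6: enp6s0.100@enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br2 state UP mode DEFAULT group default qlen 1000\    link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff promiscuity 1 \    vlan protocol 802.1Q id 100 <REORDER_HDR> \    bridge_slave state forwarding
EOF
}

# Usage: ip -d -o link show | check_vlan_topology IFACE:VID:BRIDGE ...
# Prints one line per triple; returns 0 only if every triple matches.
check_vlan_topology() {
    cvt_links=$(cat)                      # keep stdin so it can be scanned per triple
    cvt_rc=0
    for cvt_want in "$@"; do
        cvt_if=${cvt_want%%:*}            # interface name, e.g. enp6s0.100
        cvt_exp=${cvt_want#*:}            # expected "VID:BRIDGE"
        cvt_got=$(printf '%s\n' "$cvt_links" | awk -v ifc="$cvt_if" '
            { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
            name == ifc {
                vid = "none"; master = "none"
                for (i = 3; i <= NF; i++) {
                    if ($i == "master") { master = $(i + 1) }
                    if ($i == "vlan" && $(i + 1) == "protocol" && $(i + 3) == "id") { vid = $(i + 4) }
                }
                print vid ":" master
                exit
            }')
        if [ -z "$cvt_got" ]; then
            echo "MISSING  $cvt_if"; cvt_rc=1
        elif [ "$cvt_got" != "$cvt_exp" ]; then
            echo "MISMATCH $cvt_if want=$cvt_exp got=$cvt_got"; cvt_rc=1
        else
            echo "OK       $cvt_if $cvt_got"
        fi
    done
    return $cvt_rc
}

# Demo against the constructed sample; on a real host pipe in `ip -d -o link show`.
sample_links | check_vlan_topology enp6s0.1:1:br1 enp6s0.100:100:br2
```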
