VLANs with KVM guests on Ubuntu 18.04 / netplan

There is a frustrating lack of information on how to set up multiple VLAN interfaces on a KVM host out there. I made my way through it in production today with great applications of thud and blunder; here’s an example of a working 01-netcfg.yaml with multiple VLANs on a single (real) bridge interface, presenting as multiple bridges.

Everything feeds through properly so that you can bring KVM guests up on br0 for the default VLAN, br100 for VLAN 100, or br200 for VLAN 200. Adapt as necessary for whatever VLANs you happen to be using.

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      dhcp4: no
      dhcp6: no
    eno2:
      dhcp4: no
      dhcp6: no
  vlans:
    br0.100:
      link: br0
      id: 100
    br0.200:
      link: br0
      id: 200
  bridges:
    br0:
      interfaces:
        - eno1
        - eno2
      dhcp4: no
      dhcp6: no
      addresses: [ 10.0.0.2/24 ]
      gateway4: 10.0.0.1
      nameservers:
        addresses: [ 8.8.8.8,1.1.1.1 ]
    br100:
      interfaces:
        - br0.100
      dhcp4: no
      dhcp6: no
      addresses: [ 10.0.100.1/24 ]
    br200:
      interfaces:
        - br0.200
      dhcp4: no
      dhcp6: no
      addresses: [ 10.0.200.1/24 ]
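
The wiring in this file is easy to get subtly wrong when adapting it to other VLANs, so here is a small consistency check, added as an example and not part of the original post. `lint_netplan` and `host_addressed_bridges` are hypothetical names, and `SAMPLE` is the config above retyped as the dict that `yaml.safe_load` would return for its `network:` key.

```python
def lint_netplan(network):
    """Return a list of wiring problems in the VLAN/bridge topology."""
    vlans = network.get("vlans", {})
    bridges = network.get("bridges", {})
    defined = set(network.get("ethernets", {})) | set(vlans) | set(bridges)
    problems, seen, owner = [], {}, {}
    for name, v in vlans.items():
        vid, link = v.get("id"), v.get("link")
        if not isinstance(vid, int) or not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN id {vid!r} outside 1-4094")
        if link not in defined:
            problems.append(f"{name}: link {link!r} is not a defined device")
        if (link, vid) in seen:  # two VLAN devices claiming the same tag on one parent
            problems.append(f"{name}: duplicates {seen[(link, vid)]} (same link and id)")
        seen.setdefault((link, vid), name)
    for br, b in bridges.items():
        for member in b.get("interfaces", []):
            if member not in defined:
                problems.append(f"{br}: member {member!r} is not a defined device")
            if member in owner:  # an interface can be enslaved to only one bridge
                problems.append(f"{member}: enslaved to both {owner[member]} and {br}")
            owner.setdefault(member, br)
    return problems


def host_addressed_bridges(network):
    """Bridges where the host itself holds an IP, so guests there can reach it."""
    return sorted(br for br, b in network.get("bridges", {}).items()
                  if b.get("addresses"))


# Constructed sample: the article's config as a parsed mapping.
SAMPLE = {
    "ethernets": {"eno1": {"dhcp4": False}, "eno2": {"dhcp4": False}},
    "vlans": {"br0.100": {"link": "br0", "id": 100},
              "br0.200": {"link": "br0", "id": 200}},
    "bridges": {
        "br0": {"interfaces": ["eno1", "eno2"], "addresses": ["10.0.0.2/24"]},
        "br100": {"interfaces": ["br0.100"], "addresses": ["10.0.100.1/24"]},
        "br200": {"interfaces": ["br0.200"], "addresses": ["10.0.200.1/24"]},
    },
}

if __name__ == "__main__":
    print(lint_netplan(SAMPLE) or "topology is consistent")
    print("host has addresses on:", host_addressed_bridges(SAMPLE))
```

The second function lists every bridge on which the host is directly addressable from attached guests, which is worth reviewing when the VLANs are meant to isolate guests from the hypervisor.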

Published by

Jim Salter

Mercenary sysadmin, open source advocate, and frotzer of the jim-jam.

6 thoughts on “VLANs with KVM guests on Ubuntu 18.04 / netplan”

  1. Just wanted to say thank you for posting this! I’ve been banging my head on this for the past few hours and this helped me sort out my issues. 🙂

  2. Thanks for sharing this! I’ve been a little puzzled as to how to configure netplan with VLANs for my KVM box in 18.04, and this did the trick.

  3. Thanks a lot for sharing this. Agree it is very difficult to find useful info on netplan.
    This was exactly what I needed to set up my pfSense (guest) on Ubuntu (host) with KVM. Below is my config.

    vlans:
      vlan10:
        accept-ra: no
        id: 10
        link: br-lan0
    bridges:
      br-wan:
        interfaces: [eth1]
        dhcp4: no
        dhcp6: no
        parameters:
          stp: false
      br-lan0:
        interfaces: [eth0]
        dhcp4: no
        dhcp6: no
        parameters:
          stp: false
      br-lan10:
        interfaces: [vlan10]
        addresses: [192.168.10.10/24]
        gateway4: 192.168.10.1
        nameservers:
          addresses: [192.168.10.1]
        parameters:
          stp: false

  4. Hey Jim, I always have trouble in Ubuntu using KVM with a bridge network. The problem is that the VMs can’t reach the network, only the host; they don’t get DHCP, etc.

    To fix it I have to set the following configuration in sysctl.

    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 1

    From my understanding this makes the bridge's incoming and outgoing packets skip iptables. The problem is that if I set these values in the sysctl configuration, it doesn’t work, because at boot, when sysctl is loaded, the bridge hasn’t been created and therefore it ignores that part of the configuration. To solve this, every time the host boots, I have to call `sysctl -p /etc/sysctl.d/bridge.conf` and then it works.

    So I wanted to ask you how you deal with this; I’m guessing I’m configuring something wrong.

    Here’s an article that talks about it: https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

    One recommended solution is a udev rule to call sysctl once the bridge device shows up.

    Any help appreciated. I enjoy all the Jupiter Broadcasting podcasts you show up on! And now 2.5 Admins!

  5. Hi,

    Thanks for posting.
    Is it possible to leave br0 without an IP? I am connecting the server to switches with a dot1q trunk, so the default VLAN will not work.

    bridges:
      br0:
        interfaces:
          - eno1
          - eno2

  6. Thank you for this. It is very useful.

    So, if I understood this correctly, everything that is on br0 only (10.0.0.2/24) is untagged or part of a native VLAN, and everything which comes in as br0.100 (10.0.100.1/24) or br0.200 (10.0.200.1/24) is VLANs 100 and 200 respectively, correct?
    Will the guests see the three bridges as three separate interfaces which are available?
    And my last question is, does the host need to have IPs in all the VLANs, or could the address fields be left empty for the guests to get their own IPs, in these VLANs, but not the host?
