Proxmox intermediate

Proxmox Networking: VLANs, Bridges, and Best Practices

A practical reference guide to configuring networking on Proxmox VE — Linux bridges, VLAN-aware bridges, bonds, and common patterns for homelab and production.

May 30, 2026

Proxmox VE networking is built on Linux bridges. Understanding bridges and VLANs is critical before deploying VMs and containers — a wrong bridge config can isolate VMs from your network or expose them unintentionally.

This reference covers the networking models you’ll actually use, with /etc/network/interfaces examples for each.

The Default Bridge (vmbr0)

A fresh Proxmox install creates one bridge (vmbr0) attached to your physical NIC. It bridges VMs directly onto your LAN:

Physical NIC (enp2s0) → vmbr0 → VMs (MAC addresses appear on LAN)

# /etc/network/interfaces — default
auto lo
iface lo inet loopback

auto enp2s0
iface enp2s0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0

When to use: Single subnet, no VLANs. VMs get IPs from your LAN’s DHCP or static assignments.

VLAN-Aware Bridge

Enable VLAN filtering on a bridge so it tags and untags traffic. A single bridge can serve multiple VLANs without creating separate bridge interfaces per VLAN.

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

Then, on each VM, set the VLAN Tag in the Proxmox web UI (under VM → Hardware → Network Device). The bridge handles the tagging.

Per-VLAN Management IP

Proxmox can have an IP on each VLAN for management:

auto vmbr0.10
iface vmbr0.10 inet static
    address 10.0.10.1/24
# VLAN 10 management interface

This creates a VLAN interface on the host itself for admin access to that VLAN.

Dedicated Bridge per VLAN (Non-VLAN-Aware)

Some environments prefer separate bridges per VLAN. This is explicit and easy to read but creates more interfaces:

# Management VLAN (10)
auto vmbr10
iface vmbr10 inet static
    address 10.0.10.1/24
    bridge-ports enp2s0.10
    bridge-stp off
    bridge-fd 0

# DMZ VLAN (20)
auto vmbr20
iface vmbr20 inet static
    address 10.0.20.1/24
    bridge-ports enp2s0.20
    bridge-stp off
    bridge-fd 0

# IoT VLAN (30)
auto vmbr30
iface vmbr30 inet static
    address 10.0.30.1/24
    bridge-ports enp2s0.30
    bridge-stp off
    bridge-fd 0

When to use: Mixed environments where some VMs should not share a bridge. More explicit — but more config to maintain.

Internal-Only Bridge (No Physical NIC)

For container-to-container communication without touching the physical network:

auto vmbr99
iface vmbr99 inet static
    address 172.16.0.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

VMs on this bridge can communicate with each other and with the host, but not with the LAN. Useful for database backends, Redis, or microservice isolation.

Bonding (LACP / Round Robin)

If your server has multiple NICs, bonding provides redundancy and increased throughput:

auto bond0
iface bond0 inet manual
    bond-slaves enp2s0 enp3s0
    bond-mode 802.3ad        # LACP (requires switch support)
    bond-miimon 100
    bond-downdelay 200
    bond-updelay 200
    bond-xmit-hash-policy layer2+3

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.10/24
    gateway 192.168.1.1
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

Bond Modes

Mode	Name	Description
`0`	balance-rr	Round robin across all slaves
`1`	active-backup	One slave active; failover if it dies
`4`	802.3ad	LACP — requires switch support; best for throughput
`5`	balance-tlb	Outgoing load balance; no switch support needed
`6`	balance-alb	Receive + transmit load balance

802.3ad (LACP) is the go-to for managed switches. For unmanaged switches, active-backup (mode 1) is the safest.

Applying Changes

After editing /etc/network/interfaces:

ifreload -a    # Applies changes without reboot (ifupdown2 required)

Or the traditional way:

ifreload vmbr0

Wait for connectivity to return before closing your SSH session. Proxmox ships ifupdown2 by default.

Common Patterns

Homelab with VLAN Segmentation

                ┌─────────┐
                │ Router  │
                │ (VLANs) │
                └────┬────┘
                     │ Trunk (all VLANs)
                ┌────┴────┐
                │ Proxmox │ vmbr0 (VLAN-aware)
                │  Host   │
                └─────────┘
        ┌─────────┬─────────┬─────────┐
     VLAN 10   VLAN 20   VLAN 30   VLAN 99
   Management   DMZ      IoT       Internal

auto vmbr0
iface vmbr0 inet static
    address 10.0.10.2/24
    gateway 10.0.10.1
    bridge-ports enp2s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 10,20,30,99

Proxmox as Router (OPNsense/pfSense VM)

# WAN bridge — passes through to OPNsense
auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp3s0
    bridge-stp off
    bridge-fd 0

# LAN bridge — managed by OPNsense
auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0

The OPNsense VM gets both bridges — vmbr1 as WAN, vmbr2 as LAN. Other VMs connect to vmbr2 and get routed through OPNsense.

Isolated Lab Environment

auto vmbr100
iface vmbr100 inet static
    address 10.99.99.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

# Enable NAT so lab VMs can reach internet through the host
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s 10.99.99.0/24 -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 10.99.99.0/24 -o vmbr0 -j MASQUERADE

Troubleshooting

# View bridge members
bridge vlan show
bridge link show

# Check VLAN config per bridge
cat /proc/net/vlan/config

# Verify firewall isn't blocking (Proxmox firewall runs at bridge level)
iptables -L -n -v | grep vmbr

# Check switch port VLAN config (if using physical switches)
# Ensure the switch port is a trunk, not an access port

Common issues:

Switch port is in access mode not trunk → VLAN tags get stripped
bridge-vids doesn’t include the VLAN ID you’re using
Forgetting to set VLAN on the VM’s network device in Proxmox UI
Proxmox firewall blocking inter-VLAN traffic (check Datacenter → Firewall)

Summary

Scenario	Bridge Type
Single LAN, no VLANs	Standard `vmbr0`
Multiple VLANs on one NIC	VLAN-aware `vmbr0`
Complex VLAN setup, per-VLAN isolation	Dedicated bridges (`vmbr10`, `vmbr20`…)
Internal communication only	`bridge-ports none`
High availability	Bond + VLAN-aware bridge
Proxmox as router (OPNsense VM)	Separate WAN/LAN bridges
Isolated lab	Internal bridge + NAT

Apply with ifreload -a, test connectivity before logging out, and always keep a spare out-of-band access path (console, IPMI) when experimenting with networking changes.

Need help designing your Proxmox network? Contact us — we’ll help you plan a secure, scalable layout.