After getting the basic Proxmox cluster running, the next step was network segmentation. Running everything on a flat network is fine until you have IoT devices, a NAS with sensitive data, and guest WiFi all sharing the same broadcast domain.
Why VLANs
VLANs give you logical separation without extra hardware. One physical NIC can carry multiple isolated networks. A managed switch tags the traffic, and Proxmox’s Linux bridge handles the rest.
The Layout
I settled on four VLANs:
- VLAN 10 — Management (Proxmox UI, SSH, IPMI)
- VLAN 20 — Services (Traefik, Gitea, monitoring)
- VLAN 30 — IoT (sensors, smart home devices)
- VLAN 40 — Guest (WiFi guests, no access to internal services)
Proxmox Bridge Configuration
The key insight: you create a VLAN-aware bridge, not separate bridges per VLAN. In /etc/network/interfaces:
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp1s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 10 20 30 40

# The host's own address lives on the tagged management VLAN,
# not on the untagged bridge itself
auto vmbr0.10
iface vmbr0.10 inet static
    address 10.0.10.1/24
    # gateway <pfSense address on VLAN 10>
Each VM or container gets assigned a VLAN tag in its network config. No extra bridges needed.
Firewall Rules
pfSense sits at the gateway and handles inter-VLAN routing. The rules are simple:
- VLAN 10 can reach everything (management)
- VLAN 20 can reach the internet and VLAN 10 for DNS
- VLAN 30 can reach the internet only (no lateral movement)
- VLAN 40 can reach the internet only, rate-limited
Gotchas
The biggest mistake was forgetting that the management interface itself needs to be on a tagged VLAN. I locked myself out of the Proxmox UI for 20 minutes until I connected a monitor directly.
Also: make sure your switch actually supports 802.1Q. Some “smart” switches only support port-based VLANs, which is not the same thing.
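As an added example (not from the original post), a small Python pre-flight check to run before applying /etc/network/interfaces: it parses the file and flags the slips that cause the lockout above, a VLAN missing from bridge-vids or the host address sitting on the untagged bridge instead of a tagged vmbr0.10 sub-interface. The sample file is constructed, and the vmbr0.10 naming and the expected VLAN set (taken from the layout above) are assumptions.

```python
# Constructed sample, not a real file: VLAN 40 is missing and the address is on the bare bridge.
SAMPLE_INTERFACES = """\
auto vmbr0
iface vmbr0 inet static
    address 10.0.10.1/24
    bridge-ports enp1s0
    bridge-vlan-aware yes
    bridge-vids 10 20 30
"""

def parse_interfaces(text):
    """Return {iface name: {option: value}} for every 'iface' stanza in the file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        key, rest = (line.split(None, 1) + [""])[:2]
        if key == "iface":                            # 'iface NAME FAMILY METHOD'
            current = stanzas.setdefault(rest.split()[0], {})
        elif key in ("auto", "allow-hotplug", "source", "source-directory"):
            current = None                            # top-level keywords end a stanza
        elif current is not None:
            current[key] = rest
    return stanzas

def expand_vids(spec):
    vids = set()                                      # '10 20 30-32' -> {10,20,30,31,32}
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids

def check_bridge(text, bridge="vmbr0", expected_vids=(10, 20, 30, 40), mgmt_vid=10):
    """Return a list of problems; an empty list means the file matches the layout."""
    stanzas = parse_interfaces(text)
    br = stanzas.get(bridge, {})
    problems = []
    if br.get("bridge-vlan-aware", "no").lower() not in ("yes", "on", "1"):
        problems.append(f"{bridge}: bridge-vlan-aware is not enabled")
    missing = sorted(set(expected_vids) - expand_vids(br.get("bridge-vids", "")))
    if missing:
        problems.append(f"{bridge}: bridge-vids lacks VLANs {missing}")
    mgmt = f"{bridge}.{mgmt_vid}"                     # tagged management sub-interface
    if "address" in br:
        problems.append(f"{bridge}: address on the untagged bridge; move it to {mgmt}")
    if "address" not in stanzas.get(mgmt, {}):
        problems.append(f"{mgmt}: no address, so management VLAN {mgmt_vid} is unreachable")
    return problems
```

Run it against the real file with `check_bridge(open("/etc/network/interfaces").read())` and only reload the network when it returns an empty list.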
Result
Four isolated networks, one physical NIC per node, no performance penalty. The IoT devices can’t see the NAS, guests can’t see anything internal, and I can still manage everything from VLAN 10.