Best practice in Proxmox VE 9 is one VLAN-aware bridge (e.g., vmbr0) as a trunk, then tag each VM NIC with the VLAN it should use.

Why one VLAN-aware bridge?
• Simplicity & scale: one trunked bridge carries many VLANs; you just set the VLAN Tag on each VM's NIC.
• Fewer moving parts: easier to manage bonding/LACP and switch configs.
• Works well with the Proxmox firewall and its ipfilter option for per-VM IP enforcement.

Recommended setup
1. Make the main bridge VLAN-aware (UI: Datacenter → Node → System → Network → vmbr0 → Edit → check VLAN aware).
2. Trunk the switch port facing your Proxmox NIC/bond (allow the required VLANs).
3. On each VM NIC, set VLAN Tag to the right VLAN ID. With only a tag set (no trunks= option) the guest's bridge port is an access port: the bridge adds and strips that one tag, and frames the guest tags itself for any other VLAN are dropped, so a guest cannot hop VLANs by tagging its own traffic.

One VLAN-aware bridge (vmbr1) is enough for all my tagged containers:

What makes it work
• Binding to 445: inside an LXC, root holds CAP_NET_BIND_SERVICE within the container's own user namespace, which allows binding to ports below 1024 (such as 445) even when the container is unprivileged.
• Network isolation: the container gets its own network namespace and its own IP, so a listener on 445 inside it never competes with a listener on 445 on the host. The one thing the two must not share is the IP address itself.

Gotchas & fixes
1. Port already in use / same IP: the host and the container cannot both serve 445 on the same IP address. Give the container its own IP (a bridge port with a VLAN tag is fine), or leave it on a private address behind the host and add a DNAT rule on the host that forwards 445 to the container; in the DNAT case the host itself can no longer serve 445 on the forwarded address.
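A socket-level demonstration of gotcha 1, added here as an example (it is not code from the original notes): two listeners in the same network namespace cannot share one (address, port) pair, while a privileged port such as 445 additionally needs CAP_NET_BIND_SERVICE. The conflict part uses an ephemeral port on 127.0.0.1 as a stand-in for 445 so it runs unprivileged; the separate 445 probe reports ok, EACCES or EADDRINUSE depending on whether the calling process holds the capability and whether something already serves 445, which are assumptions about the machine it runs on, not about the page.

```python
"""Socket-level view of the "port already in use / same IP" gotcha.

Added example, not code from the original notes. Inside one network
namespace the second bind() on an (address, port) pair that already has a
listener fails with EADDRINUSE. A container with its own network namespace
and its own IP never competes with the host for the pair, which is why the
fix is "give the container its own IP". Port 445 is a privileged port, so
binding it without CAP_NET_BIND_SERVICE fails with EACCES.
"""
import errno
import socket
from typing import Dict, Optional, Tuple


def try_listen(addr: str, port: int) -> Tuple[str, Optional[socket.socket]]:
    """Try to bind+listen on (addr, port); return ("ok", sock) or (reason, None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))
        sock.listen(1)
        return "ok", sock
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return "EADDRINUSE", None      # another socket in this netns owns the pair
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "EACCES", None          # privileged port, no CAP_NET_BIND_SERVICE
        return f"errno {exc.errno}", None


def same_ip_conflict(addr: str = "127.0.0.1") -> Dict[str, object]:
    """Take an ephemeral port on addr (stand-in for 445), then try the identical pair again."""
    first_status, first = try_listen(addr, 0)
    if first is None:
        raise RuntimeError(f"could not take a listener on {addr}: {first_status}")
    port = first.getsockname()[1]
    second_status, second = try_listen(addr, port)
    for sock in (first, second):
        if sock is not None:
            sock.close()
    return {"addr": addr, "port": port, "first": first_status, "second": second_status}


def privileged_port_check(port: int = 445, addr: str = "127.0.0.1") -> str:
    """Report whether this process may bind a privileged port: ok / EACCES / EADDRINUSE."""
    status, sock = try_listen(addr, port)
    if sock is not None:
        sock.close()                       # release it at once; this is only a probe
    return status


if __name__ == "__main__":
    print(same_ip_conflict())              # second bind on the same pair -> EADDRINUSE
    print("bind 445:", privileged_port_check())
```

Run it on the Proxmox host and then inside the container: the 445 probe answers differently in each network namespace, which is the isolation the notes rely on.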

/etc/network/interfaces

auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094   # added: Proxmox's VLAN-aware bridge examples include this so the tagged VLANs are allowed on the bridge ports

auto vmbr0.10
iface vmbr0.10 inet static
    address 192.168.10.2/24
    gateway 192.168.10.1   # if this is your mgmt VLAN

bridge vlan show

port              vlan-id
enp116s0          1 PVID Egress Untagged
enp117s0          1 PVID Egress Untagged
vmbr0             1 PVID Egress Untagged
vmbr1             1 PVID Egress Untagged
                  30
tap101i0          100 PVID Egress Untagged

172.30.100.20
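The audit below is an added example written for these notes (not Proxmox code and not from the original page). It covers both the recommended setup above and the bridge vlan show output: it parses that output together with the netN lines of qm config / pct config and checks that each guest port (tap<vmid>i<n> for VMs, veth<ctid>i<n> for containers) carries the PVID its guest config asks for. The security point it catches is a guest NIC configured without a tag, which is left on the bridge's default PVID 1, i.e. the trunk's untagged native VLAN. The sample outputs, MAC addresses and guest IDs 101/102 are constructed to mirror the notes; it also handles VLAN ranges such as 2-4094 and container veth ports, which the output above does not show.

```python
"""Audit guest NIC VLAN membership on a VLAN-aware Proxmox bridge.

Added example for these notes; not Proxmox code and not from the original page.
Parses `bridge vlan show` text output plus the netN lines of `qm config` /
`pct config`, then checks every guest port's PVID against the tag the guest
config requests. A guest NIC with no tag sits on PVID 1, the trunk's native
VLAN, which is the misplacement this audit flags.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PortVlans:
    pvid: Optional[int] = None                     # VLAN given to untagged ingress frames
    vlans: Set[int] = field(default_factory=set)   # all VLAN IDs allowed on the port


def parse_bridge_vlan_show(text: str) -> Dict[str, PortVlans]:
    """Parse `bridge vlan show` text output into {port: PortVlans}.

    A port line starts in column 0 ("tap101i0  100 PVID Egress Untagged");
    further VLANs for the same port follow on indented continuation lines
    ("          30"). Ranges such as "2-4094" are expanded.
    """
    ports: Dict[str, PortVlans] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.split()[:2] == ["port", "vlan-id"]:
            continue                                   # blank or header line
        if line[0].isspace():                          # continuation for the current port
            entry = line.strip()
        else:                                          # new port
            parts = line.split(None, 1)
            current = parts[0]
            ports[current] = PortVlans()
            entry = parts[1] if len(parts) > 1 else ""
        if current is None or not entry:
            continue
        tokens = entry.split()
        lo, _, hi = tokens[0].partition("-")
        ports[current].vlans.update(range(int(lo), int(hi or lo) + 1))
        if "PVID" in tokens:
            ports[current].pvid = int(lo)
    return ports


NET_LINE = re.compile(r"^net(\d+):\s*(.+)$")


def expected_tags(guest_id: int, config_text: str, kind: str = "vm") -> Dict[str, Tuple[Optional[str], Optional[int]]]:
    """Map guest port name -> (bridge, tag) from the netN lines of qm/pct config output."""
    prefix = "tap" if kind == "vm" else "veth"        # Proxmox naming: tap<vmid>i<n>, veth<ctid>i<n>
    expected: Dict[str, Tuple[Optional[str], Optional[int]]] = {}
    for line in config_text.splitlines():
        m = NET_LINE.match(line.strip())
        if not m:
            continue
        idx, opts = m.groups()
        kv = dict(p.split("=", 1) for p in opts.split(",") if "=" in p)
        tag = int(kv["tag"]) if "tag" in kv else None
        expected[f"{prefix}{guest_id}i{idx}"] = (kv.get("bridge"), tag)
    return expected


def audit(ports: Dict[str, PortVlans], expected: Dict[str, Tuple[Optional[str], Optional[int]]]) -> List[str]:
    """Return findings; an empty list means every guest port sits on its intended VLAN."""
    findings: List[str] = []
    for iface, (bridge, tag) in expected.items():
        port = ports.get(iface)
        if port is None:
            findings.append(f"{iface}: not on any bridge (guest stopped or NIC hot-unplugged?)")
        elif tag is None:
            findings.append(f"{iface}: no tag in guest config, so it is untagged on {bridge} "
                            f"with PVID {port.pvid}: it sits on the trunk's native VLAN")
        elif port.pvid != tag:
            findings.append(f"{iface}: guest config wants VLAN {tag} but bridge PVID is {port.pvid}")
    return findings


# Constructed sample data (not real captures), shaped like the notes above.
SAMPLE_BRIDGE_VLAN_SHOW = """\
port              vlan-id
enp117s0          1 PVID Egress Untagged
                  2-4094
vmbr0             1 PVID Egress Untagged
vmbr1             1 PVID Egress Untagged
                  30
tap101i0          100 PVID Egress Untagged
veth102i0         1 PVID Egress Untagged
"""
SAMPLE_QM_CONFIG_101 = "net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,tag=100,firewall=1\n"
SAMPLE_PCT_CONFIG_102 = "net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:00:02,ip=dhcp,type=veth\n"


def run_sample() -> List[str]:
    """Audit both sample guests; only the untagged container should be reported."""
    ports = parse_bridge_vlan_show(SAMPLE_BRIDGE_VLAN_SHOW)
    expected = expected_tags(101, SAMPLE_QM_CONFIG_101, "vm")
    expected.update(expected_tags(102, SAMPLE_PCT_CONFIG_102, "ct"))
    return audit(ports, expected)


if __name__ == "__main__":
    for finding in run_sample() or ["all guest ports on their intended VLANs"]:
        print(finding)
```

On a live host, feed it the real outputs (`bridge vlan show`, `qm config <vmid>`, `pct config <ctid>`) instead of the constructed samples; any guest port reported with PVID 1 is sharing the native VLAN with whatever the switch trunk leaves untagged.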

Initial configs

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens18
iface ens18 inet dhcp
# This is an autoconfigured IPv6 interface
iface ens18 inet6 auto

auto lo
iface lo inet loopback

source /etc/network/interfaces.d/*

# Physical NIC, no IP here
allow-hotplug enp117s0
iface enp117s0 inet manual

# VLAN-aware bridge
auto vmbr0
iface vmbr0 inet manual
    bridge-ports enp117s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094   # added: Proxmox's VLAN-aware bridge examples include this so the tagged VLANs are allowed on the bridge ports

# Host management on VLAN 100
auto vmbr0.100
iface vmbr0.100 inet static
    address 192.168.248.2/24   # <- pick your host's IP
    gateway 192.168.248.1
    vlan-raw-device vmbr0