Setting up a home lab or a production environment for Kubernetes often requires network segmentation. Using VLANs (Virtual LANs) allows you to isolate your K8s traffic from your general house or office traffic.

In this guide, we will configure a MikroTik Router to trunk two VLANs (100 and 300) over a single cable to a Proxmox host, specifically optimized for automated provisioning and security.

Why Isolate Kubernetes Traffic?

Isolating Kubernetes into its own VLAN (like VLAN 300) isn’t just about tidiness; it’s a security and operational necessity:

  • Broadcast Storm Prevention: Kubernetes clusters (and CNI plugins such as Calico or Flannel) generate a lot of east-west traffic between nodes. Keeping it in its own Layer 2 domain stops that noise from reaching your “Home” or “Work” devices.
  • Security (Blast Radius): If a container is compromised, a dedicated VLAN gives the router a boundary it can filter on, so an attacker cannot simply scan your personal devices on other VLANs.
  • PXE Booting Requirements: PXE relies on DHCP broadcasts to find a boot server. In a “flat” network, your K8s nodes might take a “normal” lease from your home router instead of the PXE instructions (next-server and boot file) intended for cluster deployment.

Part 1: MikroTik Configuration

1. Create the VLAN and DHCP (with PXE)

# Create the VLAN interface on the bridge. ether2 is a tagged member of the
# bridge (see step 3), so with bridge VLAN filtering the Layer 3 VLAN interface
# must sit on the bridge itself, not on the physical port.
/interface vlan add interface=bridge name=vlan300-k8s vlan-id=300

# Set the Gateway IP
/ip address add address=192.168.30.1/24 interface=vlan300-k8s

# DHCP with PXE Options (next-server is your TFTP/PXE boot server,
# boot-file-name is the file the PXE ROM requests from it)
/ip pool add name=k8s-pool ranges=192.168.30.10-192.168.30.200
/ip dhcp-server network add address=192.168.30.0/24 boot-file-name=pxelinux.0 dns-server=1.1.1.1 gateway=192.168.30.1 next-server=192.168.30.5
/ip dhcp-server add address-pool=k8s-pool interface=vlan300-k8s name=dhcp-k8s disabled=no

  • MTU Consistency: If you use a CNI like Calico with VXLAN, you may need to adjust your MTU settings to account for the encapsulation overhead.
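To make the PXE part of that DHCP configuration concrete, here is an added example (not code from the original guide or from MikroTik) that encodes and decodes a DHCPOFFER the way a PXE-aware server sends it, so you can see where next-server and boot-file-name land on the wire: next-server fills the BOOTP siaddr field and boot-file-name the 128-byte file field, with options 66/67 carrying copies (which copies a given server fills is an assumption; servers differ). The MAC, transaction id and the second “flat home network” offer are constructed for the demo; the 192.168.30.x values are the guide’s.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed part, 236 bytes


def _ip(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed


def build_offer(xid, client_mac, your_ip, server_ip, next_server, boot_file,
                router, dns, mask="255.255.255.0", lease=600) -> bytes:
    """Encode a DHCPOFFER. next_server goes into the siaddr field and
    boot_file into the 128-byte 'file' field; when set they are also copied
    into options 66/67 (assumption: which copies a real server fills varies)."""
    header = struct.pack(
        BOOTP_HEADER,
        2, 1, 6, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,             # transaction id, secs, flags (broadcast bit)
        b"\0" * 4,                  # ciaddr
        _ip(your_ip),               # yiaddr: the address being offered
        _ip(next_server),           # siaddr: "next-server", TFTP host for the boot file
        b"\0" * 4,                  # giaddr (no relay)
        client_mac.ljust(16, b"\0"),           # chaddr
        b"\0" * 64,                            # sname
        boot_file.encode().ljust(128, b"\0"),  # file: "boot-file-name"
    )
    opts = [
        bytes([53, 1, 2]),                          # 53: message type = OFFER
        bytes([54, 4]) + _ip(server_ip),            # 54: server identifier
        bytes([51, 4]) + struct.pack("!I", lease),  # 51: lease time
        bytes([1, 4]) + _ip(mask),                  # 1: subnet mask
        bytes([3, 4]) + _ip(router),                # 3: default gateway
        bytes([6, 4]) + _ip(dns),                   # 6: DNS server
    ]
    if next_server != "0.0.0.0":
        opts.append(bytes([66, len(next_server)]) + next_server.encode())
    if boot_file:
        opts.append(bytes([67, len(boot_file)]) + boot_file.encode())
    opts.append(b"\xff")                            # end option
    return header + MAGIC_COOKIE + b"".join(opts)


def parse_offer(pkt: bytes) -> dict:
    """Decode the fields a PXE ROM looks at, plus the raw option map."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    f = struct.unpack(BOOTP_HEADER, pkt[:236])
    options = {}
    i = 240
    while i < len(pkt) and pkt[i] != 255:   # 255 = end option
        if pkt[i] == 0:                       # 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "xid": f[4],
        "your_ip": str(ipaddress.IPv4Address(f[8])),
        "next_server": str(ipaddress.IPv4Address(f[9])),
        "boot_file": f[13].rstrip(b"\0").decode(),
        "options": options,
    }


def pxe_boot_target(offer: dict):
    """(tftp_server, filename) if the offer carries PXE instructions, else None.
    An offer from an ordinary home router has siaddr 0.0.0.0 and no file,
    which is the 'flat network' failure the text describes."""
    server = offer["next_server"]
    filename = offer["boot_file"] or offer["options"].get(67, b"").decode()
    if server == "0.0.0.0" or not filename:
        return None
    return server, filename


# Constructed sample offers: one from the VLAN 300 DHCP server configured
# above, one from a hypothetical flat home network (192.168.1.0/24 is made up).
CLIENT_MAC = bytes.fromhex("bc2411aabbcc")
K8S_OFFER = build_offer(0x1234ABCD, CLIENT_MAC, "192.168.30.10", "192.168.30.1",
                        "192.168.30.5", "pxelinux.0", "192.168.30.1", "1.1.1.1")
FLAT_OFFER = build_offer(0x1234ABCD, CLIENT_MAC, "192.168.1.50", "192.168.1.1",
                         "0.0.0.0", "", "192.168.1.1", "192.168.1.1")

if __name__ == "__main__":
    for name, pkt in (("VLAN 300 offer", K8S_OFFER), ("flat-network offer", FLAT_OFFER)):
        print(name, "->", pxe_boot_target(parse_offer(pkt)))
```

Run it and the VLAN 300 offer yields (192.168.30.5, pxelinux.0) while the flat-network offer yields None, which is precisely why a node that answers the wrong DHCP server never boots: the lease is valid, but there is nothing to fetch.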

2. Firewall Isolation (Best Practices)

We want a “One-Way Mirror” effect: You can manage the K8s nodes from your PC, but the K8s nodes cannot touch your PC or the Router’s settings.

/ip firewall filter
# 1. Allow established/related traffic. Rules are evaluated top to bottom, so this
#    must come first: it lets the nodes receive replies from the internet AND lets
#    replies to your PC's management sessions pass back through rule 2.
add action=accept chain=forward connection-state=established,related

# 2. Block K8s VLAN from reaching other internal subnets (Management VLAN 100).
#    Only the WAN uplink is allowed as an exit; out-interface=!ether1-WAN negates
#    the match, so a separate out-interface-list is not needed.
add action=drop chain=forward in-interface=vlan300-k8s out-interface=!ether1-WAN

# 3. Block K8s VLAN from accessing the Router's Login Page/SSH/WinBox
#    (DHCP and DNS on the input chain are still allowed)
add action=drop chain=input in-interface=vlan300-k8s dst-port=22,80,443,8291 protocol=tcp
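Because RouterOS applies the first matching rule and accepts anything no rule matches, the order of those three rules is what produces the one-way mirror. The following is an added example (not from the original guide, and not MikroTik code) that models that first-match evaluation in Python and runs the flows the text cares about through it; the management interface name vlan100 is an assumption, since the guide only names vlan300-k8s and ether1-WAN, and the packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    chain: str                      # "forward" (transit) or "input" (to the router)
    in_iface: str
    out_iface: Optional[str] = None
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    state: str = "new"              # "new", "established" or "related"


@dataclass
class Rule:
    chain: str
    action: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None   # "!name" negates, as in RouterOS
    protocol: Optional[str] = None
    dst_ports: tuple = ()
    states: tuple = ()

    def matches(self, p: Packet) -> bool:
        if p.chain != self.chain:
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.out_iface:
            negate = self.out_iface.startswith("!")
            name = self.out_iface.lstrip("!")
            if (p.out_iface == name) == negate:   # equal-and-negated or unequal-and-plain: no match
                return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        if self.states and p.state not in self.states:
            return False
        return True


def verdict(rules, p: Packet) -> str:
    """First matching rule in the packet's chain decides; default is accept."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "accept"


# The three rules from the guide, in the order given.
RULES = [
    Rule("forward", "accept", states=("established", "related")),
    Rule("forward", "drop", in_iface="vlan300-k8s", out_iface="!ether1-WAN"),
    Rule("input", "drop", in_iface="vlan300-k8s", protocol="tcp",
         dst_ports=(22, 80, 443, 8291)),
]


def one_way_mirror(rules) -> dict:
    """Exercise the flows the text describes and return each verdict.
    'vlan100' (management) is an assumed interface name."""
    return {
        "pc_to_node":          verdict(rules, Packet("forward", "vlan100", "vlan300-k8s", dst_port=6443)),
        "node_reply_to_pc":    verdict(rules, Packet("forward", "vlan300-k8s", "vlan100", dst_port=50000, state="established")),
        "node_to_pc_new":      verdict(rules, Packet("forward", "vlan300-k8s", "vlan100", dst_port=445)),
        "node_to_internet":    verdict(rules, Packet("forward", "vlan300-k8s", "ether1-WAN", dst_port=443)),
        "node_to_router_ssh":  verdict(rules, Packet("input", "vlan300-k8s", dst_port=22)),
        "node_dhcp_to_router": verdict(rules, Packet("input", "vlan300-k8s", protocol="udp", dst_port=67)),
    }


if __name__ == "__main__":
    for flow, v in one_way_mirror(RULES).items():
        print(f"{flow:22s} {v}")
    # Swap rules 1 and 2 and the management replies are dropped: order matters.
    print("reordered, node_reply_to_pc:",
          one_way_mirror([RULES[1], RULES[0], RULES[2]])["node_reply_to_pc"])
```

The interesting check is the last one: put the drop rule above the established/related rule and node_reply_to_pc flips to drop, so your SSH session to a node would open and then hang. That is the case to remember when you later add rules with the drag-and-drop ordering in WinBox.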

3. Configure the Bridge Trunk

/interface bridge vlan
# VLAN 300 is tagged toward the Proxmox host (ether2) and toward the bridge
# itself, so the router's vlan300-k8s interface can receive it
add bridge=bridge tagged=ether2,bridge vlan-ids=300
# Add the management VLAN to the same trunk (assumes the VLAN 100 entry already exists)
set [find vlan-ids=100] tagged=ether2,bridge

# Enable VLAN filtering last, once the table above is complete; without it the
# table is ignored, and enabling it before VLAN 100 is listed can cut off management.
/interface bridge set bridge vlan-filtering=yes

Part 2: Proxmox Configuration

1. Enable VLAN Awareness

  1. Navigate to System > Network on your Proxmox node.
  2. Edit vmbr0.
  3. Check the VLAN Aware box and Apply Configuration.

2. Assigning VLANs to VMs

In the Hardware tab of your VM, edit the Network Device and set the VLAN Tag to 300.
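What “tagged” on the MikroTik trunk and “VLAN Tag 300” on the VM actually mean on the wire is a 4-byte 802.1Q header that the VLAN-aware bridge inserts between the source MAC and the EtherType when a frame heads for a tagged port, and strips again when delivering to the VM. The block below is an added example (not code from the original guide, from Proxmox or from MikroTik) that tags, untags and filters frames exactly that way; the frame contents and MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1Q-tagged frame


def is_tagged(frame: bytes) -> bool:
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (what the bridge does on egress to a tagged port).
    Refuses frames that already carry a tag, so no accidental double tagging."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    if is_tagged(frame):
        raise ValueError("frame already carries a VLAN tag")
    tci = (pcp << 13) | vid          # PCP in the top 3 bits, DEI left 0, VID in the low 12
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag (what the bridge does on egress to an untagged/access port)."""
    if not is_tagged(frame):
        return frame
    return frame[:12] + frame[16:]


def vlan_of(frame: bytes):
    """VID carried by the frame, or None if it is untagged."""
    if not is_tagged(frame):
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def trunk_forward(frame: bytes, allowed_vids=(100, 300)):
    """Model the bridge VLAN table for the trunk: only frames tagged with a
    VID in the port's tagged list pass; anything else is discarded."""
    return frame if vlan_of(frame) in allowed_vids else None


# Constructed: a VM on VLAN 300 emits an untagged IPv4 frame (EtherType 0x0800).
VM_FRAME = (bytes.fromhex("bc2411aabbcc")      # dst MAC (constructed)
            + bytes.fromhex("bc2411112233")    # src MAC (constructed)
            + b"\x08\x00"                      # EtherType IPv4
            + b"\x45" + b"\x00" * 19)          # truncated IPv4 header as payload

if __name__ == "__main__":
    on_wire = tag_frame(VM_FRAME, 300)         # Proxmox bridge adds tag 300 toward ether2
    print("VID on trunk:", vlan_of(on_wire))
    print("passes trunk:", trunk_forward(on_wire) is not None)
    print("VID 200 passes trunk:", trunk_forward(tag_frame(VM_FRAME, 200)) is not None)
    print("delivered to router VLAN interface untagged:", untag_frame(on_wire) == VM_FRAME)
```

Note the symmetry with Part 1 step 3: the VM never sees a tag (Proxmox adds and removes it), and a frame the VM might try to send with its own 802.1Q header is already tagged, so a bridge configured this way will not re-tag it onto the trunk.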


Best Practices for K8s Nodes

  • Static Leases: Use the “Make Static” feature in MikroTik for your Control Plane nodes. K8s components like etcd are sensitive to IP changes.
  • MAC Pinning: When using PXE, ensure your Proxmox VM has a manually assigned MAC address so your deployment server consistently identifies the node.

Summary Table

VLAN | Purpose    | Gateway      | Access Level
100  | Management | 192.168.10.1 | Full Access
300  | K8s / PXE  | 192.168.30.1 | Internet Only (Isolated)