Hmm. I thought this would be pretty simple. And maybe it is. But all the information is cloudy and unclear.

My home network is set up as my "main LAN" is VLAN 100. These are real routed IPs, and on some physical ports are untagged/retagged at the port (so the device connected is not VLAN aware). Then I have an IOT VLAN on 107 and a Guest VLAN on 666.

My "infrastructure" is VLAN 1 and/or untagged? Is that a sensible thing to say?

My plan was to have my proxmox's web UI on the infrastructure VLAN only, then use VLAN bridging to point (where needed) individual VLANs to specific VMs on the box. And probably to add another VLAN (maybe 123) for "hosting", which is publicly accessible ingress (w/firewalling naturally).

But I cannot get the proxmox to "sit" on VLAN 1 for its admin UI, with VLAN bridging on.

And all the docs just cloudily say "avoid VLAN 1". No further explanation.

I've now gotten access to the ProxMox web UI, by simply forcing

auto vmbr0
iface vmbr0 inet dhcp

and setting that switchport to an access port on my "real IP" VLAN 100.

This has then picked up an address via DHCP successfully. But there seems to be no obvious way of even inspecting network config from within the web interface.

This is, yet again, a pain of "self hosting". And to go back to @neil's point ... it is never, ever, "*JUST*" self host.

wait it seems to be working now, at least.... i can now access the Proxmox web interface, on a management IP, via a port that passes VLANs....
i have no idea why it didn't work initially then

Well a bit more progress.

I have two VMs running on my Proxmox (whose web interface is still accessible on its VLAN1 RFC1918 address hard coded).

The two VMs: One is an HAOS, running on my "real" IPv4 network accessible internally.

And the other is a Debian VM, DHCPing on VLAN123 from a pool explicitly only for public hosting purposes. I have not set up routing on that block yet, but it's DHCPing on the real block (numerically).

So that is ... some progress. Might pause now for sleep.

It occurs to me that this evening I have poked/altered config on:

My main router (FB6000)
My main switch (Ubiquiti)
My main desktop (Mac, installed Balena Etcher)
My BeeLink mini PC (installed proxmox)
A VM on the above (HAOS)
A second VM also (Debian)

All in a short few hours, all to get a proxmox sitting on a VLAN aware port, with differing VLANs/subnets to different VMs, retaining management on VLAN1.

Have not even started configuring HA or Debian for mastodon hosting duties yet.

@bloor I've never really trusted VLANs, there's no real separation.

Yes, I'm old.

@bloor @neil vlan 1 is almost always advised against for the simple reason that so many devices capable of dot1q assume their default vlan is 1. This makes for all manner of fuckery when adding new devices.

I use 1001 for mgmt, then got caught out by Cisco's reservation of 1002-4 for legacy stuff. Having coded up everything for automation I had to go back and rejig everything manually to 1012,3,4 etc.

I think my home network may be too complicated!

@bloor Oh! The “avoid VLAN 1” had me scratching my head, too.

The best explanation I could come to is that it's the default that unconfigured devices will use.

Meaning that any new device you (or anyone) add to your network will be... in your management VLAN?

@bloor vlan 1 is not untagged vlan; it really depends on the switch implementation and most get it wrong.

If you want to use vlans, ensure you don’t try to use vlan1 anywhere; either use tagged traffic for all vlans or untagged traffic and mark the port as “native” to whatever vlan you need (eg 100)
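
An added example, not part of the thread or of anyone's post: a small Python check that applies the replies' advice (keep management off VLAN 1 and off the implicit untagged VLAN) to an ifupdown-style `/etc/network/interfaces` file. The sample config, the interface name `eno1` and the addresses are constructed, and the three rules are this example's own assumptions about what to flag.

```python
import re
# Constructed sample in ifupdown syntax (the format Proxmox uses); not from the thread.
SAMPLE = """\
iface vmbr0 inet dhcp
    bridge-ports eno1
    bridge-vlan-aware yes
    bridge-vids 1-4094

iface vmbr0.1 inet static
    address 192.0.2.10/24
"""

def parse_stanzas(text):
    """Map each iface name to its address method and indented options."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = stanzas.setdefault(words[1], {"method": words[3]})
        elif words[0] in ("auto", "allow-hotplug", "source"):
            current = None  # these lines end the previous stanza
        elif current is not None:
            current[words[0]] = " ".join(words[1:])
    return stanzas

def vids_include(spec, vid):
    """True if a bridge-vids value such as '2-4094' or '100 107' covers vid."""
    ranges = (part.partition("-") for part in spec.split())
    return any(int(lo) <= vid <= int(hi or lo) for lo, _, hi in ranges)

def audit(text):
    """Return (interface, finding) pairs for VLAN 1 / native-VLAN exposure."""
    findings = []
    for name, opts in parse_stanzas(text).items():
        has_ip = opts["method"] in ("static", "dhcp")
        sub = re.fullmatch(r".+\.(\d+)", name)  # e.g. vmbr0.100 -> VLAN 100
        if sub and has_ip and int(sub.group(1)) == 1:
            findings.append((name, "host address on VLAN 1"))
        if opts.get("bridge-vlan-aware") == "yes":
            if has_ip:
                findings.append((name, "host address rides the port's untagged VLAN"))
            if vids_include(opts.get("bridge-vids", ""), 1):
                findings.append((name, "bridge-vids lets guests use VLAN 1"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{i}: {f}" for i, f in audit(SAMPLE)))
```

An address on the bridge itself is only a review item: it is fine when the switch port's native VLAN has been set deliberately, as the last reply describes.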