Proxmox Pulse
Networking, VLANs & Security Hardening

Proxmox SDN: Configure Zones, VNets, and Subnets

Master Proxmox VE Software Defined Networking to build cluster-wide virtual networks with zones, VNets, and built-in DHCP — no manual bridge editing required.

Proxmox Pulse Proxmox Pulse
8 min read
proxmox SDN networking VNet DHCP
Glowing futuristic network topology with hexagonal zones and flowing data streams
On this page

Proxmox VE's Software Defined Networking (SDN) has quietly become one of the most powerful — and underutilized — features in the platform. If you're still creating Linux bridges and manually editing network configs on each node, SDN will fundamentally change how you think about VM networking.

Introduced as stable in Proxmox VE 7.3 and significantly improved through VE 8 and 9, SDN lets you define virtual networks at the datacenter level and push them cluster-wide from the web interface. No more SSH-ing into individual nodes to add bridges. No more inconsistent configs across a multi-node setup.

What Is Proxmox SDN and Why Should You Use It?

Traditional Proxmox networking is node-local — you create a bridge like vmbr0 on each node separately, and VMs attach to it. This works fine for a single node, but becomes a maintenance headache in a cluster.

SDN abstracts network definitions to the datacenter level. You define a Zone, create VNets inside it, optionally configure Subnets with integrated DHCP, and Proxmox provisions the correct bridge on every node in your cluster automatically when you apply the config.

Key benefits include:

  • Cluster-wide consistency — define once, applied everywhere
  • Integrated DHCP server — automatic IP assignment without a separate DHCP box
  • Multiple zone types — Simple, VLAN, QinQ, VXLAN, and EVPN
  • No manual bridge management — Proxmox creates and removes bridges automatically
  • Web UI driven — full configuration from the Proxmox interface, no CLI required

For homelab and small cluster setups, the Simple and VLAN zone types cover 95% of use cases. VXLAN and EVPN are designed for multi-site overlays and advanced datacenter scenarios.

Prerequisites: Enabling SDN on Proxmox

SDN requires a couple of packages that may not be present on older Proxmox installations, particularly the ifupdown2 package that replaces traditional ifupdown.

Install Required Packages

SSH into your Proxmox node or use the Shell in the web UI:

apt update
apt install -y libpve-network-perl ifupdown2

The ifupdown2 package is what enables SDN's hot-reload capability — it applies network config changes without requiring a full reboot. After installation, verify it's active:

ifupdown2 --version

Find SDN in the Web UI

SDN configuration lives under Datacenter → SDN in the left sidebar. If you don't see this menu after installing the packages, do a hard refresh in your browser (Ctrl+Shift+R).

You'll see three tabs: Zones, VNets, and Subnets.

Understanding SDN Zone Types

A Zone defines the underlying network technology. Choosing the right zone type is the most important decision in your SDN setup.

Zone Type Best For
Simple Isolated L2 networks with no VLAN tagging
VLAN Mapping to VLANs on your physical switch
QinQ Double-tagged VLANs for ISP/provider scenarios
VXLAN Overlay networks spanning multiple physical sites
EVPN BGP-based distributed L3 routing across sites

For most homelab and small business setups, you'll work with Simple zones for isolated networks (like a dev sandbox or DMZ) and VLAN zones when you need VMs to sit on specific VLANs that exist on your physical switches.

Creating a Simple Zone

A Simple zone creates isolated bridge networks that don't touch your physical network — perfect for internal VM-to-VM communication, test environments, or air-gapped networks.

Via the Web UI:

  1. Go to Datacenter → SDN → Zones
  2. Click Add → Simple
  3. Fill in the fields:
    • ID: homelab-simple (alphanumeric, no spaces)
    • Nodes: Select all nodes that should have this network
    • IPAM: Set to PVE if you want built-in DHCP; None to manage IPs manually
  4. Click Create

Via the CLI:

pvesh create /cluster/sdn/zones \
  --type simple \
  --zone homelab-simple \
  --nodes pve1,pve2

Creating a VLAN Zone

If your physical switches have VLANs configured, a VLAN zone maps those VLANs to VMs across your entire cluster. Every node only needs the physical uplink bridge — Proxmox handles the tagged sub-interfaces.

  1. Go to Datacenter → SDN → Zones → Add → VLAN
  2. Configure:
    • ID: vlan-zone
    • Bridge: vmbr0 (your uplink bridge — must exist on all nodes)
    • Nodes: All cluster nodes
  3. Click Create

The VLAN zone uses your existing vmbr0 as the physical uplink. Proxmox automatically creates tagged sub-interfaces for each VNet you define within this zone.

Creating VNets

A VNet is a virtual network attached to a zone — think of it as a virtual switch segment. VMs connect to VNets exactly like they connect to a bridge, so the workflow is familiar.

Creating a VNet for a Simple Zone:

  1. Go to Datacenter → SDN → VNets → Add
  2. Configure:
    • Name: internal-net
    • Zone: homelab-simple
    • Tag: Leave empty for Simple zones
    • Alias: Optional human-readable label
  3. Click Create

Creating a VNet for a VLAN Zone:

For VLAN zones, the Tag field is what maps this VNet to a specific VLAN ID on your physical switch:

# Create a VNet for VLAN 20 (IoT network)
pvesh create /cluster/sdn/vnets \
  --vnet iot-net \
  --zone vlan-zone \
  --tag 20

# Create a VNet for VLAN 30 (services network)
pvesh create /cluster/sdn/vnets \
  --vnet services-net \
  --zone vlan-zone \
  --tag 30

Configuring Subnets and Built-In DHCP

This is where SDN really pulls ahead of manual bridge management. Proxmox includes an integrated DHCP server powered by dnsmasq — define a Subnet and VMs on that VNet get IP addresses automatically.

Enable IPAM on the Zone First

IPAM (IP Address Management) must be enabled before you can create subnets with DHCP. Edit your zone:

  1. Datacenter → SDN → Zones → select zone → Edit
  2. Set IPAM to PVE
  3. Save

Create a Subnet:

  1. Go to Datacenter → SDN → Subnets → Add
  2. Configure:
    • Subnet: 192.168.100.0/24
    • VNet: internal-net
    • Gateway: 192.168.100.1
    • DHCP ranges: 192.168.100.100-192.168.100.200
    • DNS server: 1.1.1.1 or your local resolver
  3. Click Create
# CLI equivalent
pvesh create /cluster/sdn/vnets/internal-net/subnets \
  --subnet 192.168.100.0/24 \
  --gateway 192.168.100.1 \
  --dhcp-range start-address=192.168.100.100,end-address=192.168.100.200

Proxmox automatically configures dnsmasq on each node in the zone. VMs requesting DHCP on internal-net receive addresses from the defined range — no separate DHCP server required.

Applying SDN Configuration

Every change to zones, VNets, or subnets is staged until you explicitly apply it. This push-to-nodes step is what actually reconfigures the network interfaces across your cluster.

In the web UI, click the Apply button at the top of the SDN section and watch the task log to confirm it completes on all nodes.

# Apply via CLI
pvesh set /cluster/sdn --apply

Verify the bridges were created on the node:

ip link show | grep vnbr
# You'll see entries like vnbr100 created automatically by Proxmox

Connecting VMs and Containers to VNets

Once SDN is applied, your VNets appear in the same Bridge dropdown you already know from normal VM and LXC creation — no new workflow to learn.

New VMs:

  1. During VM creation, go to the Network tab
  2. In the Bridge dropdown, select your VNet (e.g., internal-net)
  3. Click Add

Existing VMs:

  1. Select the VM → Hardware tab
  2. Double-click the network device
  3. Change the Bridge to your SDN VNet

The process is identical for LXC containers — the Network tab in container settings shows the same VNet options.

A Real-World SDN Layout for Homelabs

Here's a practical SDN structure that gives you solid network segmentation without over-engineering:

Zones:
├── vlan-zone (VLAN, uplink: vmbr0)
│   ├── VNet: home-lan    (VLAN 10 → 192.168.10.0/24)
│   ├── VNet: iot-net     (VLAN 20 → 192.168.20.0/24)
│   └── VNet: services    (VLAN 30 → 192.168.30.0/24)
└── isolated-zone (Simple)
    └── VNet: dev-sandbox  (10.0.0.0/24, no gateway)

This gives you:

  • home-lan: Main LAN VMs, same segment as your trusted devices
  • iot-net: Isolated IoT devices, blocked from reaching home-lan at the switch level
  • services: Self-hosted services accessible from home-lan
  • dev-sandbox: Completely isolated lab — no internet, no cross-talk

Troubleshooting Common SDN Issues

VNet doesn't appear in the VM bridge dropdown:

  • Confirm you clicked Apply after creating the VNet
  • Check that the zone has the current node listed under Nodes
  • Restart the proxy: systemctl restart pveproxy

DHCP not handing out addresses:

  • Verify dnsmasq is running: systemctl status dnsmasq
  • Confirm the zone has IPAM set to PVE, not None
  • Check that the gateway IP doesn't conflict with an existing interface

Apply fails with a network error:

  • Confirm ifupdown2 is installed on all nodes in the zone
  • Check /var/log/syslog for the specific error
  • For VLAN zones, verify the uplink bridge exists on all nodes

Cluster nodes show different SDN state:

# Force apply on a specific node
pvesh set /cluster/sdn --apply
pvecm status

Conclusion

Proxmox SDN is one of those features that sounds complex but makes your life significantly simpler once you understand the three-layer model: Zones define the technology, VNets are the virtual switches, and Subnets handle IP management. Once that clicks, the whole system is intuitive.

Start with a single Simple zone and one VNet — create it, configure a subnet with DHCP, apply, and connect a test VM. Once you've done that once and seen it work, you'll immediately see how to build out a full network segmentation strategy without touching a single bridge config file manually.

Share
Proxmox Pulse

Written by

Proxmox Pulse

Sysadmin-driven guides for getting the most out of Proxmox VE in production and homelab environments.

Related Articles

View all →