How to reattach VM tap interfaces to SDN bridges in Proxmox VE

    When an ifdown/ifup operation is performed on a Proxmox SDN bridge, all member interfaces — including VM tap devices — are removed from the bridge. When the bridge comes back up with ifup, only interfaces defined in /etc/network/interfaces.d/sdn are re-added (such as VXLAN tunnels). VM tap interfaces are added dynamically by the pve-bridge script when a VM starts, not by the SDN configuration. If VMs remain running during the operation, their tap interfaces become orphaned and the VMs lose network connectivity.

    This article describes how to identify the issue and reattach tap interfaces to their corresponding bridges without restarting the virtual machines.

    Symptoms

    • All VMs on the node lose network connectivity simultaneously.
    • VMs are still running (not stopped or crashed).
    • Tap interfaces exist but are not associated with any bridge.
    • The issue occurs immediately after an ifdown/ifup or ifreload operation on SDN bridges.

    Diagnosis

    Verify that the tap interfaces exist but have no bridge assigned:

    ip link show | grep tap

    Verify that the SDN bridge has no tap interfaces as members:

    bridge link show

    If the output of the second command shows no tap interfaces (such as tap100i0, tap101i0, etc.) associated with the bridge, the interfaces are orphaned.

    Solution

    Run the following command as root on the affected Proxmox node. The command iterates all running VMs, reads each VM's network configuration, and reattaches its tap interface to the corresponding bridge:

    for vmid in $(qm list | awk 'NR>1 {print $1}'); do
  bridge=$(qm config "$vmid" 2>/dev/null | grep "^net0" | grep -o "bridge=[a-z0-9]*" | cut -d= -f2)
  iface="tap${vmid}i0"
  if [ -n "$bridge" ] && ip link show "$iface" &>/dev/null; then
    ip link set "$iface" master "$bridge"
  fi
done

    Warning: This command only reattaches the net0 interface of each VM. If VMs use multiple network interfaces (net1, net2, etc.), the command must be extended to iterate those additional interfaces.

    After running the script, verify that tap interfaces appear again as bridge members:

    bridge link show

    Prevention

    Avoid running ifdown/ifup directly on SDN bridges when VMs are running on the node. Consider the following alternatives:

    • Use ifreload -a: This command is designed to preserve member interfaces where possible, reducing the risk of disconnection.
    • Migrate VMs before reconfiguring: For planned changes, live-migrate VMs to another node before modifying the bridge configuration.
    • Prepare the reattach command: If ifdown/ifup is unavoidable, have the command ready to run immediately after the operation.
    Published