IPv6-address on all interfaces

SnejPro

Feb 28, 2022
Hi,

I have a Proxmox machine with six NICs, each with its own vmbr.

I have set IPv4/IPv6 addresses only on one vmbr because this is the managing vmbr. The other NICs/vmbrs are only for VMs with different networks.

IPv4: Everything worked as expected; none of the other vmbrs got an IPv4 address.
IPv6: Here, all vmbrs got IPv6 addresses, even though I did not set IPv6 addresses in System > Network. This is a problem because the hypervisor must not be reachable on networks other than the management network.

I solved this via sysctl:

Code:
# /etc/sysctl.d/80-local.conf

# Disable IPv6 and RA on all interfaces
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_ra = 0

# Enable IPv6 on Loopback/vmbr0 and RA on vmbr0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.vmbr0.disable_ipv6 = 0
net.ipv6.conf.vmbr0.accept_ra = 1

Suggestion: It would be great if it's possible to disable IPv6 for the host per interface.
 
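An added example (not part of the original post and not Proxmox tooling) for checking the effect of the sysctl file above: a POSIX shell function that walks the per-interface IPv6 sysctl tree and lists every entry outside an allow-list that still has IPv6 enabled. The function name `ipv6_exposed`, the output format and the allow-list `lo vmbr0` are assumptions of this example.

```sh
#!/bin/sh
# Audit the effective per-interface IPv6 state (added example).
# Usage on a host: sh audit-ipv6.sh lo vmbr0
#   arguments = interfaces that are allowed to keep IPv6.

# ipv6_exposed ROOT ALLOWED...
#   ROOT is the sysctl directory (/proc/sys/net/ipv6/conf on a live host).
#   Prints one line per non-allowed entry whose disable_ipv6 is not 1.
#   Returns 0 if nothing is exposed, 1 otherwise.
ipv6_exposed() {
    root=$1; shift
    allowed=" $* "
    found=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        ifname=${dir##*/}
        # "all" is skipped: the per-interface entries show the effective
        # state. "default" is checked like an interface because it is the
        # template for interfaces created later (e.g. when a VM starts).
        [ "$ifname" = all ] && continue
        case $allowed in *" $ifname "*) continue ;; esac
        dis=$(cat "$dir/disable_ipv6" 2>/dev/null) || dis=unknown
        # disable_ipv6=1 means no IPv6 at all, not even an fe80:: address.
        [ "$dis" = 1 ] && continue
        # accept_ra: 0 = ignore RAs, 1 = accept unless forwarding is on,
        # 2 = accept even with forwarding enabled.
        ra=$(cat "$dir/accept_ra" 2>/dev/null) || ra=unknown
        echo "$ifname disable_ipv6=$dis accept_ra=$ra"
        found=1
    done
    return "$found"
}

# Only audit the live system when an allow-list is given on the command line.
if [ "$#" -gt 0 ]; then
    ipv6_exposed /proc/sys/net/ipv6/conf "$@"
fi
```

A non-zero exit status means at least one interface outside the allow-list can still hold an IPv6 address, so the script can be used as a boot-time or monitoring check.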
If you mean the fe80::.... (MAC address + fffe in the middle): that is a non-usable address meant for the network access layer.
It is strictly non-routable, link-local, and ALL interfaces have them.

To use them you need to be on the same segment as that interface (mostly a router) and use it like: curl https://[fe80:......%interface-on-localsystem]:8006/ ....

Did you consider using the PVE firewall (in the cluster) to only allow access on port 8006 on vmbr0?
 
No, all interfaces got IPv6 addresses via Router Advertisement. And the hypervisor should not be reachable in all subnets it is providing for the VMs.
Yes, using the firewall is a possible solution. But I feel better when the hypervisor only gets the IPs it really needs.
 
Hi,
what you could do is globally disable IPv6 via your sysctl configs and allow it via post-up hooks only on the bridge where you want IPv6 addresses to be assigned. Although, this does not differ very much from what you already did. It just moves it to the network config.

Same for possible firewall rules. Filter IPv6 ICMP and IPv6 traffic and create exceptions for the interfaces where you actually want to allow it.

Do you have suggestions for how to improve handling for this?
 
Yeah, for me, I'm fine with my config above.
But it would be great if the settings I made (or other settings with a similar effect) could be done in the web interface.

For example: With this config, my server should be reachable only via vmbr0. Right now the server does not receive an IPv4 address on the other interfaces, but it does receive an IPv6 address if router advertisement is active.

What I like with my config is that the other interfaces don't even bind link-local addresses. So these interfaces are completely unavailable for other devices in the same network.
 
Might be an interesting feature, although some details probably need clarification, like how to handle already assigned addresses when disabling IPv6.

Would you be willing to open a feature request on https://bugzilla.proxmox.com/ for this?
 
