About IPset and limiting IP use not working for IPv6

[lll]

Hi, currently one of my vlan is having IPv6 /48. I am currently assigning VM a /64 subnet and set that subnet to the IPset field. But when I add another IP outside that /64 (but within the same /48) to the guest os. It's still able to use that and I could ssh into the VM. Is it possible to fix that VM to only use the /64 I've assigned? Am I missing anything?

Here's the screenshot of the settings.

IP assigned by cloud-init:


IPset settings:


IP able to use (qemu guest agent output):


*P.s. no worries on the IP exposure, it's just a testing vm.

 

[spirit]

simply use the 2001:470:f809::/48 in ipset ?

 

[lll]

simply use the 2001:470:f809::/48 in ipset ?

Thanks for the reply, but I'm hoping that the VM should only able to access its own /64. As example, the image one is assigned 2001:470:f809::54/64. I want it to only access this IP. But currently it's able to get access to 2001:470:f809::64/64 by manually setting that IP in the guest OS

 

[spirit]

oh ok.

can you send the result of "ipset save" ?

 

[lll]

oh ok.

can you send the result of "ipset save" ?

You mean in the console? Nothing is showing after entering ipset save

 

[spirit]

You mean in the console? Nothing is showing after entering ipset save

yes, on the proxmox host. if you don't have result for ipset-save or iptables save , that mean than firewall rules are not generated.

do you have enabled firewall ? (at datacenter level && on vm firewall options)

# pve-firewall status ?

 

[lll]

yes, on the proxmox host. if you don't have result for ipset-save or iptables save , that mean than firewall rules are not generated.

do you have enabled firewall ? (at datacenter level && on vm firewall options)

# pve-firewall status ?

The response is kind of confusing

 

[spirit]

service is running, but firewall is disabled. (you need to enable firewall in datacenter firewall options)