Firewall VM not reachable via IPv6 on Hetzner

simonszu

Jul 16, 2019
Hi,

I have a problem with setting up the network on one of my servers, located at Hetzner. I want to have an OPNsense VM as a firewall for the other VMs and LXC containers. There is a HAProxy running on this firewall VM as well, and I have made the web frontend reachable from the WAN side for easier configuration.

For setting up IPv4 I have followed https://pratt.is/hetzner-und-proxmox-pfsense-als-gateway/ - this works quite reliably. This is the complete config of the interfaces on the hypervisor: https://pastebin.com/xjcSUYpU

For the IPv6 config I tried Dominic Pratt's way as well, but without success. Currently I have a static IPv6 address on my WAN interface; it is the first IP from the /64 subnet Hetzner gave me. On the LAN end I took another IP from this subnet and set the interface to /64 for SLAAC. As a result, the VMs get a v6 IP and can reach the internet via IPv6.

On the other side I have a problem. Of course I have set up an AAAA record in the DNS to access the firewall. I have also set up some firewall rules so that one can connect to the HAProxy. The proxy itself binds to the address I have set up on the WAN side. Now the problem:

I can ping the firewall via its AAAA record perfectly well from the internet. However, apart from pings, it is not accessible via IPv6 at all: neither the web frontend nor the HAProxy. Access from the LAN side works fine.

What is strange: the firewall has an accept rule for IPv6 traffic from the WAN side. I can see the connection attempts in the firewall log, and they are marked as "Pass". However, I do not see any connection attempts in the HAProxy log. The web frontend isn't accessible either.

Where is my error? Is there a mistake somewhere in my interface config?

I think it isn't HAProxy's fault; it is reachable from the inside (via its WAN IP, though).
It isn't the firewall's fault. It logs the connection as "Pass".
It cannot be due to missing IP forwarding in the hypervisor's kernel, since the VMs can communicate with the internet via IPv6. Strangely, they were able to do so even when I had forgotten to activate net.ipv6.conf.all.forwarding in sysctl.

For information: I am using Proxmox 6, and the LXC containers are a fresh install from a Debian 10 template.

Maybe someone has an idea.
 
Quote from a pinned thread in the German forum (https://forum.proxmox.com/threads/willkommen-im-deutschsprachigen-proxmox-ve-forum.27566/):
"If you do not find or get any answers in the German forum, please search or post in the English forum (in English, of course)."

That's what I did here.