[SOLVED] How do you set up ipv6 with ipv4 nat?

blucobalt

Jun 2, 2023
Code:
auto eth0
iface eth0 inet static
        address --
        gateway --

auto eth0
iface eth0 inet6 static
        address --/64
        gateway fe80::1

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.0.2:443
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.0.2:443
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to 10.0.0.2:10000
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to 10.0.0.2:10000
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20000 -j DNAT --to 10.0.0.2:20000
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 20000 -j DNAT --to 10.0.0.2:20000
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.2:25
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.2:25
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to 10.0.0.2:587
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to 10.0.0.2:587
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to 10.0.0.2:993
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to 10.0.0.2:993

This is how I currently have my network set up on a Contabo VPS. From Contabo, I have a single IPv4 and a /64 IPv6 block to do as I please. How can I set up IPv6 for my VMs? I don't really care if it's an IP per VM or if it's the ::1 (public IP of the host) just NAT'd to each VM like it is with IPv4 currently.
 
This is the information I have:
  • The IP
  • The fact that it is /64 and I have that range to do with as I please
  • The upstream gateway is fe80::1
 
The "upstream gateway" needs to route the /64 that is assigned to you.
What is the nexthop IP of the /64 there?
Do you have any other IP address on your "external" gateway facing interface? The config only shows "--/64" which is not a valid IPv6 address.
 
Besides the public IPv6 of the host, it has a link-local address as well. The --/64 was only for a little bit of privacy; in the interface file I have the actual IP written out.
Running a traceroute6 to google.com, it looks like the first hop is 2605:a141::b.
 
the public ipv6 of the host,
Is this IPv6 address within the /64 network you got assigned or is the /64 routed via that address?

In the second case you can just configure the /64 on vmbr0 and have your VMs take addresses from that network. Proxmox is then acting as a router when "net.ipv6.conf.all.forwarding" is set to 1. You can change that in /etc/sysctl.conf and apply it with sysctl -p /etc/sysctl.conf.

You should also enable the Proxmox firewall and have IPv6 rules there.
 
The problem is that I don't have any bridges on eth0, as I only have one public IPv4 address. In the config I posted, I just routed all the traffic to and from the internal 10.0.0.0/24 network on vmbr0. If I try to add a bridge on eth0, I can't because it already has an address assigned.
 
This is how I was able to get it working yesterday:
Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address [PUBLIC IP]/[NET]
        gateway [PUBLIC IP GATEWAY]
        address 10.0.0.1/24
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -d [PUBLIC IP] -p tcp --dport [FORWARDED PORT] -j DNAT --to [VM]:[FORWARDED PORT]
        post-down iptables -t nat -D PREROUTING -d [PUBLIC IP] -p tcp --dport [FORWARDED PORT] -j DNAT --to [VM]:[FORWARDED PORT]
     

iface vmbr0 inet6 static
        address [PUBLIC IPV6]/[IPV6 NET]
        gateway [IPV6 GATEWAY]
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Now, with this, I was able to give each VM/container a 10.0.0.0/24 address (setting the gateway as 10.0.0.1) and a publicly routable IPv6 address from the net on the host (setting the gateway as the public IPv6 of the host). After setting all the firewall rules, I now have each VM with proper IPv4 NAT and a public IPv6.
 
Reactions: gurubert
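
An added example, not part of any post in this thread: with IPv4 NAT only the DNAT'd ports reach a VM, while a public IPv6 address exposes every listener unless a firewall rule filters it. This sketch compares the thread's IPv4 forwards with a constructed `ss -H -tln` sample from the VM to list ports that only became reachable over IPv6; the function names and the `2001:db8::2` address are assumptions for illustration.

```python
import ipaddress
import re

# IPv4 forwards from the first config in this thread (post-up lines only).
DNAT_LINES = "\n".join(
    f"post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport {p} "
    f"-j DNAT --to 10.0.0.2:{p}" for p in (80, 443, 10000, 20000, 25, 587, 993))

# Constructed `ss -H -tln` output from the VM; 2001:db8::2 is a placeholder.
SS_SAMPLE = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 *:25 *:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 244 [2001:db8::2]:5432 [::]:*
"""

DNAT_RE = re.compile(r"^\s*post-up .*-A PREROUTING\b.*--dport \d+ -j DNAT --to (\S+):(\d+)")

def forwarded_ports(interfaces_text, vm_ip):
    """VM-side TCP ports that the IPv4 DNAT rules expose on vm_ip."""
    hits = (DNAT_RE.search(line) for line in interfaces_text.splitlines())
    return {int(m.group(2)) for m in hits if m and m.group(1) == vm_ip}

def ipv6_listeners(ss_text):
    """Ports listening on an address reachable over routed IPv6."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if host != "*":  # "*" is a dual-stack wildcard socket
            m = re.match(r"\[([0-9a-fA-F:]+)\]", host)
            if not m:
                continue  # IPv4-only listener
            addr = ipaddress.ip_address(m.group(1))
            if addr.is_loopback or addr.is_link_local:
                continue
        ports.add(int(port))
    return ports

def newly_exposed(interfaces_text, vm_ip, ss_text):
    """Listeners reachable over IPv6 that NAT never forwarded over IPv4."""
    return sorted(ipv6_listeners(ss_text) - forwarded_ports(interfaces_text, vm_ip))

print(newly_exposed(DNAT_LINES, "10.0.0.2", SS_SAMPLE))
```

Each port it reports needs an explicit allow or drop decision in the IPv6 firewall rules, since the IPv4 NAT setup never had to make one.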
