[SOLVED] How do you set up ipv6 with ipv4 nat?

[blucobalt]

auto eth0
iface eth0 inet static
        address --
        gateway --

auto eth0
iface eth0 inet6 static
        address --/64
        gateway fe80::1

auto vmbr0
iface vmbr0 inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.0.2:443
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.0.2:443
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to 10.0.0.2:10000
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to 10.0.0.2:10000
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20000 -j DNAT --to 10.0.0.2:20000
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 20000 -j DNAT --to 10.0.0.2:20000
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.2:25
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.2:25
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to 10.0.0.2:587
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 587 -j DNAT --to 10.0.0.2:587
        post-up iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to 10.0.0.2:993
        post-down iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to 10.0.0.2:993

This is how I currently have my network set up on a contabo vps. From contabo, I have a single ipv4 and a /64 ipv6 block to do as I please. How can I set up ipv6 for my vms? I don't really care if it's an ip per vm or if its the ::1 (public ip of the host) just nat'd to each vm like it is with ipv4 currently.

 

[gurubert]

How is that /64 routed to your host?

 

[blucobalt]

This is the information i have:

• The IP
• The fact that it is /64 and i have that range to do with as i please
• The upstream gateway is fe80::1

 

[gurubert]

The "upstream gateway" needs to route the /64 that is assigned to you.
What is the nexthop IP of the /64 there?
Do you have any other IP address on your "external" gateway facing interface? The config only shows "--/64" which is not a valid IPv6 address.

 

[blucobalt]

Besides the public ipv6 of the host, it has a link local address as well. The --/64 was only for a little bit of privacy; in the interface file I have the actual ip written out.
Running a traceroute6 to google.com it looks like the first hop is 2605:a141::b.

 

[gurubert]

the public ipv6 of the host,

Is this IPv6 address within the /64 network you got assigned or is the /64 routed via that address?

In the second case you just can configure the /64 on vmbr0 and have your VMs take addresses from that network. Proxmox is then acting as router, when "net.ipv6.conf.all.forwarding" is set to 1. You can change that in /etc/sysctl.conf and apply it with sysctl -p /etc/sysctl.conf.

You should also enable the Proxmox firewall and have IPv6 rules there.

 

[blucobalt]

Yes, the ip on the interface is the ::1 of the /64.

 

[gurubert]

the ip on the interface is the ::1 of the /64

Then your /64 is just routed to the external network. You need another bridge on eth0 so that the VMs can have an interface in the IPv6 /64 network.

 

[blucobalt]

The problem is that I don't have any bridges on eth0, as I only have one public ipv4 address. In the config I posted, I just routed all the traffic to and from the internal 10.0.0.0/24 network on vmbr0. If I try to add a bridge on eth0, I can't because it already has an address assigned.

 

[gurubert]

You can move the IP addresses from eth0 to the new bridge where eth0 will become a port. The activation of that config change should run seamlessly.

 

[blucobalt]

this is how I was able to get it working yesterday:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
        address [PUBLIC IP]/[NET]
        gateway [PUBLIC IP GATEWAY]
        address 10.0.0.1/24
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0

        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o vmbr0 -j MASQUERADE
        post-up iptables -t nat -A PREROUTING -d [PUBLIC IP] -p tcp --dport [FORWARDED PORT] -j DNAT --to [VM]:[FORWARDED PORT]
        post-down iptables -t nat -D PREROUTING -d [PUBLIC IP] -p tcp --dport [FORWARDED PORT] -j DNAT --to [VM]:[FORWARDED PORT]
     

iface vmbr0 inet6 static
        address [PUBLIC IPV6]/[IPV6 NET]
        gateway [IPV6 GATEWAY]
        bridge-ports eth0
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Now, with this, I was able to give each vm/container a 10.0.0.0/24 address (setting the gateway as 10.0.0.1) and a publically routable ipv6 address from the net on the host (setting the gateway as the public ipv6 of the host). After setting all the firewall rules, I know have each vm with proper ipv4 nat and a public ipv6.