How to enable port forwarding for IPv6

Hi,
That's good news regarding the host being reachable via ipv4 and ipv6!

For the guest - I think a dual approach would work best:
For IPv6:
* add an interface to the container, which is connected to vmbr0
* configure an ip from 2001:bc8:3cc6:101::/64
* set the same gateway as you have on the host itself
For IPv4:
* add a second bridge (vmbr1) to the node, without any bridge_ports
* configure an RFC 1918 address on it, e.g. 192.168.1.1/24
* add an interface to the container connected to vmbr1
* configure an ip from 192.168.1.0/24 on the container
* set 192.168.1.1 as gateway
* add fitting MASQUERADE rules for ipv4 on the node

Test ipv6 first - once this works try ipv4

Hope this helps!
There's a strange behavior: any time I try to set the same ipv6 gateway on the Container it won't take the change and the field stays blank.

I tried to remove the Container interface from the Proxmox GUI and then add it again, but with no success. I also tried to manually edit the Container interfaces file to add the gateway but, after reboot, the change reverts. So I tried to lock the interfaces file (chattr +i /etc/network/interfaces) and, once rebooted, this is the result of trying to ping google:
Code:
nginx  ⌁ root  /etc/nginx  2   ping6 ipv6.google.com
ping: ipv6.google.com: Temporary failure in name resolution

The ipv6 I set on the Container is 2001:bc8:3cc6:101::100/64. I'm able to ping ipv6 on the Container from Proxmox and vice versa.

Where am I wrong?
 
ping: ipv6.google.com: Temporary failure in name resolution
seems there's a problem with DNS - try pinging an ipv6 address:
Code:
;; ANSWER SECTION:
ipv6.google.com.    86399    IN    CNAME    ipv6.l.google.com.
ipv6.l.google.com.    299    IN    AAAA    2a00:1450:4016:808::200e

as for the rewrite of the interfaces file - that happens when you start the container - you need to set both settings in the container config (can be done via GUI) - alternatively you can disable the editing by the PVE-stack by touching the appropriate `.ignore` file - see the reference documentation:
https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_guest_operating_system_configuration
 
I've been able to set the ipv6 gateway on the Container (when it's off it takes the changes) but this is the result:
Code:
 nginx  ⌁ root  /etc/nginx   ping6 2a00:1450:4016:808::200e
PING 2a00:1450:4016:808::200e(2a00:1450:4016:808::200e) 56 data bytes
From 2001:bc8:2bb7:101::100 icmp_seq=1 Destination unreachable: Address unreachable
From 2001:bc8:2bb7:101::100 icmp_seq=2 Destination unreachable: Address unreachable
From 2001:bc8:2bb7:101::100 icmp_seq=3 Destination unreachable: Address unreachable

I also tried to put (as for the Proxmox interfaces file) this:
Code:
pre-up /sbin/sysctl -w net.ipv6.conf.enp1s0f0.accept_ra=2
but nothing changed.
 
Destination unreachable: Address unreachable
seems your routing table does not have a default route - check the output of
* `ip -6 r`
* `ip -6 r get 2001:bc8:2bb7:101::100`

inside the container
 
ip -6 r
Code:
 nginx  ⌁ root  /etc/nginx   ip -6 r
2001:bc8:2bb7:101::/64 dev eth0 proto kernel metric 256  pref medium
fe80::/64 dev eth0 proto kernel metric 256  pref medium
default via fe80::2c8:8bff:fee2:6c45 dev eth0 metric 1024  pref medium

ip -6 r get 2001:bc8:2bb7:101::100
Code:
 nginx  ⌁ root  /etc/nginx   ip -6 r get 2001:bc8:2bb7:101::100
local 2001:bc8:2bb7:101::100 from :: dev lo table local proto kernel src 2001:bc8:2bb7:101::100 metric 0  pref medium
 
sorry - I misread the ping output - the output of:
`ip -6 r get 2a00:1450:4016:808::200e` was what I was looking for
* can you ping the default-gateway:
`ping6 fe80::2c8:8bff:fee2:6c45` or
`ping6 fe80::2c8:8bff:fee2:6c45%eth0`
?

EDIT:
If this doesn't work - try setting the PVE-host as default-gateway -
`2001:bc8:2bb7:101::` - IIRC
 
Code:
ip -6 r get 2a00:1450:4016:808::200e
2a00:1450:4016:808::200e from :: via fe80::2c8:8bff:fee2:6c45 dev eth0 src 2001:bc8:2bb7:101::100 metric 1024  pref medium
I already tried to set the PVE-host as default-gateway ( 2001:bc8:2bb7:101:: ) but it didn't work.
Code:
 nginx  ⌁ root  /etc/nginx   ping6 fe80::2c8:8bff:fee2:6c45
connect: Invalid argument

Code:
 nginx  ⌁ root  /etc/nginx  2   ping6 fe80::2c8:8bff:fee2:6c45%eth0
PING fe80::2c8:8bff:fee2:6c45%eth0(fe80::2c8:8bff:fee2:6c45%eth0) 56 data bytes
From fe80::480e:55ff:fe83:e6e9%eth0 icmp_seq=1 Destination unreachable: Address unreachable
From fe80::480e:55ff:fe83:e6e9%eth0 icmp_seq=2 Destination unreachable: Address unreachable
From fe80::480e:55ff:fe83:e6e9%eth0 icmp_seq=3 Destination unreachable: Address unreachable

My provider confirmed I can use all IPs of the block from 2001:bc8:3cc6:101::0 to 2001:bc8:3cc6:102:ffff:ffff:ffff:ffff (but they say they didn't test it).
 
hmm - right, fe80::480e:55ff:fe83:e6e9 is link-local - so it probably does not traverse over the bridge

hm - to rule out that 2001:bc8:3cc6:101::0 cannot be used, since it's the network-address (as in the ipv4 case) - please configure
2001:bc8:3cc6:101::1/64 on the PVE-node and put 2001:bc8:3cc6:101::1 as default gateway in your container.
 

Thanks, but suddenly the Proxmox ipv6 connection stopped working. My server doesn't support SLAAC, therefore it seems not to be the "fast and easy" operation I thought. So at the moment I decided to give up.
 
I'm here again because my provider solved their issue on the IPv6 internal network. Now it should work but my problem persists. How can I configure my Proxmox server for IPv6?

Here's my Proxmox /etc/network/interfaces:
Bash:
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage part of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

auto lo
iface lo inet loopback

auto enp1s0f1
iface enp1s0f1 inet dhcp

auto enp1s0f0
iface enp1s0f0 inet manual

## Failover IP #1
auto enp1s0f0:0
iface enp1s0f0:0 inet static
        address  52.210.147.20
        netmask  255.255.255.0
        gateway  52.210.147.1

## Failover IP #2
auto enp1s0f0:1
iface enp1s0f0:1 inet static
        address  52.210.147.21
        netmask  255.255.255.0
        gateway  52.210.147.1

auto vmbr0
iface vmbr0 inet static
        address  192.168.1.1
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address  192.168.2.1
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

post-up echo 1 > /proc/sys/net/ipv4/ip_forward

Here's an LXC /etc/network/interfaces:
Bash:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.2.110
        netmask 255.255.255.0
        gateway 192.168.2.1

Here are my iptables rules for IPv4:
Bash:
#############################################################################################
*filter
#############################################################################################
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
####################

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 400/minute --limit-burst 1600 -j ACCEPT
-A INPUT -p icmp -m limit --limit 400/minute --limit-burst 1600 -j ACCEPT
-A INPUT -p tcp --syn -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
-A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 2000/second --limit-burst 2010 -j ACCEPT

### PROXMOX
-A INPUT -p tcp -m tcp --dport 8006 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 68 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
####################
COMMIT

#############################################################################################
*nat
#############################################################################################
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
####################

-A POSTROUTING -s 192.168.1.0/24 -o enp1s0f0 -j SNAT --to-source 52.210.147.20
-A POSTROUTING -s 192.168.2.0/24 -o enp1s0f0 -j SNAT --to-source 52.210.147.21

-A PREROUTING -p tcp -m tcp -d 52.210.147.20 -i enp1s0f0 --dport 80 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp -d 52.210.147.20 -i enp1s0f0 --dport 443 -j DNAT --to-destination 192.168.1.100:443

-A PREROUTING -p tcp -m tcp -i enp1s0f0 --dport 22210 -j DNAT --to-destination 192.168.2.110:22

####################
COMMIT

How can I obtain the same IPv4 result for IPv6?
 
Usually you don't NAT with IPv6 (you do get at least /64 addresses - so there is no need) - try:
* configuring a static IP on your PVE-node
* configuring a static IP on the container
* enable ipv6 forwarding
* try pinging the default gateway - it depends on whether your ISP provides you with one, which is reachable from the container as well, or if they route your network to your main ip-address - that sadly is something that only they can answer

I hope this helps!
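
An added example, not part of the original posts: with routed IPv6 there is no DNAT step, so what is reachable on a container is decided by the node's FORWARD chain. This sketch derives an ip6tables-restore ruleset from the IPv4 DNAT rules quoted in the thread; the IPv4-to-IPv6 container mapping (including `2001:bc8:3cc6:101::110`) and the function name `gen_v6_forward` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: turn the thread's IPv4 DNAT rules into
# ip6tables FORWARD rules for routed (un-NATed) container addresses.
# Forwarding is enabled separately: sysctl -w net.ipv6.conf.all.forwarding=1

UPLINK=enp1s0f0   # uplink NIC name as used in the thread

# Assumption: which IPv6 address each container has. ::100 appears in the
# thread for the nginx container; the ::110 address is constructed.
V6_MAP='192.168.1.100=2001:bc8:3cc6:101::100 192.168.2.110=2001:bc8:3cc6:101::110'

# The three DNAT rules from the IPv4 ruleset posted in the thread.
SAMPLE_DNAT='-A PREROUTING -p tcp -m tcp -d 52.210.147.20 -i enp1s0f0 --dport 80 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp -d 52.210.147.20 -i enp1s0f0 --dport 443 -j DNAT --to-destination 192.168.1.100:443
-A PREROUTING -p tcp -m tcp -i enp1s0f0 --dport 22210 -j DNAT --to-destination 192.168.2.110:22'

# Reads iptables-save style lines on stdin, prints an ip6tables-restore file.
gen_v6_forward() {
  # Default-deny forwarding: without NAT every container address is
  # reachable from outside unless the FORWARD chain says otherwise.
  printf '%s\n' '*filter' ':FORWARD DROP [0:0]' \
    '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A FORWARD -p ipv6-icmp -j ACCEPT' \
    "-A FORWARD ! -i $UPLINK -j ACCEPT"   # connections opened by containers
  awk -v map="$V6_MAP" -v up="$UPLINK" '
    BEGIN { n = split(map, e, " ")
            for (i = 1; i <= n; i++) { split(e[i], kv, "="); v6[kv[1]] = kv[2] } }
    !/-j DNAT/ { next }                    # only port-forward rules matter
    {
      proto = "tcp"; dport = ""; dest = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "--to-destination") dest = $(i + 1)
      }
      # Without NAT the service is reached on its real port, not the mapped one.
      n = split(dest, d, ":"); ip = d[1]; port = (n > 1) ? d[2] : dport
      if (!(ip in v6)) { print "# no IPv6 address mapped for " ip ", nothing opened"; next }
      printf "-A FORWARD -i %s -d %s/128 -p %s -m %s --dport %s -j ACCEPT\n", up, v6[ip], proto, proto, port
    }'
  echo COMMIT
}

printf '%s\n' "$SAMPLE_DNAT" | gen_v6_forward
```

The 22210 to 22 mapping has no equivalent here: the container's SSH port is opened on port 22 of its own address, so any protection that relied on the non-standard port has to come from a source restriction (`-s`) on that rule instead.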
 

So, then how can I route ports on Containers?

Talking about the gateway, my provider says that it will be assigned by DHCPv6 as written here (https://documentation.online.net/en/dedicated-server/network/ipv6/prefix) but my server doesn’t support SLAAC.

I’m a little bit confused...
 
You would get better results using a router.

Since Proxmox isn't built to be the router, you can create a VM to act as one.

I'm doing this; running routerOS inside Proxmox lets me do all this routing stuff and much more!
 

I was thinking about that. Do you think it's the best option? I don't know routerOS, why did you choose that? What about IpCop?
 