IPv6 SLAAC (autoconfig) for "management" only ?

[vom513]

Kind of hard to make a succinct title for what I'm trying to ask.

I have my PVE with vmbr0 and a static IPv4. I use this for management. None of my other vmbr*'s have any IPs at all (they are pure layer 2 for guests). I do have RAs coming in these VLANs as I have multiple segments here.

I see in the config, there doesn't seem to be a way to say auto/SLAAC. It seems like the GUI just wants a static address for IPv6.

I do know how to set this in /etc/network/interfaces. However with setting nothing, I noticed a random vmbr interface was configuring a SLAAC address from that VLAN.

Is there a way to lock this down to just SLAAC on vmbr0 ? So far the behavior of IPv6 on PVE itself seems kind of all over the place.

Should I manually put:

iface vmbr0 inet6 auto ??

Or do I need to fool with sysctl and turn off RA reception on all except vmbr0 ?

Thanks in advance for any info.

 

[encryptedserver]

You are right about using iface vmbr0 inet6 auto in your interface file and you have to accept RA net.ipv6.conf.vmbr0.accept_ra=2 in your sysctl.conf file

I wrote a blog post for using IPv6 in Proxmox. https://saudiqbal.github.io/Proxmox/proxmox-IPv6-interface-setup-DHCPv6-or-static.html

 

[vom513]

You are right about using iface vmbr0 inet6 auto in your interface file and you have to accept RA net.ipv6.conf.vmbr0.accept_ra=2 in your sysctl.conf file

I wrote a blog post for using IPv6 in Proxmox. https://saudiqbal.github.io/Proxmox/proxmox-IPv6-interface-setup-DHCPv6-or-static.html

Thanks for the reply. After posting this I also found this:

https://forum.proxmox.com/threads/ipv6-address-on-all-interfaces.122790/

Seems like the same thing I'm hitting as well.

Edit: the sysctls didn't seem to work for me. I appreciate your blog post but it seems that's for static and DHCP only (not SLAAC).

Also accept_ra=2 is really only for if your machine is also a router (ipv6 forwarding). A value of 1 should work in this case.

For now I just have it disabled on everything except loopback.

I tried disabling ipv6 globally (i.e. via GRUB config) but It seems like there is a constant spam in the logs about ip6tables with this config:

Feb 18 11:32:29 pve01 pve-firewall[1294]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Feb 18 11:32:40 pve01 pve-firewall[1294]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Feb 18 11:32:49 pve01 pve-firewall[1294]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Feb 18 11:32:59 pve01 pve-firewall[1294]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Feb 18 11:33:09 pve01 pve-firewall[1294]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Feb 18 11:33:19 pve01 pve-firewall[1294]: status update error: iptables_restore_cmdlist: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

So I reverted that and am just using the sysctls. Seems like the log spam has stopped now.

I'm guessing multiple vmbr's receiving RAs from different subnets/segments isn't something the Proxmox team has tested. Hopefully one day there will be some knobs to more elegantly control this.