lxc container IPv6, how to ensure eui-64 (privext 0)?

olivluca

Nov 26, 2024
I just activated IPv6 on my network and I see that, in spite of not configuring IPv6 (i.e. leaving IPv6 as static with IPv6/Cidr None) my containers (debian 13) still get IPv6 addresses with SLAAC and it seems they use eui-64.
I like that because my ISP assigns a dynamic prefix (so I cannot use static IPv6 addresses) and this way I can just allow traffic to the static suffix (the router being openwrt running in a virtual machine) and change the dns to point to the new address (using the ddns service of openwrt), however I'd like that to be by design and not by chance.
Toggling between IPv6 static/none and SLAAC only removes or adds the line "iface eth0 inet6 auto" to /etc/network/interfaces (I guess debian uses SLAAC even without this line) but I don't know how to add the line "privext 0" so I'm sure the suffix only depends on the (static) mac address.
Forgive me if it's a stupid question, I'm still trying to familiarize myself with IPv6.
 
Hey :)

If you set it to 'Static' in the GUI, you have to manually enter an address, and Proxmox writes exactly that into the interfaces file. Otherwise, if left blank or set to SLAAC, Debian's kernel just handles it automatically using Router Advertisements from OpenWrt.

Example for static entry:
iface eth0 inet6 static
address 2003:f6...::10/64

So you can set it to SLAAC in the GUI, or just leave IPv6 set to None (which leaves the config blank, but Debian's kernel will still pick up the Router Advertisements on its own).

You sadly can't edit the /etc/network/interfaces directly, as it gets reset on every reboot.

But as long as you do not edit the MAC, the IPv6 will update with the ISP prefix automatically (SLAAC).
It is predictable, with eui-64:

- Take the MAC: bc:24:11:f6:f0:3d
- Split it in the middle: bc:24:11 and f6:f0:3d
- Insert ff:fe in the gap: bc:24:11:ff:fe:f6:f0:3d
- Flip that 7th bit: be:24:11:ff:fe:f6:f0:3d

Result: XXXX:XX:XXX:XXXX:be24:11ff:fef6:f03d
XXXX:XX:XXX:XXXX: => ISP Prefix

But you can also use the link local address for such things.
This will be generated anyway, regardless of what mode you pick.
Basically the same as before but the ISP prefix is always fe80:: => which you should use in a local network anyway.

Alternatively, if you want a setup that survives MAC address changes and handles DNS automatically, I'd strongly recommend using a DHCPv6 server instead. If you combine that with OpenWrt's "Register hostname in DNS" setting, you can always access your containers by their hostnames. Because let's be honest... remembering IPv6 addresses sucks!
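
The EUI-64 steps listed in the post above, as an added Python example that is not part of the original thread: it derives the interface identifier from a MAC and flags any address on an interface whose low 64 bits do not match it. The function names and the `2001:db8:...` documentation prefixes are assumptions standing in for the ISP prefix; the address list is constructed sample data in the form printed by `ip -6 addr show dev eth0`.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (steps from the post)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit (0x02 of the first octet), insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address SLAAC yields for this /64 prefix when the suffix is EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return net[eui64_interface_id(mac)]

def has_eui64_suffix(addr: str, mac: str) -> bool:
    """True if the low 64 bits of addr (with or without /len) are the MAC's EUI-64."""
    ip = ipaddress.IPv6Interface(addr).ip
    return int(ip) & (2**64 - 1) == eui64_interface_id(mac)

def non_eui64_addresses(addrs, mac):
    """Addresses whose suffix does NOT depend only on the MAC."""
    return [a for a in addrs if not has_eui64_suffix(a, mac)]

if __name__ == "__main__":
    mac = "bc:24:11:f6:f0:3d"  # MAC used in the post
    # Constructed sample: two EUI-64 addresses and one randomised suffix.
    sample = [
        "2001:db8:1:2:be24:11ff:fef6:f03d/64",
        "fe80::be24:11ff:fef6:f03d/64",
        "2001:db8:1:2:5c1a:9e07:44d2:8b13/64",
    ]
    print("expected:", slaac_address("2001:db8:1:2::/64", mac))
    # The suffix survives a prefix change, which is what a suffix-only firewall rule relies on.
    print("new prefix:", slaac_address("2001:db8:aa:bb::/64", mac))
    for a in non_eui64_addresses(sample, mac):
        print("not derived from the MAC:", a)
```
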
 
Thank you, I'm fine with SLAAC as long as it's guaranteed to use eui-64. I couldn't find where it is documented, actually I think I read somewhere that by default debian uses the privacy extension. Edit: I read it here: A solution to this are IPv6 privacy extensions (which Debian enables by default if IPv6 connectivity is detected during initial installation).
In the internal dns I already put the ULA so resolution inside my network doesn't depend on the isp, but I also need to update the external dns (this is my mail server) and that's why I need it to be stable: I have a firewall rule that only matches the suffix and the ddns service uses the prefix (detected when it changes) plus the stable prefix. I prefer to manage the ddns on the router so I don't need to be constantly polling in the container to check if the address changed.
 
Not sure if the privacy extension applies to containers. It says that it activates it automatically during initial installation; containers are being deployed over the template, so no installer could configure it (unless the template contains it).

At least for me the suffix always stayed the same; before I answered I checked on a few of my debian containers and they all stayed the same after reboots.