Mgmt Lan with SLAAC from a delegate prefix

pxm0x

I am trying to assign an IPv6 address to my management interface.

Code:
iface enp111s0 inet manual
#i210-AT (NO VLAN support)

auto vmbr0
iface vmbr0 inet static
        address 192.168.199.4/24
        gateway 192.168.199.1
        bridge-ports enp111s0
        bridge-stp off
        bridge-fd 0
iface vmbr0 inet6 static
        address fdee::4/64
        accept_ra 2
        bridge-ports enp111s0
        bridge-stp off
        bridge-fd 0
#Mgmt LAN

With this config I can only get an fe80 address and the static fdee IPv6 address. The SLAAC which is working on the network segment for other PCs doesn't get activated.
What can I do to assign a SLAAC IPv6 address to my LAN mgmt address?

I also tried various variants like
Code:
iface vmbr0 inet6 auto
but with no success!
 
Hi,
I'm currently working to implement support in ifupdown2,
as currently it doesn't work with "inet6 static", only "inet6 dhcp".

should be ready in 1 or 2 weeks.

as workaround for now, you can do a "pre-up sysctl -w net.ipv6.conf.vmbr0.accept_ra=2"
 
has this been addressed now in any current release?
 
It's fixed in ifupdown2 3.2 for the coming proxmox8. (I don't know if it will be backported to proxmox7)

I can provide .deb for proxmox7 if you want.
Yes that would be nice. However I can probably not test it until mid June. If Proxmox 8 is out by then it's probably a waste of time.
thx!
 
I've now upgraded to 8.0.4 but still can't get SLAAC to work.
What is the proper config of the interfaces file?
thanks!
 
Obviously I've not yet tried this updated version but I came across another case that should be considered in the network config.

I have to first give a bit of background to make this clear:
I have a box with 6 NICs which obviously runs PVE.
1 NIC port is unused
1 NIC port is linked to vmbr0 which in turn has a static IPv4 address. This interface shall get a SLAAC address. (the previous issue).
4 NIC ports are linked to 4 vmbr(10-13). Originally I had no config set up on these (through the GUI).

However now I found that all of those 4 ports do automatically get SLAAC addresses which is unwanted!

This leads me to the conclusion that SLAAC is most likely only useful if we can assign it per interface. At least in my case the 4 NIC ports are dedicated to a VM running a firewall. So having auto-assigned IP addresses by my ISP on any of those interfaces is definitely unwanted (either through SLAAC, PD or DHCPv6).

I realize it's a bit complicated but I struggle now to find the proper /etc/network/interfaces config for this use case.

As a quick and ugly hack I've now used the GUI to assign an fd:: address to those 4 NIC ports to avoid them getting SLAAC or other IPv6.


I've done some tests and can say for sure that in my setup with /etc/network/interfaces having this statement, I still get a SLAAC IP address!

Code:
iface vmbr10 inet manual
        bridge-ports enp111s0
        bridge-stp off
        bridge-fd 0

and I think that should NOT be the case, right?
 
in proxmox8, currently slaac is working on physical interfaces but not on vmbr bridges. (this is what this patched version is fixing)


slaac is only working if accept_ra=1 && autoconf=1 is set in sysctl.

AFAIK, it's not the default

sysctl -a|grep accept_ra|grep default
net.ipv6.conf.default.accept_ra = 0
sysctl -a|grep autoconf|grep default
net.ipv6.conf.default.autoconf = 0


slaac should only be enabled with
Code:
iface eth0 inet auto

or
Code:
iface eth0 inet manual
     accept_ra 1
     autoconf 0


can you send your /etc/network/interfaces ?

and your last ifupdown2 log from
/var/log/ifupdown2/network_config_ifupdown2_*/
 
If you have been referring to physical interfaces only then I think we have missed each other's point. My config at the top of the thread has my /etc/network/interfaces file shown, which was referencing a vmbr bridge.

I still believe from my observations that version 8 is behaving a bit inconsistently when it comes to vmbr interfaces and IPv6. If they are not supposed to be working (at all) then a warning or statement in the documentation would be helpful.

In my setup it was the default config (by the version 7 installer) to map a physical NIC card interface to a vmbr and then assign the IP address to that vmbr interface. I used this suggested config also for the other 4 interfaces (which anyway should only receive an IP within the VM that they are exclusively assigned to).

if the vmbr is set to manual like this
Code:
iface vmbr10 inet manual
I still get an IPv6 address via SLAAC on that vmbr10 which I think should not be the case, right?
 
as I said, if the default sysctl are 0

sysctl -a|grep accept_ra|grep default
net.ipv6.conf.default.accept_ra = 0
sysctl -a|grep autoconf|grep default
net.ipv6.conf.default.autoconf = 0

you shouldn't receive slaac.

(basically, /etc/network/interfaces is doing sysctl in the background to enable/disable the value.
but if the default value is configured to 1, and no config is present in /etc/network/interfaces, slaac will be enabled.)

ifupdown2 log should show if accept_ra && autoconf are changed or not by ifupdown2.

you can add in /etc/sysctl.conf:

net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.autoconf = 0

to be sure to disable slaac everywhere. (and then enable it on specific interface in /etc/network/interfaces if needed)
 
First, thanks for the update above. It made me rethink the approach and as you suggested makes total sense.
So I disabled IPv6 by default by putting
Code:
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.autoconf = 0
into /etc/sysctl.conf

and then manually enabled IPv6 SLAAC only on the one interface where I wanted it using
Code:
iface vmbr0 inet static
in /etc/network/interfaces

The above works perfectly fine now!


However I did check on both of my Proxmox installations (where one is almost untouched) and both had by default autoconf and accept_ra set to 1 not 0 so by default it seems enabled!

I think this is worth cross checking with others or on a clean version 8 installation because if SLAAC is on by default (as on my systems) and you don't set any IP in the GUI it may still get public IPv6 addresses which may be a security risk that people don't even notice!
 
I have verified, it seems to be enabled by default in the Linux kernel. (I'm disabling it manually with sysctl in my production for security)

Maybe it could make sense to disable it by default in sysctl, it should be discussed with the proxmox developers.
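
The check discussed in this thread, as an added example that is not part of the original posts: a shell audit listing the interfaces (and the `default` template) on which the kernel will currently autoconfigure an address from router advertisements. It goes slightly beyond the thread by also reading `forwarding`, since with accept_ra=1 the kernel ignores RAs when forwarding is on and only accept_ra=2 overrides that; `CONF_ROOT` and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report where the kernel will perform SLAAC.
# CONF_ROOT is an overridable variable (an assumption of this example) so the
# logic can also be run against a constructed directory tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# knob IFACE NAME -> prints the sysctl value, or "?" if it cannot be read
knob() {
    cat "$CONF_ROOT/$1/$2" 2>/dev/null || echo "?"
}

# slaac_state IFACE -> prints on, off or unknown
slaac_state() (
    if [ "$(knob "$1" disable_ipv6)" = 1 ]; then echo off; exit 0; fi
    ra=$(knob "$1" accept_ra); ac=$(knob "$1" autoconf); fwd=$(knob "$1" forwarding)
    case "$ra:$ac:$fwd" in
        *\?*)      echo unknown ;;  # a knob could not be read
        0:*|*:0:*) echo off ;;      # RAs not accepted, or autoconf disabled
        2:*)       echo on ;;       # 2 = accept RAs even when forwarding is on
        1:*:0)     echo on ;;       # 1 = accept RAs only while forwarding is off
        1:*)       echo off ;;      # forwarding on, so RAs are ignored
        *)         echo unknown ;;
    esac
)

# slaac_enabled -> prints the names whose state is "on", space separated.
# "default" is kept: it is the template for interfaces created later
# (for example a new vmbr). The "all" pseudo-entry is skipped.
slaac_enabled() (
    out=""
    for d in "$CONF_ROOT"/*/; do
        [ -d "$d" ] || continue
        i=$(basename "$d")
        if [ "$i" = all ]; then continue; fi
        if [ "$(slaac_state "$i")" = on ]; then out="$out${out:+ }$i"; fi
    done
    echo "$out"
)

# Report for the running system
for n in $(slaac_enabled); do
    echo "SLAAC active: $n (accept_ra=$(knob "$n" accept_ra) autoconf=$(knob "$n" autoconf))"
done
```

Any bridge that appears in the output without a matching entry in /etc/network/interfaces is one that can pick up a routable address unnoticed.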
 
Ok, but I have no contact to anybody there. Are they reading or how would we highlight the issue?
 