NAT + IPv6 for containers on OVH Host with 1 Public IPv4 + IPv6/64

batonac

Renowned Member
Aug 2, 2015
15
5
68
York, PA, USA
avu.nu
Hi, I have a Proxmox host running a dedicated server from OVH. They provide both a single public IPv4 address, and a IPv6/64 block. I'd like to route all the IPv4 traffic from containers on my host through NAT, but set a proper public IPv6 for direct access.

I've succeeded in getting the IPv4 NAT working on a Open-v-switch bridge through an OVS IntPort that's dedicated to the IPv4 traffic, but I can't get the IPv6 addresses working.

Here's what I've done so far.
  1. Configure sysctl with the following settings:
    Code:
    net.ipv4.ip_forward=1
    net.ipv4.conf.nat0.forwarding=1
    net.ipv6.conf.nat0.forwarding=1
    net.ipv6.conf.all.autoconf=0
    net.ipv6.conf.all.accept_ra=0
  2. Set up a custom network configuration file as follows (with public IPs removed):
    Code:
    # network interface settings; autogenerated
    # Please do NOT modify this file directly, unless you know what
    # you're doing.
    #
    # If you want to manage parts of the network configuration manually,
    # please utilize the 'source' or 'source-directory' directives to do
    # so.
    # PVE will preserve these directives, but will NOT read its network
    # configuration from sourced files, so do not attempt to move any of
    # the PVE managed interfaces into external files!
    
    auto lo
    iface lo inet loopback
    iface lo inet6 loopback
    
    auto enp66s0f0
    iface enp66s0f0 inet manual
        ovs_type OVSPort
        ovs_bridge vmbr0
    
    iface enx46b874ef8c98 inet manual
    
    auto nat0
    iface nat0 inet static
        address 10.0.0.1/16
        ovs_type OVSIntPort
        ovs_bridge vmbr0
    
    auto vmbr0
    iface vmbr0 inet static
        address ...
        gateway ...
        ovs_type OVSBridge
        ovs_ports enp66s0f0 nat0
        post-up iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        post-up iptables -A FORWARD -i nat0 -j ACCEPT
        post-up iptables -t nat -A POSTROUTING -o vmbr0 -j MASQUERADE
    
    iface vmbr0 inet6 static
        address ...
        gateway ...
  3. Add firewall rules to allow all incoming traffic to nat0 and vmbr0.
  4. Setup dnsmasq to assign IPv6 addresses to the containers based on the OVH IPv6 block.
As I said, IPv4 works in the containers, IPv6 works on the host, but not the containers. What am I doing wrong?
 
Last edited:
  • Like
Reactions: noko
As it turns out, I'm still struggling with getting the Firewall to allow traffic to the containers with this setup. I'm afraid my solution wasn't a "fresh install" but rather simply neglecting to configure the firewall the second time.
 
Last edited:
Any update related with this?
**This is marked as "SOLVED" but seems it is not solved.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!