OVH how can I add IPv6 through vRACK vmbr1

[harmonyp]

I use the following configuration connected to vmbr1 to get IPv4 working through OVH vRACK

network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - 51.195.1xx.89/28
            - 2001:41d0:802:8xxx::3/128
            gateway4: 51.195.1xx.94
            gateway6: fe80::1
            match:
                macaddress: ce:bf:ed:79:2c:99
            nameservers:
                addresses:
                - 213.186.33.99
                search: []
            set-name: eth0

vmbr1 is set up with the following on the Proxmox node

auto vmbr1
iface vmbr1 inet static
        address 192.168.0.122/16
        bridge-ports bond1
        bridge-stp off
        bridge-fd 0

An OVH has quoted the following

vRack is a plain l2 network, so nothing special to get IPv6 to work. You however don't have a publicly routable range given to you, so 2 choices for IP addressing: either autconfiguration or use you own addressing in private ULA (fd00::/8)

But how do I configure that exactly so I can use other IPv6 blocks allocated to my other servers. There is no option to add a IPv6 block in OVH vRACK.

 

[harmonyp]

Still trying to get this to work

Node1

IPv4: 51.195.234.xxx/32
IPv6 Block: 2001:41d0:802:4e00::/56
IPv6 Gateway: fe80::1

Node2

IPv4: 51.195.235.xxx/32
IPv6 Block: 2001:41d0:802:4h00::/56
IPv6 Gateway: fe80::1

Inside Node1 the network configuration looks like this

auto lo
iface lo inet loopback


auto enp193s0f0
iface enp193s0f0 inet manual


auto enp133s0f0
iface enp133s0f0 inet manual


auto enp133s0f1
iface enp133s0f1 inet manual


auto enp193s0f1
iface enp193s0f1 inet manual


iface enp9s0f3u2u2c2 inet manual


auto bond0
iface bond0 inet manual
    bond-slaves enp193s0f0 enp193s0f1
    bond-miimon 100
    bond-mode 802.3ad
    bond-xmit-hash-policy layer2+3


auto bond1
iface bond1 inet manual
    bond-slaves enp133s0f0 enp133s0f1
    bond-miimon 100
    bond-mode 802.3ad
    bond-xmit-hash-policy layer2+3


auto vmbr0
iface vmbr0 inet static
    address 51.195.234.xxx/24
    gateway 51.195.234.254
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
post-up ip route add IPv4 Block/27 dev vmbr0
    post-up echo 1 >/proc/sys/net/ipv4/ip_forward


iface vmbr0 inet6 static
    address 2001:41d0:802:4e00::1/128
    gateway fe80::1
    up ip -6 route add 2001:41d0:802:4e00::/56 dev vmbr0


auto vmbr1
iface vmbr1 inet static
    address 192.168.0.122/16
    bridge-ports bond1
    bridge-stp off
    bridge-fd 0

vmbr0 is my nodes public IP address and vmbr1 represents OVH vRACK. IPv4 blocks are working through vmbr1 vRACK with live migration.

The issue I have so far is

1) IPv6 blocks are not currently working/routed to work through vmbr1
2) IPv6 does work through vmbr0 but only on the machine that block is already routed to. If I assign a virtual machine on Node1 2001:41d0:802:4e00::2/128 IP and then live migrate it to Node2 it will stop pinging

Maybe I could split this IPv6 block up into 256 /64 blocks and then route the /64 to each additional OVH server? Not sure what to do.

 

[hvisage]

At present (as on 9 Nov 2021) OVH does NOT provide ROUTABLE (ie. public accessible) IPv6 on the vRack as they do with the /30+ IPv4s attached to the vRack

The only way I am aware of to get IPv6 on the vRack, is to use the public interface of a server, and have that NAT/route to the other VMs/etc. sitting on the vRack side.

In short: Call your sales manager, log support tickets, ask in the community forums, complain on twitter etc. as until there aren't enough need/etc. they'll drag their feets on IPv6 on the vRacks (It is a tad bigger issue, and OVH's network are quite "limited" to be able to cater for things the way they do, so don't expect something soon ;( )

 

[harmonyp]

At present (as on 9 Nov 2021) OVH does NOT provide ROUTABLE (ie. public accessible) IPv6 on the vRack as they do with the /30+ IPv4s attached to the vRack

The only way I am aware of to get IPv6 on the vRack, is to use the public interface of a server, and have that NAT/route to the other VMs/etc. sitting on the vRack side.

In short: Call your sales manager, log support tickets, ask in the community forums, complain on twitter etc. as until there aren't enough need/etc. they'll drag their feets on IPv6 on the vRacks (It is a tad bigger issue, and OVH's network are quite "limited" to be able to cater for things the way they do, so don't expect something soon ;( )

But wont that stop working once you move the VM to another node without making any changes?

 

[hvisage]

But wont that stop working once you move the VM to another node without making any changes?

Yes and no.

The assumption here:

BBI -IPv6/64 - Node1{FireWall/NatDevice} -(vRack NAT6 or >/64 [note1])- Node2{VM}

The {VM} can be moved from Node1 to Node2 and back, as long as its on the same vRack-dot11q vlan.
The "secret sauce" is that {FireWall/NatDevice} that is listening and answering the IPv6 on the public Internet port (ie. NOT a OLA - OVH Link Aggregation - port) and then (at L3/routing layer) route it to the vRack (or the dot11q on the vRack) interface.

[Note1]:
I've not done this (yet) as the biggest issue for me is I either need to do NAT6 (not in the mood yet) OR do "strange" IPv6 subnetting/etc. AND do a NDP neighbour broadcast of the whole network (read: flooding OVH's router/switch's NDP tables) to the firewall's MAC.

In short it's actually messy to say the least.

[Note1 - continuation]:
the moment you migrate (or even do a HA fail over of ) the {FireWall/NatDevice}, you'll have to change the external IPv6 network - which means you really should be doing NAT6 to the internal VMs - that's not the pain, the pain is now you'll need to update all DNS entries to the new IPv6 addresses and inform your sticky/whitelisting partners accordingly - Ditto when you have a server upgrade