OVH - Proxmox 7 + ipv4 + ipv6 (NAT)

lps90 · Mar 29, 2023

Hello guys

I've been facing problems since always related with configuring all LXC's and VM's with ipv4 + ipv6 in OVH.
There are 5+ posts in this forum related with that, but not even a completely working tutorial so
the community users can finally configure they're machines in the correct way.
I only managed to make the ipv4 (NAT) to work in all LXC's, i didn't managed to make the LXC's / VM's to
work with both ipv4 and ipv6 at the same time (i am not talking about using different ipv4 in each vm / lxc with ovh macs,
i am talking about using the same ipv4 and different ipv6 for each machine, for example).
As you know, now OVH ipv4 are more expensive, so it would be a great alternative if we can use 1 ipv4 and the available ipv6.
If some users want to contribute and help me to create a fully working tutorial, i think the entire community will be grateful.
But ofc that failover ips need to work too, in case users want to use virtual macs from ovh and configure with failover ip.

btw, i can give access to a Proxmox 7 fully formated machine in OVH so we can test every single possibility and make it work

_gabriel · Mar 31, 2023

is VMs works in ipv4 NAT Masquering + port Forwarding ?

lps90 · Apr 1, 2023

_gabriel said:
is VMs works in ipv4 NAT Masquering + port Forwarding ?

No, only LXC is working that way.
I'm asking for anyone to help so i can make a tutorial for everyone.
I already managed to make ipv6 + ipv4 (NAT) to work at least in lxc (dind't tested with VM's), but idk why,
when i restarted proxmox, the lxc's network is not coming up.
(sometimes it comes up if i reload iptables, sometimes only if i restart networking... but if i restart the dedicated machine, when it boots,
there is no network in lxc, i do not really understand what it is happening).

My goal is:
1. LXC's / VM's working with ipv4 and ipv6 (using iptables NAT)
2. VM's working the same way as LXC's (same external ipv4 and different internal ips)
3. LXC's / VM's compatibility with failover ips, because i use multiple ips (i mean, working with ovh virtual mac)

This it was the perfect setup for me (and for all users ofc).

_gabriel · Apr 1, 2023

Have you followed the section "Proxmox VE server at hosting provider, with a single public IP address" ?
You need to setup NAT Masquering + port Forwarding => Proxmox Wiki Network_Configuration

lps90 · Apr 1, 2023

I'm not sure if you're reading everything i said with attention.
Configuring it with nat + 1 ip address is not the problem, the problem is configuring like i described.
Read it again

My goal is:
1. LXC's / VM's working with ipv4 and ipv6 (using iptables NAT)
2. VM's working the same way as LXC's (same external ipv4 and different internal ips)
3. LXC's / VM's compatibility with failover ips, because i use multiple ips (i mean, working with ovh virtual mac)

lps90 · Apr 12, 2023

So basically i managed to almost make everything work the way i want.
thanks to Maounique for helping me in part of this process.

Basically i'm using a VM as general router with different interfaces with different failover ips associated to each interface.
This VM uses iptables so i can NAT internal ips with the failover ips or default ip.

Almost everything works well with ipv4 and ipv6.
1. I can create several LXC's with the same external default dedicated server ip (using different internal ips).
2. I can create several LXC's with different failover ips (using different internal ips and OVH generated mac addresses).
3. I CAN'T create several VM's with different failover ips.
This is the only problem i have.
Maybe someone can help e solve this little problem.
I'll share the entire tutorial / configurations.
Host: OVH
System: Proxmox 7 (Latest version)

1. Install ndppd in the dedicated server:

Code:

apt install ndppd

2. Create /etc/ndppd.conf file with:

Code:

route-ttl 30000
proxy vmbr0 {
router yes
timeout 500
ttl 30000
rule 2001:41d0:303:XXXX::/64 {
static
}
}

3. Save it and start / daemonize it:

Code:

ndppd -d -c /etc/ndppd.conf

4. Dedicated server /etc/sysctl.config:

Code:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

5. Apply it with the command:

Code:

sysctl -p

6. Dedicated server /etc/network/interfaces config:

Code:

auto lo
iface lo inet loopback

iface enp1s0f0 inet manual

iface enp1s0f1 inet manual

auto vmbr0
iface vmbr0 inet static
    address 141.94.XX.199/24
    gateway 141.94.XX.254
    bridge-ports enp1s0f0
    bridge-stp off 
    bridge-fd 0
    hwaddress A8:A1:59:XX:XX:XX

iface vmbr0 inet6 static
    address 2001:41d0:303:XXXX::FFFF/128
    post-up sleep 5; /sbin/ip -6 route add  2001:41d0:303:XXff:ff:ff:ff:ff dev vmbr0
    post-up sleep 5; /sbin/ip -6 route add default via 2001:41d0:303:XXff:ff:ff:ff:ff
    pre-down /sbin/ip -6 route del default via 2001:41d0:303:XXff:ff:ff:ff:ff
    pre-down /sbin/ip -6 route del 2001:41d0:303:XXff:ff:ff:ff:ff dev vmbr0

auto vmbr46
iface vmbr46 inet static
    address 192.168.1.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp -m multiport --dports 1:8005,8008:65535 -j DNAT --to-destination 192.168.1.2
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p udp -m multiport --dports 1:65535 -j DNAT --to-destination 192.168.1.2
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp -m multiport --dports 1:8005,8008:65535 -j DNAT --to-destination 192.168.1.2
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p udp -m multiport --dports 1:65535 -j DNAT --to-destination 192.168.1.2

iface vmbr46 inet6 static
    address 2001:41d0:303:XXXX::1/64

7. I've created a Router VM (Debian 11) with this configuration:
https://gyazo.com/ade6526fc75671dde47b9953ce8df937
(4 failover ips with the ovh generated mac addresses for each one)
8. Dedicated server /etc/sysctl.config:

Code:

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

9. Router VM /etc/network/interfaces config:

Code:

auto lo
iface lo inet loopback

allow-hotplug ens18
iface ens18 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    dns-serververs 213.186.33.99
    dns-search ip-141-XX-XX.eu

auto ens19
iface ens19 inet static
    address 37.59.XXX.176/24

auto ens20
iface ens20 inet static
    address 37.59.XXX.177/24

auto ens21
iface ens21 inet static
    address 37.59.XXX.178/24

auto ens22
iface ens22 inet static
    address 37.59.XXX.179/24

10. Router VM /etc/iptables/rules.v4:

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [169616:10946560]
:INPUT ACCEPT [61972:2335680]
:OUTPUT ACCEPT [20:1520]
:POSTROUTING ACCEPT [27:2064]
##### DEFAULT IP ######
# LXC1
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
# VM1
-A PREROUTING -p tcp -m tcp --dport 23 -j DNAT --to-destination 192.168.1.11:23
-A PREROUTING -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.1.11:81
##### FAILOVER IPS ######
# LXC2
-A PREROUTING -d 37.59.XXX.176/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.176:22
-A PREROUTING -d 37.59.XXX.176/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.176:80
# VM2
-A PREROUTING -d 37.59.XXX.177/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.177:22
-A PREROUTING -d 37.59.XXX.177/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.177:80
# LXC3
-A PREROUTING -d 37.59.XXX.178/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.178:22
-A PREROUTING -d 37.59.XXX.178/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.178:80
# VM3
-A PREROUTING -d 37.59.XXX.179/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.179:22
-A PREROUTING -d 37.59.XXX.179/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.179:80
##### DEFAULT IPS SNAT #####
-A POSTROUTING -d 192.168.1.10/32 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -d 192.168.1.11/32 -j SNAT --to-source 192.168.1.2
##### FAILOVER IPS SNAT #####
-A POSTROUTING -d 192.168.1.176/32 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -d 192.168.1.177/32 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -d 192.168.1.178/32 -j SNAT --to-source 192.168.1.2
-A POSTROUTING -d 192.168.1.179/32 -j SNAT --to-source 192.168.1.2
COMMIT

So basically all the LXC's are working as expected with failoverips or default ip and different ipv6.
The problem is the VM's, if i add the mac address of the failoverip i want to use and the internal ip i associated with
the failover ip in Router VM iptables, it is not working.

Maybe someone can help me with this problem.

_gabriel · Apr 12, 2023

i'm not expert, but as your vm router hold the mac hw, other vm must not use mac hw too. other vm just need hw address generated by pve and use internal ip with gateway/router set to 192.168.1.2.

lps90 · Apr 12, 2023

_gabriel said:
i'm not expert, but as your vm router hold the mac hw, other vm must not use mac hw too. other vm just need hw address generated by pve and use internal ip with gateway/router set to 192.168.1.2.

I do not think that's the solution, the ovh mac address for each failover ip should be used by the VM / LXC (like described in all the documentations from OVH).

_gabriel · Apr 12, 2023

not in your case as your vm is the internal router that hold your 4 ips & mac exposed to ovh.
first ip exposed to ovh is the PVE host vmbr0

lps90 · Apr 12, 2023

_gabriel said:
not in your case as your vm is the internal router that hold your 4 ips & mac exposed to ovh.
first ip exposed to ovh is the PVE host vmbr0

So why it works in all lxc?

_gabriel · Apr 12, 2023

what's your LXC1 mac hw ?

lps90 · Apr 12, 2023

The one provided by ovh to the respective failover ip i am using in that lxc.

_gabriel · Apr 12, 2023

in your rules.v4 , LXC1 use "DEFAULT IP" so LXC1 doesn't need mac of failover ip1 to work.
try to set LXC1 to random mac hw to confirm.

lps90 · Apr 12, 2023

_gabriel said:
i'm not expert, but as your vm router hold the mac hw, other vm must not use mac hw too. other vm just need hw address generated by pve and use internal ip with gateway/router set to 192.168.1.2.

This seems to work, but the VM (centos 7) is with problems.
I try to curl api.ipify.org to be sure about my external ip and the result is: No route to host.
(I can ping google.com)

_gabriel said:
in your rules.v4 , LXC1 use "DEFAULT IP" so LXC1 doesn't need mac of failover ip1 to work.
try to set LXC1 to random mac hw to confirm.

If i put a random mac address the external ip assigned to the LXC will be the default one and not the failover ip.
So yeah, i always need to use the mac address assigned to the failover ip.

_gabriel · Apr 12, 2023

sorry I'm not expiremented and not english ! (même si en français je ne crois pas pouvoir faire mieux ...)
I don't understand all the setup (even skipping ipv6) , but afaik VM/LXC can't use same hw address
and if LXC ip is set to a failover ip and hw address, it doesn't need VM router because it use the defautt ipv4 route of the PVE host.

lps90 · Apr 12, 2023

yeah, as far as i can see you're not checking all my configs with attention, so yeah, you will not be able to provide the correct solution.
thanks anyway.

_gabriel · Apr 13, 2023

to sum up, for ipv4 part, your LXC can works without NAT because they use the route of the PVE host, same as your first post.
They didn't need a router if their ip are set directly to failover/additionnal ip & hw address.
If their ip are set to an internal ip and random hw address, they need NAT.
This is two differents methods.
For the VM part, NAT is required so you need a router (can be your PVE host direclty as described in Proxmox Wiki or a VM router).

lps90 · Apr 13, 2023

I know how to configure everything with zero problems without using the router vm (using only dedicated server iptables + nat).
But a few persons that understand well about network related things told me that using NAT on the vmbr0 interface
it is not secure at all and sugested me to create a router vm for this kind of work.
That's why i am doing this.
Like i said before, the main goal is to use a VM Router for everything and not the dedicated server iptables + nat.
Currently the only problem i have is with VM's using failover ips (not LXC's... LXC's are ok!)
Using the failoverip mac address + internal ip + gateway 192.168.1.2 like you suggested it works, but the machine route it is not ok.
I try to curl api.ipify.org to be sure about my external ip and the result is: No route to host.

_gabriel · Apr 13, 2023

there is nothing to configure for LXC in ipv4 with failover ip & hw address, no need iptables and NAT.
For VM "No route to host" from curl , but ping ok, try with wget
wget -qO - icanhazip.com

lps90 · Apr 13, 2023

" there is nothing to configure for LXC in ipv4 with failover ip & hw address, no need iptables and NAT "
You continue insisting in things that are not the problem here.
So explain me how can i specify the internal ip, ports and rules for each failover ip?
I use iptables + nat because i can choose what rules to apply for each failover ip.

"wget -qO - icanhazip.com"
nothing happens...

OVH - Proxmox 7 + ipv4 + ipv6 (NAT)

Active Member

Renowned Member

Active Member

Renowned Member

Active Member

Active Member

Renowned Member

Active Member

Renowned Member

Active Member

Renowned Member

Active Member

Renowned Member

Active Member

Renowned Member

Active Member

Renowned Member

Active Member

Renowned Member

Active Member