Proxmox und routed IPv6 für VMs (with OVH)

Nov 25, 2019
8
0
6
23
Hallo,

ich versuche aktuell IPv6 auf meinen Proxmox Server bei OVH einzurichten. IPv4 funktioniert bereits als routed setup. Ich habe bereits versucht die Einrichtung nach diversen Anleitungen vorzunehmen, dies hat jedoch nicht funktioniert.

Subnetz:
2001:41d0:2:xxxx::/64
Gateway bei OVH:
2001:41d0:2:xxff:ff:ff:ff:ff


Ich versuche das Setup ähnlich wie bei IPv4 einzurichten. Daher soll die VM zum interface vmbr0 des Hosts verbunden werden. Dieses soll dort auch als Gateway eingetragen werden. Daher ist das Setup ohne proxy_ndp, wobei ich es damit auch nicht hinbekommen habe.

Der aktuelle Stand ist folgender:
Host ist über IPv6 erreichbar. VM kann IPv6-Addresse vom Interface vmbr0 des Hosts pingen und ungekehrt. VM kann nicht von außerhalb erreicht werden, und kann auch keine Verbindung nach außerhalb aufbauen. Ein Ping von VM zum Gateway bei OVH (2001:41d0:2:xxff:ff:ff:ff:ff) ist nicht möglich.


Host:
Code:
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet static
        address  188.x.x.54
        netmask  255.255.255.0
        gateway  188.x.x.254
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/eno1/proxy_arp
auto vmbr0
iface vmbr0 inet static
        address  178.x.x.249
        netmask  255.255.255.248
        bridge-ports none
        bridge-stp off
        bridge-fd 0
iface eno1 inet6 static
        address 2001:41d0:2:xxxx::1
        netmask 128
        post-up /sbin/ip -f inet6 route add 2001:41d0:2:xxFF:FF:FF:FF:FF dev eno1
        post-up /sbin/ip -f inet6 route add default via 2001:41d0:2:xxFF:FF:FF:FF:FF
        pre-down /sbin/ip -f inet6 route del 2001:41d0:2:xxFF:FF:FF:FF:FF dev eno1
        pre-down /sbin/ip -f inet6 route del default via 2001:41d0:2:xxFF:FF:FF:FF:FF
iface vmbr0 inet6 static
        address 2001:41d0:2:9b36::2
        netmask 64
        up ip -6 route add 2001:41d0:2:9b36::/64 dev vmbr0

Die Post-up und post-down befehle sind hier notwendig, da das Gateway sich außerhalb des Netzes befindet. Entspricht der anleitung von OVH:
https://docs.ovh.com/gb/en/dedicated/network-ipv6/

Routingtable des Hosts:
Code:
Destination                    Next Hop                   Flag Met Ref Use If
2001:41d0:2:xxxx::1/128        [::]                       U    256 1     0 eno1
2001:41d0:2:xxxx::/64          [::]                       U    256 1     0 vmbr0
2001:41d0:2:xxxx::/64          [::]                       U    1024 1     0 vmbr0
vss-3-6k.fr.eu/128             [::]                       U    1024 2     1 eno1
vss-3-6k.fr.eu/128             [::]                       U    1024 2     0 vmbr0
fe80::/64                      [::]                       U    256 1     0 eno1
fe80::/64                      [::]                       U    256 1     0 vmbr0
[::]/0                         vss-3-6k.fr.eu             UG   1024 9    92 eno1
[::]/0                         vss-3-6k.fr.eu             UG   1024 9   182 vmbr0
ip6-localhost/128              [::]                       Un   0   9    40 lo
2001:41d0:2:xxxx::/128         [::]                       Un   0   2     0 vmbr0
2001:41d0:2:xxxx::1/128        [::]                       Un   0   7   196 eno1
2001:41d0:2:xxxx::2/128        [::]                       Un   0   7     5 vmbr0
fe80::/128                     [::]                       Un   0   2     0 eno1
fe80::/128                     [::]                       Un   0   2     0 vmbr0
fe80::40e6:56ff:fef9:6879/128  [::]                       Un   0   2     0 vmbr0
fe80::4e72:b9ff:feb0:f75b/128  [::]                       Un   0   3     4 eno1
ip6-mcastprefix/8              [::]                       U    256 3   225 eno1
ip6-mcastprefix/8              [::]                       U    256 9    20 vmbr0
[::]/0                         [::]                       !n   -1  1     1 lo


Dabei ist vss-3-6k.fr.eu das gateway von OVH:

Code:
nslookup 2001:41d0:2:xxff:ff:ff:ff:ff
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
f.f.0.0.f.f.0.0.f.f.0.0.f.f.0.0.f.f.x.x.2.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa        name = vss-3-6k.fr.eu.

Host ausgabe von sysctl -p:
Code:
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1


VM:
Code:
allow-hotplug ens18
iface ens18 inet static
        address 178.x.x.251/29
        gateway 178.x.x.249
iface ens18 inet6 static
        address 2001:41d0:2:xxxx::3
        netmask 64
        gateway 2001:41d0:2:xxxx::2

Würde mich freue, wenn mir jemand beim lösen meines Problems helfen würde!
 
Last edited:
Sorry, for posting in English in the german subforum, but the replys are in English so I think it is besser that way.

Sadly, the Proxmox Forum wasn't helpfull at all for me.

I managed to get a working configuration. Please be aware that this is , more or less, specific to the hoster OVH (or their subsidiarys kimsufi and SoYouStart). Other hosters should work fine with the other configurations provided in the proxmox wiki.

However, it seems like OVH requires the use of virtual MAC-addresses to have a proxmox setup which is fully working with ipv6 and ipv4. That was, what I wanted to avoid with using the routed configuration but I wasn't able to make it work with any other configuration / tutorial I could find.

Also, I didn't really thought this would work, because you can only configure OVHs virtual MAC-addresses for ipv4 addresses. However, as soon as you assigned it to a ipv4 address you can use it for any address in your ipv6 subnet as well.
 
Sorry, for posting in English in the german subforum, but the replys are in English so I think it is besser that way.

Sadly, the Proxmox Forum wasn't helpfull at all for me.

I managed to get a working configuration. Please be aware that this is , more or less, specific to the hoster OVH (or their subsidiarys kimsufi and SoYouStart). Other hosters should work fine with the other configurations provided in the proxmox wiki.

However, it seems like OVH requires the use of virtual MAC-addresses to have a proxmox setup which is fully working with ipv6 and ipv4. That was, what I wanted to avoid with using the routed configuration but I wasn't able to make it work with any other configuration / tutorial I could find.

Also, I didn't really thought this would work, because you can only configure OVHs virtual MAC-addresses for ipv4 addresses. However, as soon as you assigned it to a ipv4 address you can use it for any address in your ipv6 subnet as well.

Just made it works perfectly with OVH. Please, follow my thread here. I'll post the working configuration in few hours.
 
Like I said, the most important thing about this is, that you have to give the container / Vm a virtual MAC address generated in your OVH customer panel.

The rest was some testing and adaption from the OVH page in the proxmox wiki.

Be aware that the usual network configuration during the OS install probably won't work, since special configuration is needed for OVH.

You also need to adapt the ipv6 gateway, post-up and post-down rules to match your ipv6 subnet. Like this:
Your subnet:
2001:1234:1234:0123::1/64
Your Gateway (also for post-up and post-down):
2001:1234:1234:01ff:ff:ff:ff:ff

Host configuration:

Code:
auto lo
iface lo inet loopback

auto eno1
iface eno1 inet manual
iface eno1 inet6 manual

auto eth0
iface eth0 inet static
        address 1.2.3.9
        netmask 255.255.255.255
        post-up ip route add 4.3.2.254 dev eth0
        post-up ip route add default via 4.3.2.254
        pre-down ip route del default via 4.3.2.254
        pre-down ip route del 4.3.2.254 dev eth0
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

iface vmbr0 inet6 static
        address 2001:1234:1234:0123::1
        netmask 64
        post-up /sbin/ip -f inet6 route add 2001:1234:1234:01ff:ff:ff:ff:ff dev #you must adapt the interface name (eth0) here to the name of your interface
        post-up /sbin/ip -f inet6 route add default via 2001:1234:1234:01ff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del default via 2001:1234:1234:01ff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del 2001:1234:1234:01ff:ff:ff:ff:ff dev #you must adapt the interface name (eth0) here to the name of your interface

Host configuration sysctl:
Code:
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0

VM / LXC Container configuration:


Code:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 4.3.2.5 # VM ip address. You MUST generate a virtual MAC address to THIS IP in the OVH web pannel, and give this VM the generated virtual MAC address via proxmox.
        netmask 255.255.255.248 # your subnet mask
        gateway 1.2.3.9 #should be host ip address, but works for me whatever I put in there

iface eth0 inet6 static
        address 2001:1234:1234:0123::5 # some ip within your ipv6 subnet. You do not need to (and cannot) assign a virtaul MAC address to this ipv6 address. However, you need do need have the virtual MAC address assigned to the ipv4 address.
        netmask 64
        post-up /sbin/ip -f inet6 route add 2001:1234:1234:01ff:ff:ff:ff:ff dev eth0 #you must adapt the interface name (eth0) here to the name of your interface
        post-up /sbin/ip -f inet6 route add default via 2001:1234:1234:01ff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del default via 2001:1234:1234:01ff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del 2001:1234:1234:01ff:ff:ff:ff:ff dev eth0 #you must adapt the interface name (eth0) here to the name of your interface
 
Thank you very much. I'm using a reverse proxy in front of all my LXC Containers with a IPv4 routed configuration so apply this would mean overturn my whole setup. I'll try a little bit to make it work. I think I'm very close to the solution to use an IPv4 routed configuration with IPv6... IPv4 works, using IPv6 host and guest can ping each other, host can connect to internet but guest cannot. When you tried, did you get stuck at the same point?
 
Yes I got stuck at the same point. IPv6 would not work ouside of proxmox. All the guides for proxmox ipv6 didn't works out for me and a friend of mine, which is also hosting at OVH, told me that because OVH changed theire network setup you have to use virtual MAC addresses to get IPv6 working.

So I'm rather sure that you have to do the same as well, since you got stuck at the exact same point.



I did try to avoid vMACs myself, but changin the network setup like this isn't actually that much work and it certently is less work than trying to get a setup which just - to my beat knowledge - not working with OVH. However, you can simply ask OVH yourself if this setup should work like this or if vMACs are required.
 
Why did you use a netmask 64 for your vmbr0 IPv6 interface? In OVH example you should use 128.
Because I don't see a reason for it. I think they only use /128 in the OVH setup because they only use one address anyway (no containers / VMs).

It is a /64 subnet and they are interconnected "directly". They don't need to be routed over the gateway, so that is the right subnet mask.

It also is like that in the Proxmox documentation for OVH.
https://pve.proxmox.com/wiki/OVH
 
Yes I got stuck at the same point. IPv6 would not work ouside of proxmox. All the guides for proxmox ipv6 didn't works out for me and a friend of mine, which is also hosting at OVH, told me that because OVH changed theire network setup you have to use virtual MAC addresses to get IPv6 working.

So I'm rather sure that you have to do the same as well, since you got stuck at the exact same point.



I did try to avoid vMACs myself, but changin the network setup like this isn't actually that much work and it certently is less work than trying to get a setup which just - to my beat knowledge - not working with OVH. However, you can simply ask OVH yourself if this setup should work like this or if vMACs are required.

What about IPv4 and IPv6 Firewalls? Have you been forced to enable it on every LXC container?

Another thing I find annoying it's the fact not all providers offer IPs for "free" (you pay only the setup actually), so this bond me tight to OVH...
 
What about IPv4 and IPv6 Firewalls? Have you been forced to enable it on every LXC container?

Another thing I find annoying it's the fact not all providers offer IPs for "free" (you pay only the setup actually), so this bond me tight to OVH...
No, why would I need to enable the Firewall? I have it enabled on all of them, but it works just fine without it.

Yes, that is quite nice. Altrough I would like to avoid having my address and telephone number in the public RIPE database because the IP addresses are registered to me.
 
My setup on OVH works. (with soyoustart line of dedicated servers, with 64/ net)

on Proxmox Host I have set this in /etc/sysctl.conf

Code:
net.ipv6.conf.vmbr0.autoconf = 0
net.ipv6.conf.vmbr0.accept_ra = 2

net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1

net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.all.proxy_ndp = 1

and then every VM needs the Proxmox setting "Router advertisements" activated in Firewall->Options in proxmox GUI

I set all VMS up with static ipv6. As gateway I use the proxmox host IPv6.

I dont know if it is new for 2022, but it is possible to use the regular "gateway" "add route" was not necessary.

for ipv4 in your VM's you do need to set the vMAC in proxmox GUI.

for som reason Debian and Ubuntu do not want to connect from their installer to ipv4. You have to set it up after install. But ipv6 works.

RHEL, Rocky, Alma work normally through their installer with ipv4.

Anyway my point is that without Router advertisements set I had the problem that the VM cannot reach the WAN, but can reach the gateway and other VMs.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!