Routed Configuration with IPv6 not working

nak

Member
Apr 15, 2021
I'm trying to set up a server with routed networking. My host has given me:

Public IPv4 IPs: 170.1.2.88/29
IPv4 Gateway IP: 170.1.2.89
Public IPv6 IPs: 2600:1234:1234:1234::/64
IPv6 Gateway 2600:1234:1234:1234::1

Here is my /etc/network/interfaces on the Proxmox host:

Code:
auto lo
iface lo inet loopback

auto enp11s0f0np0
iface enp11s0f0np0 inet static
        address 170.1.2.90/29
        gateway 170.1.2.89
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/enp11s0f0np0/proxy_arp

iface enp11s0f0np0 inet6 static
        address 2600:1234:1234:1234::90/64
        gateway 2600:1234:1234:1234::1
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

iface enp6s0 inet manual

iface enp7s0 inet manual

iface enp11s0f1np1 inet manual

iface enx5a3fcd409b33 inet manual

auto vmbr0
iface vmbr0 inet static
        address 10.13.1.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 170.1.2.91/32 dev vmbr0

iface vmbr0 inet6 static
    address 2600:1234:1234:1234::10/64
    up ip -6 route add 2600:1234:1234:1234::91/128 dev vmbr0

source /etc/network/interfaces.d/*


and here is the configuration in a Proxmox container /etc/systemd/network/eth0.network:

Code:
[Match]
Name = eth0

[Network]
Description = Interface eth0 autoconfigured by PVE
Address = 170.1.2.91/29
Gateway = 170.1.2.90
Address = 2600:1234:1234:1234::91/128
Gateway = 2600:1234:1234:1234::10
DHCP = no
IPv6AcceptRA = false

[Route]
Destination = 2600:1234:1234:1234::10/128
Scope = link


It appears that everything works OK for IPv4, both on host and guest.

The host can talk through IPv6 OK. However, the guest cannot communicate over IPv6 to the internet.

Can anyone help see what is wrong in my configuration? Thank you!
 
The gateway 2600:1234:1234:1234::1 would send packets to 2600:1234:1234:1234::91 into its LAN, trying to resolve the MAC address via neighbor discovery.

Your guest with this IP is not in the same broadcast domain, hence neighbor discovery will not find it. The gateway has no destination to send the packets to.

You cannot have the same IPv6 network on two different broadcast domains.

With IPv4 you use Proxy-ARP which relays ARP requests. There seems to be something similar for ND, but I do not know if there is an implementation for Linux available.

https://www.rfc-editor.org/rfc/rfc4389
 
OK, thanks for your help. That pointed me on the right track. I eventually found this website which was helpful.

It does look like there is some sort of daemon to handle automatically creating the IPv6 neighbor proxies, but in my case I only have a few VMs on the box so I just created them manually. For anyone reading it in the future, here is my configuration that seems to be working at /etc/network/interfaces on the Proxmox host:

Code:
auto lo
iface lo inet loopback


auto enp11s0f0np0
iface enp11s0f0np0 inet static
        address 170.1.2.90/29
        gateway 170.1.2.89
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/enp11s0f0np0/proxy_arp


iface enp11s0f0np0 inet6 static
        address 2600:1234:1234:1234:90::/128
        gateway 2600:1234:1234:1234::1
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
        post-up echo 1 > /proc/sys/net/ipv6/conf/enp11s0f0np0/forwarding
        post-up echo 1 > /proc/sys/net/ipv6/conf/enp11s0f0np0/proxy_ndp




iface enp6s0 inet manual


iface enp7s0 inet manual


iface enp11s0f1np1 inet manual


iface enx5a3fcd409b33 inet manual


auto vmbr0
iface vmbr0 inet static
        address 10.13.1.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        up ip route add 170.1.2.91/32 dev vmbr0
        up ip route add 170.1.2.92/32 dev vmbr0
        up ip route add 170.1.2.93/32 dev vmbr0
        up ip route add 170.1.2.94/32 dev vmbr0


iface vmbr0 inet6 static
        address 2600:1234:1234:1234:90::/64
        up ip -6 neigh add proxy 2600:1234:1234:1234:91:: dev enp11s0f0np0
        up ip -6 neigh add proxy 2600:1234:1234:1234:92:: dev enp11s0f0np0
        up ip -6 neigh add proxy 2600:1234:1234:1234:93:: dev enp11s0f0np0
        up ip -6 neigh add proxy 2600:1234:1234:1234:94:: dev enp11s0f0np0
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
        post-up echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp


source /etc/network/interfaces.d/*

And then, when creating a VM or container, I set the network bridge to vmbr0, the IPv4 to static 170.1.2.91/29 with gateway 170.1.2.90, and the IPv6 to static 2600:1234:1234:1234:91::/80 with gateway 2600:1234:1234:1234:90::, for a VM that has an IPv4 address of 170.1.2.91 and an IPv6 address of 2600:1234:1234:1234:91::
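
Added example, not part of the original post or the poster's own tooling: a shell lint for the neighbor-discovery explanation and the manual proxy setup above. It checks that every guest address has an `ip -6 neigh add proxy` entry on the uplink interface and that `forwarding` and `proxy_ndp` are switched on for that interface or for `all`; the function names and the sample excerpt are constructed here.

```shell
# Added example: lint an ifupdown file for the NDP-proxy setup discussed above.
# usage: lint_ndp_proxy FILE UPLINK [GUEST_ADDR...]   returns 0 when clean
# Addresses are compared as text, so spell them exactly as the file does.
lint_ndp_proxy() {
    file=$1; uplink=$2; shift 2
    awk -v uplink="$uplink" -v guests="$*" '
        function enabled(knob) {
            return (("all/" knob) in on) || ((uplink "/" knob) in on)
        }
        /^[ \t]*#/ { next }
        # "echo 1 > /proc/sys/net/ipv6/conf/<if>/<knob>" switches a knob on
        match($0, "echo 1 > /proc/sys/net/ipv6/conf/[^/ ]+/(forwarding|proxy_ndp)") {
            n = split(substr($0, RSTART, RLENGTH), p, "/")
            on[p[n - 1] "/" p[n]] = 1
        }
        # "ip -6 neigh add proxy <addr> dev <if>" answers solicitations for <addr>
        /ip -6 neigh add proxy / {
            for (i = 1; i < NF; i++) {
                if ($i == "proxy") addr = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            proxied[addr] = dev
        }
        END {
            ng = split(guests, g, " ")
            for (i = 1; i <= ng; i++) {
                if (!(g[i] in proxied)) {
                    print "MISSING proxy entry: " g[i]; bad = 1
                } else if (proxied[g[i]] != uplink) {
                    print "WRONG device " proxied[g[i]] " for " g[i]; bad = 1
                }
            }
            if (!enabled("forwarding")) { print "DISABLED forwarding on " uplink; bad = 1 }
            if (!enabled("proxy_ndp")) { print "DISABLED proxy_ndp on " uplink; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$file"
}
# Constructed excerpt modelled on the host config in this thread (one wrong dev).
sample_interfaces() {
    cat <<'EOF'
post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
post-up echo 1 > /proc/sys/net/ipv6/conf/enp11s0f0np0/proxy_ndp
up ip -6 neigh add proxy 2600:1234:1234:1234:91:: dev enp11s0f0np0
up ip -6 neigh add proxy 2600:1234:1234:1234:92:: dev vmbr0
EOF
}
tmp=$(mktemp); sample_interfaces > "$tmp"
lint_ndp_proxy "$tmp" enp11s0f0np0 2600:1234:1234:1234:92:: || echo "fix the config"
rm -f "$tmp"
```

On a running host, `ip -6 neigh show proxy` lists the proxy entries that are actually installed.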
 
BTW: Why do you use a routed setup anyway? If the VMs have public IPs why not use a bridged configuration?

From https://pve.proxmox.com/wiki/Network_Configuration:

Most hosting providers do not support the above setup (bridged networking). For security reasons, they disable networking as soon as they detect multiple MAC addresses on a single interface.
Some providers allow you to register additional MACs through their management interface. This avoids the problem, but can be clumsy to configure because you need to register a MAC for each of your VMs.
You can avoid the problem by “routing” all traffic via a single interface. This makes sure that all network packets use the same MAC address.