Setting IPv6 on Proxmox

kamzata

Active Member
Jan 21, 2011
179
8
38
Venezia - Italy
I've got this configuration fully working on IPv4. Basically, there are 2 failover IPs laying on enp1s0f0 interface aliases, "natted" to 2 internal different Container network.
/etc/network/interface
Code:
auto lo
iface lo inet loopback
auto enp1s0f0
iface enp1s0f0 inet manual
auto enp1s0f0:0
iface enp1s0f0:0 inet static
        address  62.211.148.20
        netmask  255.255.255.0
        gateway  62.211.148.1
auto enp1s0f0:1
iface enp1s0f0:1 inet static
        address  62.211.148.21
        netmask  255.255.255.0
        gateway  62.211.148.1
auto vmbr0
iface vmbr0 inet static
        address  192.168.1.1
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
iptables IPv4 Firewall rules:
Code:
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
####################
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
####################
#-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j MASQUERADE
#-A POSTROUTING -s 192.168.1.0/24 -o vmbr0 -j SNAT --to-source 163.172.52.100
-A POSTROUTING -s 192.168.1.0/24 -o enp1s0f0 -j SNAT --to-source 62.211.148.20
-A PREROUTING -p tcp -m tcp -d 62.211.148.20 -i enp1s0f0 --dport 80 -j DNAT --to-destination 192.168.1.100:80
-A PREROUTING -p tcp -m tcp -d 62.211.148.20 -i enp1s0f0 --dport 443 -j DNAT --to-destination 192.168.1.100:443
-A PREROUTING -p tcp -m tcp -d 62.211.148.21 -i enp1s0f0 --dport 80 -j DNAT --to-destination 192.168.2.100:80
-A PREROUTING -p tcp -m tcp -d 62.211.148.21 -i enp1s0f0 --dport 443 -j DNAT --to-destination 192.168.2.100:443
-A PREROUTING -p tcp -m tcp -d 62.211.148.21 -i enp1s0f0 --dport 22200 -j DNAT --to-destination 192.168.2.100:22
####################
COMMIT
*mangle
:PREROUTING ACCEPT [6361:22504845]
:INPUT ACCEPT [6361:22504845]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4510:394131]
:POSTROUTING ACCEPT [4510:394131]
####################
####################
COMMIT

How can replicate the same configuration with IPv6?

I make the host partially works (now I can ping6 ipv6.google.com from Proxmox host itself) adding this to /etc/network/interface this config:
Code:
iface enp1s0f0 inet6 static
        address  2001:bc8:2cc7:101::
        netmask  64

iface enp1s0f0 inet6 static
        address  2001:bc8:2cc7:102::
        netmask  64

But I don't know what IPv6 address assign to vmbr0 and vmbr1, and how to set nat rules...
 
Last edited:

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
But I don't know what IPv6 address assign to vmbr0 and vmbr1, and how to set nat rules...


More or less corresponding to ipv4 method - if you want to use NAT, you must define first a private ipv6 network e.g.:

Code:
iface vmbr0 inet6 static
       address  fcd9::1
       netmask  64

Then configure your NAT:

Code:
ip6tables -A POSTROUTING -s 192.168.1.0/24 -o enp1s0f0 -j SNAT --to-source 2001:bc8:2cc7:101::
ip6tables -t nat -A PREROUTING -p tcp -m tcp -d 2001:bc8:2cc7:101:: -i enp1s0f0 --dport 80 -j DNAT --to-destination [fcd9::100]:80
....

Instead of 2001:bc8:2cc7:101:: you can use of course any of the /64 addresses you have got (don't forget to assign that address in /etc/network/interfaces to your NIC too!)

If you want to run without NAT (as you may expect it in ipv6) it's much clearer: Define a new bridge (e.g. vmbr2), add your NIC to it as well as virtual NICs in your VMs. Assign in the VMs simply an ip address from your /64 network (no ip6tables needed any more). However, this method works only if your router (provider!?) accepts MAC addresses from your virtual NICs.
 

kamzata

Active Member
Jan 21, 2011
179
8
38
Venezia - Italy
More or less corresponding to ipv4 method - if you want to use NAT, you must define first a private ipv6 network e.g.:

Code:
iface vmbr0 inet6 static
       address  fcd9::1
       netmask  64

Then configure your NAT:

Code:
ip6tables -A POSTROUTING -s 192.168.1.0/24 -o enp1s0f0 -j SNAT --to-source 2001:bc8:2cc7:101::
ip6tables -t nat -A PREROUTING -p tcp -m tcp -d 2001:bc8:2cc7:101:: -i enp1s0f0 --dport 80 -j DNAT --to-destination [fcd9::100]:80
....

Instead of 2001:bc8:2cc7:101:: you can use of course any of the /64 addresses you have got (don't forget to assign that address in /etc/network/interfaces to your NIC too!)
Thanks for your reply. I tried to do exactly like that but without success. If you want use NAT on IPv6 you need first to enable it. I tried to enable it appending this on interfaces file
Code:
post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
and setting a static gateway (because enabling port-forwarding on IPv6 disables SLAAC ipv6-address autoconfiguraton) like this
Code:
iface enp1s0f0 inet6 static
        address  2001:bc8:2cc7:101::
        netmask  64
        gateway  fe80::2c8:8bff:fff2:6c45
I also appended this
Code:
post-up echo 1 > /proc/sys/net/ipv6/conf/all/accept_ra
but nothing to do. Host works but container doesn't.
If you want to run without NAT (as you may expect it in ipv6) it's much clearer: Define a new bridge (e.g. vmbr2), add your NIC to it as well as virtual NICs in your VMs. Assign in the VMs simply an ip address from your /64 network (no ip6tables needed any more). However, this method works only if your router (provider!?) accepts MAC addresses from your virtual NICs.

As we're discussing here, run it without NAT breaks IPv4 configuration because bridge port doesn't work and setting a dedicated vmbrx for IPv6 force you to choose if you want to use that or the other (IPv4) on the container itself.
 

Richard

Proxmox Staff Member
Staff member
Mar 6, 2015
886
41
48
Austria
T
Code:
post-up echo 1 > /proc/sys/net/ipv6/conf/all/accept_ra
but nothing to do. Host works but container doesn't.


I used to run
Code:
sysctl -w net.ipv6.conf.all.forwarding=1

in order to route ipv6 traffic.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!