[SOLVED] Setting up Proxmox on OVH with 2 failover IPs, IPv4 with NAT, and IPv6

We are going to use the host as a proxy for IPv6. First of all, you need to install Npd6 in order to discover all IPv6 neighbors:
apt-get install npd6

Set it up:
/etc/npd6.conf
Bash:
...

prefix=2001:41d0:XXXX:17ba:

interface = vmbr0

...

Doing that, all container IPv6 addresses will be added as neighbors automatically.

Then you have to set:
/etc/sysctl.conf
Bash:
vm.max_map_count=262144
fs.protected_hardlinks=1
fs.protected_symlinks=1


### IPv4
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp=0
net.ipv4.ip_forward=1
kernel.sysrq=1
net.ipv4.conf.default.send_redirects=1
net.ipv4.conf.all.send_redirects=0

### IPv6
net.ipv6.conf.eno1.autoconf=0
net.ipv6.conf.vmbr0.autoconf=0
net.ipv6.conf.eno1.accept_ra=0
net.ipv6.conf.vmbr0.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.router_solicitations=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.default.proxy_ndp=1
net.ipv6.bindv6only=1

and:
/etc/network/interfaces
Bash:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eno1
iface eno1 inet manual


auto vmbr0

# Main IPv4 Bridge
iface vmbr0 inet static
    address  51.XXX.53.186
    netmask  255.255.255.0
    gateway  51.XXX.53.254
    bridge_ports eno1
    bridge_stp off
    bridge_fd 0

   # Failover IP #1
    up ip addr add 51.XXX.245.61/32 dev vmbr0
    down ip addr del 51.XXX.245.61/32 dev vmbr0

   # Failover IP #2
    up ip addr add 51.XXX.245.70/32 dev vmbr0
    down ip addr del 51.XXX.245.70/32 dev vmbr0

   # Internal network #1
    up ip addr add 192.168.1.1/24 dev vmbr0
    down ip addr del 192.168.1.1/24 dev vmbr0

   # Internal network #2
    up ip addr add 192.168.2.1/24 dev vmbr0
    down ip addr del 192.168.2.1/24 dev vmbr0

# Main IPv6 address
iface vmbr0 inet6 static
    address  2001:41d0:XXXX:17ba::ffff
    netmask  128

    # IPv6 Gateway
    post-up sleep 5; /sbin/ip -6 route add 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev vmbr0
    post-up sleep 5; /sbin/ip -6 route add default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF
    pre-down /sbin/ip -6 route del default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF
    pre-down /sbin/ip -6 route del 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev vmbr0

    # Adding IPv6 Gateway to the neighbors
    post-up /sbin/ip -f inet6 neigh add proxy 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev vmbr0

    # Enabling NDP proxying and forwarding
    post-up echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
    post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    post-up echo 1 > /proc/sys/net/ipv6/conf/default/forwarding

Set IPv6 DNS nameservers:
/etc/resolv.conf
Bash:
search myserver.com
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8

Make IPv4 NAT work using some rules:
Bash:
-A POSTROUTING -s 192.168.1.0/24 -o eno1 -j SNAT --to-source 51.XXX.245.61
-A POSTROUTING -s 192.168.2.0/24 -o eno1 -j SNAT --to-source 51.XXX.245.70

# Some rule to a Container with IP 192.168.1.100
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.61 -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.1.100:80

# Some rule to a Container with IP 192.168.2.100
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.70 -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.2.100:80


Reboot and test the host connectivity:
Bash:
root@srv001:~/# ping google.com
PING google.com(fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e)) 56 data bytes
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=1 ttl=51 time=4.50 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=2 ttl=51 time=4.58 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=3 ttl=51 time=3.57 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 3.571/4.215/4.578/0.456 ms
root@srv001:~/# ping6 ipv6.google.com
PING ipv6.google.com(fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e)) 56 data bytes
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=1 ttl=51 time=4.34 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=2 ttl=51 time=4.33 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=3 ttl=51 time=4.26 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 4.263/4.313/4.343/0.064 ms

Then configure a container:
/etc/network/interfaces
Bash:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eth0
iface eth0 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        gateway 192.168.1.1

iface eth0 inet6 static
        address 2001:41d0:XXXX:17ba::1:100
        netmask 64
# --- BEGIN PVE ---
        post-up ip route add 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
        post-up ip route add default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
        pre-down ip route del default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
        pre-down ip route del 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
# --- END PVE ---

and test the container connectivity:
Bash:
 nginx  ⌁ root  /etc/nginx  ping google.com
PING google.com(fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e)) 56 data bytes
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=1 ttl=51 time=3.32 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=2 ttl=51 time=3.49 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=3 ttl=51 time=3.41 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.321/3.405/3.487/0.095 ms
nginx  ⌁ root  /etc/nginx  ping6 ipv6.google.com
PING ipv6.google.com(fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e)) 56 data bytes
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=1 ttl=51 time=3.19 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=2 ttl=51 time=2.88 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=3 ttl=51 time=3.20 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 2.876/3.087/3.200/0.156 ms

Done!
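
An added check, not part of the original post: it audits a sysctl.conf-style file for the forwarding, proxy-NDP and router-advertisement settings the host configuration above relies on, and lists `all`/`default` pairs whose values differ so they can be reviewed. The function names and the sample file are constructed for illustration.

```sh
# Settings the post's routed IPv6 / proxy-NDP host relies on
# (keys and values copied from its /etc/sysctl.conf).
REQUIRED='net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.eno1.accept_ra=0
net.ipv6.conf.vmbr0.accept_ra=0'

# Constructed sample, not from the post: proxy_ndp is absent, one accept_ra
# value has drifted, and the all/default send_redirects values disagree.
sample_conf() {
    cat <<'EOF'
### IPv4
net.ipv4.ip_forward = 1
net.ipv4.conf.default.send_redirects=1
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.eno1.accept_ra=0
net.ipv6.conf.vmbr0.accept_ra=2
EOF
}

# audit_sysctl FILE: print findings; return 1 if a required key is missing
# or set to another value. REVIEW lines are informational only.
audit_sysctl() {
    printf '%s\n' "$REQUIRED" | awk -F= -v conf="$1" '
        BEGIN {
            bad = 0
            while ((getline line < conf) > 0) {   # a later assignment wins
                sub(/[#;].*/, "", line); gsub(/[ \t]/, "", line)
                n = index(line, "="); if (n == 0) continue
                have[substr(line, 1, n - 1)] = substr(line, n + 1)
            }
        }
        !($1 in have)  { print "MISSING  " $1 "=" $2; bad = 1; next }
        have[$1] != $2 { print "MISMATCH " $1 "=" have[$1] " want " $2; bad = 1 }
        END {
            for (k in have) if (k ~ /\.conf\.all\./) {
                d = k; sub(/\.conf\.all\./, ".conf.default.", d)
                if ((d in have) && have[d] != have[k])
                    print "REVIEW   " k "=" have[k] " but " d "=" have[d]
            }
            exit bad
        }'
}

# With a file argument audit that file; without one, audit the sample.
tmp=$(mktemp); sample_conf > "$tmp"
audit_sysctl "${1:-$tmp}" || true; rm -f "$tmp"
```

Run it against `/etc/sysctl.conf` before rebooting; the `REQUIRED` list only covers the keys the IPv6 routing path depends on, not every line of the post's file.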

Wow!!, @kamzata
Very detailed guide. It's now working great for me. I want to celebrate this with you with a beer; share your PayPal address with me.
 