[SOLVED] Setting up Proxmox on OVH with 2 failover IPs, IPv4 with NAT, and IPv6

We are going to use the host as a proxy for IPv6. First of all, you need to install Npd6 in order to discover all IPv6 neighbors:
apt-get install npd6

Set it up:
/etc/npd6.conf
Bash:
...

prefix=2001:41d0:XXXX:17ba:

interface = vmbr0

...

Doing that, all container IPv6 addresses will be added as neighbors automatically.

Then you have to set:
/etc/sysctl.conf
Bash:
vm.max_map_count=262144
fs.protected_hardlinks=1
fs.protected_symlinks=1


### IPv4
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.default.proxy_arp=0
net.ipv4.ip_forward=1
kernel.sysrq=1
net.ipv4.conf.default.send_redirects=1
net.ipv4.conf.all.send_redirects=0

### IPv6
net.ipv6.conf.eno1.autoconf=0
net.ipv6.conf.vmbr0.autoconf=0
net.ipv6.conf.eno1.accept_ra=0
net.ipv6.conf.vmbr0.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.router_solicitations=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.default.proxy_ndp=1
net.ipv6.bindv6only=1

and:
/etc/network/interfaces
Bash:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eno1
iface eno1 inet manual


auto vmbr0

# Main IPv4 Bridge
iface vmbr0 inet static
    address  51.XXX.53.186
    netmask  255.255.255.0
    gateway  51.XXX.53.254
    bridge_ports eno1
    bridge_stp off
    bridge_fd 0

   # Failover IP #1
    up ip addr add 51.XXX.245.61/32 dev vmbr0
    down ip addr del 51.XXX.245.61/32 dev vmbr0

   # Failover IP #2
    up ip addr add 51.XXX.245.70/32 dev vmbr0
    down ip addr del 51.XXX.245.70/32 dev vmbr0

   # Internal network #1
    up ip addr add 192.168.1.1/24 dev vmbr0
    down ip addr del 192.168.1.1/24 dev vmbr0

   # Internal network #2
    up ip addr add 192.168.2.1/24 dev vmbr0
    down ip addr del 192.168.2.1/24 dev vmbr0

# Main IPv6 address
iface vmbr0 inet6 static
    address  2001:41d0:XXXX:17ba::ffff
    netmask  128

    # IPv6 Gateway
    post-up sleep 5; /sbin/ip -6 route add 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev vmbr0
    post-up sleep 5; /sbin/ip -6 route add default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF
    pre-down /sbin/ip -6 route del default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF
    pre-down /sbin/ip -6 route del 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev vmbr0

    # Adding IPv6 Gateway to the neighbors
    post-up /sbin/ip -f inet6 neigh add proxy 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev vmbr0

    # Enabling NDP proxying and forwarding
    post-up echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
    post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    post-up echo 1 > /proc/sys/net/ipv6/conf/default/forwarding

Set IPv6 DNS nameservers:
/etc/resolv.conf
Bash:
search myserver.com
nameserver 2001:4860:4860::8888
nameserver 8.8.8.8

Make IPv4 NAT work using some rules:
Bash:
# nat table, iptables-save / iptables-restore format
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Outbound traffic from each internal network leaves via its failover IP
-A POSTROUTING -s 192.168.1.0/24 -o eno1 -j SNAT --to-source 51.XXX.245.61
-A POSTROUTING -s 192.168.2.0/24 -o eno1 -j SNAT --to-source 51.XXX.245.70

# Some rule to a Container with IP 192.168.1.100
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.61 -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.1.100:80

# Some rule to a Container with IP 192.168.2.100
-A PREROUTING -p tcp -m tcp -d 51.XXX.245.70 -i vmbr0 --dport 80 -j DNAT --to-destination 192.168.2.100:80

COMMIT


Reboot and test the host connectivity:
Bash:
root@srv001:~/# ping google.com
PING google.com(fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e)) 56 data bytes
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=1 ttl=51 time=4.50 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=2 ttl=51 time=4.58 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=3 ttl=51 time=3.57 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 3.571/4.215/4.578/0.456 ms
root@srv001:~/# ping6 ipv6.google.com
PING ipv6.google.com(fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e)) 56 data bytes
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=1 ttl=51 time=4.34 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=2 ttl=51 time=4.33 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=3 ttl=51 time=4.26 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 4ms
rtt min/avg/max/mdev = 4.263/4.313/4.343/0.064 ms

Then configure a container:
/etc/network/interfaces
Bash:
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eth0
iface eth0 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        gateway 192.168.1.1

iface eth0 inet6 static
        address 2001:41d0:XXXX:17ba::1:100
        netmask 64
# --- BEGIN PVE ---
        post-up ip route add 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
        post-up ip route add default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
        pre-down ip route del default via 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
        pre-down ip route del 2001:41d0:XXXX:17FF:FF:FF:FF:FF dev eth0
# --- END PVE ---

and test the container connectivity:
Bash:
 nginx  ⌁ root  /etc/nginx  ping google.com
PING google.com(fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e)) 56 data bytes
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=1 ttl=51 time=3.32 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=2 ttl=51 time=3.49 ms
64 bytes from fra16s12-in-x0e.1e100.net (2a00:1450:4001:818::200e): icmp_seq=3 ttl=51 time=3.41 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.321/3.405/3.487/0.095 ms
nginx  ⌁ root  /etc/nginx  ping6 ipv6.google.com
PING ipv6.google.com(fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e)) 56 data bytes
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=1 ttl=51 time=3.19 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=2 ttl=51 time=2.88 ms
64 bytes from fra15s17-in-x0e.1e100.net (2a00:1450:4001:81c::200e): icmp_seq=3 ttl=51 time=3.20 ms
^C
--- ipv6.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 6ms
rtt min/avg/max/mdev = 2.876/3.087/3.200/0.156 ms

Done!
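
The following is an added example, not part of the original post: a shell check that compares running sysctl values with the ones set in the guide's /etc/sysctl.conf, worth running after the reboot because per-interface keys (vmbr0, eno1) only exist once the interface does. The function names and the sample `sysctl -a` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report where running sysctl values differ from the guide's.

# Subset of the keys/values from the /etc/sysctl.conf shown in the post.
expected_settings() {
cat <<'EOF'
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.default.proxy_ndp=1
net.ipv6.conf.eno1.accept_ra=0
net.ipv6.conf.vmbr0.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
EOF
}

# Constructed sample in `sysctl -a` format (not captured from a real host):
# proxy_ndp is off, vmbr0 still accepts RAs, and no eno1 interface exists.
sample_running() {
cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.proxy_ndp = 0
net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.vmbr0.accept_ra = 1
net.ipv6.conf.all.accept_redirects = 0
EOF
}

# Reads "key = value" lines on stdin; prints one line per expected key that
# is absent (MISSING) or set to another value (DRIFT). Prints nothing if OK.
sysctl_drift() {
    running=$(cat)
    expected_settings | while IFS='=' read -r key want; do
        have=$(printf '%s\n' "$running" |
            awk -F' *= *' -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $key want=$want have=$have"
        fi
    done
}

# Demo on the sample; on the host use: sysctl -a 2>/dev/null | sysctl_drift
sample_running | sysctl_drift
```

A MISSING line for an interface key usually means the interface name on the host differs from the one written in the config.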

Wow!!, @kamzata
Very detailed guide. It's now working great for me. I want to celebrate this with you with a beer; share your PayPal address with me.