
IPv6 subnetting.


ozgurerdogan
29-05-2016, 11:22
Are there any disadvantages of this forwarding? Also possible with Windows? I added you to Skype; if you do not mind, can we please make a sample VM together for CentOS?

alvaroag
29-05-2016, 05:45
Quote Originally Posted by ozgurerdogan
How do you do that with Proxmox without using vMAC? AFAIK you cannot use IPs without vMAC.
Yes, it's possible. IP forwarding, which is available for IPv4 & IPv6, makes the kernel send traffic between an external network ("eth0") and an internal network, masking the traffic on both sides with its own MAC address; so the internet traffic is sent to the OVH routers with the server's MAC address, but the VM IP; and is sent to the VMs with the host vmbr0 MAC address (which is somehow random), but with the internet IPs.

First, you have to set up eth0 as a standalone interface. It's almost the same configuration you currently have for vmbr0, but omitting the bridge parameters. Then, you set up vmbr0 the same way it is, but removing the gateway, so it does not conflict with the gateway on eth0; also, on vmbr0 you must set the netmask to 255.255.255.255, even though on eth0 you can leave it as 255.255.255.0 (which is not the best alternative, but works).

Then, you must enable forwarding on both interfaces: "/sbin/sysctl net.ipv4.conf.eth0.forwarding=1" & "/sbin/sysctl net.ipv4.conf.vmbr0.forwarding=1", and add the route to each IP so the kernel knows where the IPs can be found: "/sbin/ip -4 r a IPADDR/32 dev vmbr0". If you have a full block, you can add a single route to the block instead of multiple routes, one for each IP: "/sbin/ip -4 r a IPADDR/29 dev vmbr0", changing the CIDR mask as needed.

Finally, you must delete the vMAC from the manager, and change the gateway on the VM: instead of using the same gateway as your host, you will use your host IP as gateway (that's why I said to use the same IP on eth0 and vmbr0). You can make these commands permanent in /etc/network/interfaces, with "post-up" directives.

Quote Originally Posted by ozgurerdogan
Do you mean only allowing the VM to use a specific IPv6 at the firewall? Sounds like a good idea.
Yes, it's possible. Check the official documentation: https://pve.proxmox.com/wiki/Proxmox_VE_Firewall
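
The routed layout described in the post above (standalone eth0, vmbr0 without gateway and with a /32 netmask, forwarding on both interfaces, one route per IP or block), written out as an added example that is not part of the original thread. It is IPv4 only, like the commands quoted in the post; the function names are hypothetical, the `bridge_*` lines assume a stock Debian/Proxmox ifupdown setup, and the addresses in the last line are constructed documentation-range placeholders.

```shell
#!/bin/sh
# Added example: prints an /etc/network/interfaces layout for the routed setup.

# is_cidr4 A.B.C.D/LEN -> status 0 only for a well-formed IPv4 prefix
is_cidr4() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                    # no "/" in the argument
    case $addr in *[!0-9.]*) return 1;; esac
    case $len in ''|*[!0-9]*) return 1;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs    # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in '') return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# render_interfaces HOST_IP GATEWAY ROUTE [ROUTE...]
# ROUTE is a single VM address (x.x.x.x/32) or a whole block (e.g. x.x.x.x/29).
render_interfaces() {
    host_ip=$1; gateway=$2; shift 2
    is_cidr4 "$host_ip/32" && is_cidr4 "$gateway/32" || return 1
    [ $# -ge 1 ] || return 1
    for r in "$@"; do is_cidr4 "$r" || return 1; done  # refuse malformed routes
    # Only eth0 carries a gateway; vmbr0 reuses the host IP with a /32 netmask.
    cat <<EOF
auto eth0
iface eth0 inet static
    address $host_ip
    netmask 255.255.255.0
    gateway $gateway
    post-up /sbin/sysctl net.ipv4.conf.eth0.forwarding=1

auto vmbr0
iface vmbr0 inet static
    address $host_ip
    netmask 255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up /sbin/sysctl net.ipv4.conf.vmbr0.forwarding=1
EOF
    for r in "$@"; do
        echo "    post-up /sbin/ip -4 r a $r dev vmbr0"
    done
}

# Constructed sample values (documentation ranges), not addresses from the thread.
render_interfaces 203.0.113.10 203.0.113.254 198.51.100.8/29
```

Inside each VM, the gateway is then the host IP passed as the first argument, as the post describes.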

ozgurerdogan
28-05-2016, 22:12
Quote Originally Posted by alvaroag
Hi. vMAC is not available for IPv6. But, even for IPv4, the best option under Proxmox was never using vMACs. Forwarding is a much better option, as it is configured almost the same way for IPv4 and IPv6.
How do you do that with Proxmox without using vMAC? AFAIK you cannot use IPs without vMAC.


Quote Originally Posted by alvaroag
On how to prevent address spoofing from the VMs, Proxmox itself provides a solution, the PVE Firewall, which can control IP address announcement (ARP/NDP) by VM. There's some documentation on the Proxmox wiki.
Do you mean only allowing the VM to use a specific IPv6 at the firewall? Sounds like a good idea.

alvaroag
28-05-2016, 21:46
Hi. vMAC is not available for IPv6. But, even for IPv4, the best option under Proxmox was never using vMACs. Forwarding is a much better option, as it is configured almost the same way for IPv4 and IPv6.

In either case, eth0 is not part of the vmbr0 bridge; instead, it is just a standalone interface, and vmbr0 contains only the VMs' interfaces, so you can control how traffic flows between the internet and the VM.

On how to prevent address spoofing from the VMs, Proxmox itself provides a solution, the PVE Firewall, which can control IP address announcement (ARP/NDP) by VM. There's some documentation on the Proxmox wiki.

RandomThoughts
28-05-2016, 21:24
Which server do you have and how many IPv6 addresses were you given (in the few OVH servers I looked at they offer just one)?

ozgurerdogan
28-05-2016, 20:59
I was able to add IPv6 to a Proxmox VM and ping it. But what if I want to subnet it and use it on multiple VMs? I mean in v4, we created a vMAC. With v6, what will stop a user from adding additional v6 IPs on his own and using them, or worse, causing a conflict (not sure if v6 has conflict issues)?