Proxmox IP mac limitation with routed configuration in hetzner

akhfa Member

Hi all...

Recently I bought a server from Hetzner and bought 14 IPs. A long time ago I also set up Proxmox at Hetzner. The difference between these two servers is that now I bought 14 IPs in one subnet, and a long time ago I bought 1 IP individually.

The problem comes here. When I bought IPs individually, I could set a virtual MAC address, and this is usually how I set up my Proxmox server (using a bridge with a virtual MAC). As we know, individual IP addresses purchased from Hetzner are limited to 6 IPs, so I bought the 14 IP addresses in one subnet. Unfortunately, when I asked their support, the 14 IPs don't support creating virtual MACs, so Proxmox must be set up in routed mode.

I don't have experience with this configuration, and from what I see in https://www.sysorchestra.com/2014/11/08/hetzner-root-server-with-kvm-ipv4-and-ipv6-networking/, if I set up Proxmox with routed IPs, I can easily add additional IPs without the MAC address limitation. How can I add a limitation so that MAC address x can only use IP x', as in the virtual MAC configuration?

Comments

  • Falzo Member

    proxmox firewall comes with a MAC filter setting per VM, but afaik that is rather only to prevent the VM itself from spoofing another MAC address but not from hijacking IP addresses based on those MAC.

    you might want to look into running ebtables on the node for setting up MAC-IP Pairs...

    for not so many IPs, a different approach might be to not add all IPs from your subnet to one bridge, but add separate bridges for each IP address... after that assign each VM its own bridge and hopefully be done.

    btw: if you purchased a /28 you can use all 16 IPs in a routed setup like single IPs not only 14...

  • akhfa Member
    edited June 2017

    @Falzo said:
    you might want to look into running ebtables on the node for setting up MAC-IP Pairs...

    Do you mean like this?
    http://ebtables.netfilter.org/examples/basic.html#ex_anti-spoof

    @Falzo said:
    for not so many IPs, a different approach might be to not add all IPs from your subnet to one bridge, but add separate bridges for each IP address... after that assign each VM its own bridge and hopefully be done.

    Is it OK to add so many bridges to one node? I still don't know which is the preferred method between ebtables and "1 IP, 1 bridge". In your opinion, which is preferred, @Falzo?

    @Falzo said:
    btw: if you purchased a /28 you can use all 16 IPs in a routed setup like single IPs not only 14...

    I wrote 14 because it was stated in the Hetzner IPv4 pricing. Actually yes, I can use 16 IPs from the robot interface. Thank you for the correction.

  • Falzo Member
    edited June 2017

    yes. but haven't had the time or need to try that myself...

    akhfa said: Is it OK to add so many bridges to one node? I still don't know which is the preferred method between ebtables and "1 IP, 1 bridge". In your opinion, which is preferred, @Falzo?

    I wouldn't consider 16 bridges 'a lot' after all, hence that suggestion. also I am quite lazy, and just having to think about assigning the correct bridge from the proxmox interface, instead of caring for the correct MAC and updating ebtables rules on recreation of any VM, would make me try the bridging way first ;-)
    but my guess would also be ebtables simply is the more common solution, so honestly can't tell what should be preferred or if there are any noticeable performance differences.

    PS: maybe @AshleyUk can point you in the right direction, if I am not mistaken he at least asked about those things in the proxmox forum and is using ebtables in production...
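
The ebtables MAC-IP pairing suggested in the comments, as an added example that is not part of any post in this thread: a POSIX shell script that prints anti-spoof rules in the style of the linked ebtables example, one IP pinned to one MAC. The MAC addresses, the 203.0.113.x addresses and the function names are constructed; placing the rules in both INPUT and FORWARD is an assumption for a routed bridge, where guest traffic to the gateway is addressed to the host itself.

```shell
#!/bin/sh
# Added example, not from the thread: print ebtables rules that pin each IP to
# one MAC. Nothing is applied here; review the output, then pipe it to sh.

# Constructed sample pairs (documentation addresses, made-up MACs).
SAMPLE_PAIRS='# mac              ip
52:54:00:aa:00:01  203.0.113.1
52:54:00:aa:00:02  203.0.113.2'

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Reads "MAC IP" lines on stdin; prints rules only if every line is valid.
gen_rules() {
    seen=' ' rules=''
    while read -r mac ip extra || [ -n "$mac" ]; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac" || ! valid_ip "$ip" || [ -n "$extra" ]; then
            echo "invalid pair: $mac $ip $extra" >&2; return 1
        fi
        # Two MACs for one IP would make the rules drop both, so refuse.
        case "$seen" in *" $ip "*) echo "duplicate IP: $ip" >&2; return 1 ;; esac
        seen="$seen$ip "
        # INPUT: frames addressed to the host bridge (the routed gateway path).
        # FORWARD: frames switched between guests on the same bridge.
        for chain in INPUT FORWARD; do
            rules="${rules}ebtables -A $chain -p IPv4 --ip-src $ip -s ! $mac -j DROP
ebtables -A $chain -p ARP --arp-ip-src $ip -s ! $mac -j DROP
"
        done
    done
    printf '%s' "$rules"
}

# Example: printf '%s\n' "$SAMPLE_PAIRS" | gen_rules
```

Rules of this form only protect addresses that appear in the pair list, so every address of the subnet needs an entry, and the list has to be regenerated whenever a VM is recreated with a new MAC.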
