Basic setup of Proxmox in an OVH environment (Kimsufi example) with NAT and IPv6 enabled containers

Maounique

@ebony said:

@qeba said:

@ebony said: working now thanks

currently facing the same issues, how does you solve this? im able to ping to gateway IP but not working ping to google with IPv6.

i had to always tracert ipv6.google.com to get it to fire on the VM a few hours later it would die unless u keep a ping6 open i had very bad ping6 on the server support fixed the ::1 address but would not fix anything else on the ipv6 orded a new server lower price less ram but that server just worked fine no problems at all run my minecraft server on a ipv6 and works great!

That looks like the wrong bridging, i.e. you bridged to vmbr0 or the wrong gateway. It is likely you paid more attention in the new server.

@lala_th said: How to create multiple VMs running webserver on ports 80/443 while using this NAT setup?

If you mean over IPv4, you can't, just create on other ports and use something to redirect, such as Cloudflare. On IPv6, no problems.

miguelzabala

I have the same problem, I can ping to the IPv6 gateway on the host (xxxx:xxxx::1) from the VM. I can ping from the host to the VM (xxxx:xxxx:100). I can ping from host to google.con using ipv6. But the container can't ping to google.com using ipv6. I double checked ndppd config and running, the bridge on container, the ipv6 addresses and gateways. I have not clue what to do.

Maounique

post configs here, I will take a look. Check if you enabled ipv6 forwarding first.

Bertie

Thanks for this guide. I was able to finally get IPv6 finally properly up and running thanks to you.

I know this is mentioned in the troubleshooting. When IPv4 port 80/443 is forwarded to a VM, all containers are no longer able to browse. Connections to github, docker, etc. time out. Ping and nslookup both still work.

Unlike the troubleshooting, I wasn't able to get it consistently working after restarting the VM. I can curl google.com afterwards (sometimes), but curl to github.com and registry-1.docker.io both time out always, no matter how many times I restart the host or VM. At least my port 80/443 web servers are accessible.

I am using the proxmox 7 template from OVH and have already tried reinstalling proxmox 7 to get it working.

config (with anonymized IP):

auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 198.27.64.100/24
        gateway 198.27.64.254
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        hwaddress 2A:B1:8F:04:7C:D9

iface vmbr0 inet6 static
    address 2607:5300:dead:beef::ffff/128
    post-up sleep 5; /sbin/ip -6 route add  2607:5300:dead:beff:ff:ff:ff:ff dev vmbr0
    post-up sleep 5; /sbin/ip -6 route add default via 2607:5300:dead:beff:ff:ff:ff:ff
    pre-down /sbin/ip -6 route del default via 2607:5300:dead:beff:ff:ff:ff:ff
    pre-down /sbin/ip -6 route del 2607:5300:dead:beff:ff:ff:ff:ff dev vmbr0

auto vmbr6
iface vmbr6 inet static
    address 10.0.0.254/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
    post-up iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3
    post-up iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.3
    post-down iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3
    post-down iptables -t nat -D PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.3

iface vmbr6 inet6 static
    address 2607:5300:dead:beef::1/64

This is a bit of a shot in the dark - I don't think anyone really knows what's causing this.

I'm happy just only using IPv6 at this point; since I finally managed to get that working thanks to you and I can just use IPv6 reverse proxy from Cloudflare. Alternatively, I can just defy best practice and setup the reverse proxy on the hypervisor itself.

Maounique

I know what is causing it. The interface is not specified and the system gets confused.

Change this:

@Bertie said: post-up iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3
post-up iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.0.0.3

Into this:

post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to-destination 10.0.0.3

And the subsequent post-down stanzas.

Sorry for being lazy, I will have to update the guide as many people have complex setups with multiple bridges etc. So far That issue only appeared for those but it looks like 2 bridges can also be enough to confuse the system.

Bertie

@Maounique said: Sorry for being lazy, I will have to update the guide as many people have complex setups with multiple bridges etc. So far That issue only appeared for those but it looks like 2 bridges can also be enough to confuse the system.

Thanks, that worked, and definitely don't think you're lazy, you got me way further than I would've on my own and I'm very appreciative. I don't think anyone else came up with a viable tutorial on dealing with the quirks of Kimsufi's IPv6 routing.