Routing secondary IP (/32) from BuyVM Slice to Proxmox VM (MAC-NAT issue)
Looking for ideas to finish the puzzle: random network drop on a vm created on a buyvm slice (Proxmox 8.4)
Slice allows only one MAC per NIC, so I’m in “routed /32 + ebtables MAC-NAT” mode.
Topology
────────
• Host :
• VM : /32 mapped to same MAC
different public subnet from host (so two unrelated /24s)
• Bridge: vmbr0 (ens3 as port)
• OS : Proxmox VE 8.4 (ifupdown2)
What works
──────────
- VM is fully reachable (SSH in/out, ICMP, HTTP) for minutes–hours.
- Bandwidth and latency are normal while up.
When link dies, BOTH egress and ingress stop only on VM.
Host can still ping VM, VM can ping host – but anything beyond host (on vm) fails.
Connection self-revives at random (sometimes 1 min, sometimes 20 min) OR
instantly after a gratuitous-ARP from host.
So far I have:
/etc/network/interfaces (HOST):
auto lo
iface lo inet loopback
iface ens3 inet manual
auto vmbr0
iface vmbr0 inet static
address <MAIN_Ip>/24
gateway 209.141.60.1
bridge-ports ens3
bridge-stp off
bridge-fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp
post-up echo 1 > /proc/sys/net/ipv4/conf/ens3/proxy_arp
source /etc/network/interfaces.d/*
sysctl.conf deltas on HOST:
net.ipv4.ip_forward=1
net.ipv4.conf.all.proxy_arp=1
net.ipv4.conf.default.proxy_arp=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.vmbr0.send_redirects = 0
net.ipv4.conf.ens3.arp_ignore = 1
net.ipv4.conf.ens3.arp_announce = 2
ebtables MAC-NAT on HOST:
# ebtables -t nat -L --Lmac2
Bridge table: nat
Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i ens3 --ip-dst <VM_IP> -j dnat --to-dst <VM_MAC> --dnat-target ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: POSTROUTING, entries: 1, policy: ACCEPT
-p IPv4 -o ens3 --ip-src <VM_IP> -j snat --to-src <HOST_MAC> --snat-target ACCEPT
Quick VM details (Proxmox KVM):
───────────────
• OS : AlmaLinux 9 (NetworkManager active)
• virt NIC : virtio-net (ens18), static IPv4 /32 via
• virt MAC : (from Proxmox GUI)
• No firewall or firewalld running in VM
Configuration on VM:
[connection]
id=static-ip
type=ethernet
interface-name=ens18
[ethernet]
[ipv4]
address1=<VM_IP>/32,<HOST_IP>
dns=1.1.1.1;1.0.0.1;
method=manual
[ipv6]
method=ignore
[proxy]
Mitigations attempted
─────────────────────
1️⃣ ARP PERMANENT entries
ip neigh replace <VM_IP> lladdr <VM_MAC> nud permanent dev vmbr0
ip neigh replace <GW_HOST_NET> lladdr <GW_MAC> nud permanent dev vmbr0
2️⃣ systemd-timer every 2 min
ip addr add <VM_IP>/32 dev ens3 label ens3:garp
arping -c1 -A -I ens3 <VM_IP>
ip addr del <VM_IP>/32 dev ens3 label ens3:garp
Everything survives reboots: bridge up, routes & ebtables load, timer fires.
Still failing
─────────────
• Drops occur even while timer is running (I see the ARPING lines).
• While ‘dead’, vm → 8.8.8.8 returns “Destination Host Unreachable”
and host → sometimes shows ARP in INCOMPLETE state.
• Rest of slice traffic (other VMs, Proxmox GUI) stays fine.
Any clue what piece I’m missing? Happy to provide full logs.
Thanks in advance!
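
A check for the symptom listed under "Still failing" (ARP stuck in INCOMPLETE while the link is dead), as an added example that is not part of the original post: it parses `ip neigh show` output and flags watched addresses whose entry is missing, INCOMPLETE/FAILED, or bound to an unexpected MAC. The function name, addresses, MACs and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# check_neigh reads `ip neigh show` text on stdin; arguments are IP=EXPECTED_MAC pairs.
# Prints "<ip> OK <state>" or "<ip> BAD <reason>" per pair; returns 1 if any pair is BAD.
check_neigh() {
    awk -v pairs="$*" '
    BEGIN {
        n = split(pairs, p, " ")
        for (i = 1; i <= n; i++) {
            split(p[i], kv, "=")
            order[i] = kv[1]
            want[kv[1]] = tolower(kv[2])
        }
    }
    {
        # Line shape: IP [dev DEV] [lladdr MAC] STATE ; the state is the last field.
        ip = $1; mac = ""; state = $NF
        for (f = 2; f < NF; f++) if ($f == "lladdr") mac = tolower($(f + 1))
        if (ip in want) { seen_mac[ip] = mac; seen_state[ip] = state }
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            ip = order[i]
            if (!(ip in seen_state))                           r = "BAD missing"
            else if (seen_state[ip] ~ /^(INCOMPLETE|FAILED)$/) r = "BAD " seen_state[ip]
            else if (seen_mac[ip] != want[ip])                 r = "BAD mac=" seen_mac[ip]
            else                                               r = "OK " seen_state[ip]
            if (r ~ /^BAD/) bad = 1
            print ip, r
        }
        exit bad
    }'
}

# Constructed samples (documentation addresses, made-up MACs).
SAMPLE_DEAD='198.51.100.10 lladdr 52:54:00:aa:bb:cc PERMANENT
203.0.113.1  INCOMPLETE'
SAMPLE_OK='198.51.100.10 dev vmbr0 lladdr 52:54:00:aa:bb:cc REACHABLE
203.0.113.1 dev vmbr0 lladdr 02:00:00:00:00:01 STALE'

# Demo run on the "dead" sample: the gateway entry is reported as BAD INCOMPLETE.
printf '%s\n' "$SAMPLE_DEAD" |
    check_neigh 198.51.100.10=52:54:00:AA:BB:CC 203.0.113.1=02:00:00:00:00:01 || true
```

On the host this would be fed from `ip neigh show dev vmbr0` with the real `<VM_IP>=<VM_MAC>` and `<GW_HOST_NET>=<GW_MAC>` pairs, for example from the existing timer, so each drop gets a timestamped neighbour state.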

Comments
You should just request bgp from us with private asn and then you can “announce” the ipv4 extras and next hop however you want.
Private ASNs are free and you aren’t in proxy arp hell.
Francisco