Mac address abuse message from Hetzner
Hi everyone,
A week ago, I decided to use IPv6 for my personal VMs setup with Proxmox on a Hetzner dedicated server, because of the recent IPv4 price increase.
I just received Abuse Message MAC-Errors: MAC-Report from their Network-Abuse department.
They said I need to "route the requests, so the MAC used is the Hardware MAC."
I did some research, and found this https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve
But if I follow the guidance above, both the host and the VMs don't have internet access.
So I did it my way, and both the host and the VMs have internet working on IPv6
The host:
/etc/network/interfaces
auto lo
iface lo inet loopback
iface enp35s0 inet manual
auto vmbr0
iface vmbr0 inet6 static
address 2a01:masked::/64
gateway fe80::1
/etc/sysctl.d/ipv6.conf
net.ipv6.conf.all.forwarding=1
The VM:
And now Hetzner support told me
"Please make sure that your VMs are in a different Layer-2 domain than your physical NIC."
Does anyone have an idea what I should do now?
Any help would be appreciated.
Thanks
Comments
Happened for me with ESXi, you basically need a VM to act as a router for it to work on Hetzner. You can use either pfSense to do this or some Linux flavor with manual network setup.
I only work with ESXi so I followed this guide to pull it through: https://community.hetzner.com/tutorials/install-and-configure-routervm-for-vmware-vsphere
Hi @comXyz !
Maybe try adding a "2" to the vmbr0 address in the server's /etc/network/interfaces:
The node gateway remains as fe80::1. However, the node's vmbr0 address 2a01:masked::2 replaces fe80::1 as the gateway inside the VM.
This seems to work for me without any complaints from Hetzner. I hope it works for you!
Best wishes!
I use OPNsense for that, following this guide: https://dominicpratt.de/hetzner-und-proxmox-ipv6-mit-router-vm-nutzen/
@Not_Oles I did it
And they said they still see traffic with wrong MACs
You are sure you set up the bridge that way
Guide below
host still has the :2 IP
bridge starts with 3
VMs with the next one and use 3 as gateway?
If yes and it is not working, you can try adding NAT and masquerade. It should hide anything from the VM under the 3, but I have it on IP4 with single failover IPs. Will try to adapt it for you for 6.
Hetzner now charges for KVM access after first 3 hours.
"Only the first 3h per 24h cycle are free. After that there is a fee of 8.40€ + VAT per 3h extension. Do you accept this charge?"
I guess I will just cancel this server at Hetzner and get a new one from another provider then.
We had the same IP on the bridge as on the node.
https://talk.lowendspirit.com/discussion/3238/hetzner-dedicated-server-debian-how-can-vms-use-all-of-the-ipv4-subnet-ips
I got the configuration from @PenguinGenius. https://talk.lowendspirit.com/discussion/3278/review-system-administration-and-networking-services-from-penguingenius
Make sure you add:
To your vmbr0 interface. On mine this is on the inet block but if you're just using inet6 add it there.
I also have
On the inet6 block too.
The above works for me in Helsinki. Using ::2 on enp4s0 and ::3 on vmbr0
Edit: You shouldn't need KVM access to fix this. Worst case boot into rescue mode and chroot into your current install and make the changes.
Edit 2: reading earlier comments about gateway - I have the gateway set on enp4s0 and no gateway set on vmbr0. VMs use the vmbr0 address as a gateway.
Edit 3: As per the Hetzner guide, you'll also need to add a route for the IPv6 addresses (their guide shows
up ip -6 route add 2001:db8::/64 dev vmbr0
on the vmbr0 inet6 block).
Probably you already know it is possible to work just with the Rescue System. If you change /etc/network/interfaces and lose connectivity, then you can activate the Rescue System, mount the boot drive, and then make further changes to the /etc/network/interfaces file.
It's always been like this. Why would you need a permanent console for more than 24 hours?
No. In the past, it took me a few "3 hours" sessions to get a Windows installation done via their KVM.
So basically I could request 3 hours, and if the job wasn't done, I could request another 3 hours and just wait for their KVM info. Now it doesn't work that way; you can only request a total of 3 hours per 24 hours.
If you're using Proxmox, just install Windows via noVNC?
So I have this config
/etc/network/interfaces
The host doesn't have internet connection
From the host
The host can't ping 2a01:masked::2 (physical NIC address)
But it can ping 2a01:masked::1 (vmbr0 address)
From inside the VM, it can ping 2a01:masked::1, but not 2a01:masked::2
When I run this from the host
Any ideas?
Here's a redacted version of my /etc/network/interfaces (mostly removing additional routing post-up lines and hiding IPs):
Although, I actually split the /64 from Hetzner into a smaller /96 and route that (instead of the final line above) and give each VM a single address from that /96, but the above should work. I only do that so each VM has an address from the /96 and then a separate /64 is routed to them, but you need a /56 from Hetzner to do this.
I have predefined IPs, not a subnet, and have
post-up iptables -t nat -A POSTROUTING -s 'IP4/32' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s 'IP4/32' -o vmbr0 -j MASQUERADE
under the UP IP that should prevent any exposure of the VM under the bridge and trigger hetzner abuse for auto generated VM mac
Do not use KVM, use rescue ...
I made all the changes based on @Mr_Tom configuration.
At this moment both the host and VMs have internet connection.
When I do tracert from within the VMs, I see it's going through the vmbr0 address.
How can I check if the traffic inside the VMs is using the routed configuration?
Hetzner support simply says "at this moment the problem is still active."
did you change the gateway in your VMs?
Yes I did
hmm weird. I have a very similar config to what @Mr_Tom posted. also splitting the /64 into smaller pieces though and having individual bridges. however, more or less same syntax in the end and never had problems with that.
maybe share your actual settings for host and client again, so we can look closer, where you are at right now.
do you involve any kind of IPv4 as well? maybe it's not even IPv6 related...
I asked Hetzner for the list of MAC addresses that are having problems.
And they said
"Hello,
problem looks fixed since 04 Sep 19:16."
So I guess the config has been correct, and I don't have to change anything.
Thanks @Falzo
ah, good then! essentially it comes down to always use the host itself as gateway within the VMs and not the main one, to make sure nothing goes out with a virtual mac.
the only case where this is different are single addon IPv4, where you'd request a specific virtual mac from Hetzner and apply that to your VMs network interface.
anyway, glad you got it working finally...
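One way to answer the question raised above about checking whether VM traffic really leaves routed (an added example, not part of the thread): capture outgoing frames on the physical NIC with their Ethernet headers and list every source MAC that is not the hardware MAC. The function names, MAC addresses and IP addresses below are constructed for illustration; only the interface name enp35s0 comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. All MACs and addresses below are constructed.

# Reads `tcpdump -e -n` text on stdin; prints "<frames> <mac> <hint>" for every
# source MAC other than the allowed hardware MAC given as $1.
foreign_macs() {
    allowed=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v allowed="$allowed" '
        # With -e a line reads: <time> <src-mac> > <dst-mac>, ethertype ...
        $3 == ">" && length($2) == 17 && $2 ~ /^[0-9A-Fa-f:]+$/ {
            src = tolower($2)
            if (src != allowed) count[src]++
        }
        END {
            for (m in count) {
                # 52:54:00 is the default prefix QEMU/KVM gives virtual NICs
                hint = (substr(m, 1, 8) == "52:54:00") ? "qemu" : "other"
                print count[m], m, hint
            }
        }
    ' | LC_ALL=C sort -k2
}

# Constructed capture of outgoing frames: one routed by the host, three leaked.
sample_capture() {
    cat <<'EOF'
19:16:01.000001 aa:bb:cc:dd:ee:01 > 00:00:5e:00:53:01, ethertype IPv6 (0x86dd), length 118: 2001:db8::10 > 2001:db8:ffff::1: ICMP6, echo request, id 1, seq 1, length 64
19:16:01.200000 52:54:00:12:34:56 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2001:db8::10 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has fe80::1, length 32
19:16:02.000000 52:54:00:12:34:56 > 00:00:5e:00:53:01, ethertype IPv6 (0x86dd), length 118: 2001:db8::10 > 2001:db8:ffff::1: ICMP6, echo request, id 2, seq 1, length 64
19:16:03.000000 52:54:00:12:34:57 > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 198.51.100.1: ICMP echo request, id 3, seq 1, length 64
EOF
}

# Live use on the host (root), with the thread's interface name enp35s0:
#   tcpdump -e -n -Q out -i enp35s0 -c 500 2>/dev/null \
#     | foreign_macs "$(cat /sys/class/net/enp35s0/address)"
sample_capture | foreign_macs aa:bb:cc:dd:ee:01
```

An empty result over a capture taken while the VMs are generating traffic means every outgoing frame carried the hardware MAC; any line printed is a MAC the provider's switch would also see.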
Hi all,
looking for some help here. I've got a similar message from Hetzner but don't have a clue how to fix it. Could someone help with step-by-step instructions on the right commands for Ubuntu 18.04?
Do you run Proxmox?
Yesterday I got a similar complaint about my dedicated server (below, redacted):
"We have detected that your server is using a different MAC address from those allowed by your Robot Account.
Allowed MACs:
90:1b:xx:xx:xx:xx
Unallowed MACs:
52:54:00:b3:8f:98
52:54:00:bd:84:58"
I had installed QEMU/KVM on my Ubuntu 20.04 server and it seems the offending MACs are the ones in the bridged virtual NAT virbr0. What I want to do is create a VM which can be reached at some port 3389 from the outside internet but still have access to the internet in the server. Still trying to figure out how to do this with the existing MAC (read: avoid handing out €19 to set up a new IP/MAC on my server).
BTW, I found this is pretty easy with VirtualBox (in the VM configuration option Network | Attached to: NAT | Advanced: Port forwarding) but I'm not sure if this will also trigger a MAC abuse warning.