virtual mac abuse on hetzner due to network bridging on proxmox ...

rinaldohack Member
edited August 2022 in Help

I have several VMs. all of them have 2 network cards.
one of them is NAT'ed to the ipv4 interface on the host. no problems here.
the other one is bridged to the same interface, and running only ipv6.

I was running the vm with one address each, from the /64 block.
then this happens. and I'm not sure where to start fixing.
I even tried to play around with tunnelbroker.net, but somehow I can't configure it for multiple hosts. only one VM would work and the other would lose ipv6.

the original plan was every server would have its own ipv6 address.

Comments

  • Most of generic Proxmox tutorials won't work since they need specific Hetzner adjustments.
    Did you try here?
    https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve
    https://docs.hetzner.com/de/robot/dedicated-server/ip/additional-ip-adresses/#nutzung-mit-virtualisierung-per-routed-methode

    I ended up making a routed config, never exposing any other MAC except the host one to Hetzner.

    Thanked by 1: rinaldohack
  • @luckypenguin said:
    Most of generic Proxmox tutorials won't work since they need specific Hetzner adjustments.
    Did you try here?
    https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve
    https://docs.hetzner.com/de/robot/dedicated-server/ip/additional-ip-adresses/#nutzung-mit-virtualisierung-per-routed-methode

    I ended up making a routed config, never exposing any other MAC except the host one to Hetzner.

    I already read those and didn't even know where to start.

  • You can't bridge VMs to a host's network, as they'll see the wrong MAC address. You need to use a routed network instead. Unfortunately I have zero experience with Proxmox so I'm not sure how to do that.

    Thanked by 1: rinaldohack
  • rinaldohack Member
    edited August 2022

    so I got the IPv6 from Hetzner: 2a01:4f8:160:xxxx::/64 (xxxx is censored)

    /etc/network/interfaces from host:

    auto vmbr0
    iface vmbr0 inet static
            address xxx/28
            gateway xxx
            bridge-ports enp0s31f6
            bridge-stp off
            bridge-fd 0

    iface vmbr0 inet6 static
            address 2a01:4f8:160:xxxx::aa
            netmask 64
            gateway fe80::1
            up ip -6 route add 2a01:4f8:160:xxxx::/64 dev vmbr0

    auto vmbr1
    iface vmbr1 inet static
            address 192.168.1.1/24
            bridge-ports none
            bridge-stp off
            bridge-fd 0
            post-up echo 1 > /proc/sys/net/ipv4/ip_forward
            post-up   iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
            post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

    /etc/network/interfaces from guest (eth0 goes to vmbr1 which is NAT, eth1 is bridged to vmbr0):

    auto eth0
    iface eth0 inet static
            address 192.168.1.2
            netmask 255.255.255.0
            gateway 192.168.1.1

    auto eth1
    iface eth1 inet6 static
            address 2a01:4f8:160:xxxx::bb
            netmask 64
            gateway 2a01:4f8:160:xxxx::aa

    where do I go wrong?

  • damn formatting error

  • Seems legit, but make sure to allow IPv6 forwarding on the host as well:
    sysctl -w net.ipv6.conf.all.forwarding=1

    And what is "..up.." in your first inet6 block? should be pre-up or post-up.

  • Falzo Member
    edited August 2022

    @rinaldohack said:
    so I got the IPv6 from hetzner : 2a01:4f8:160:xxxx::/64 (xxxx is censored)

    /etc/network/interfaces from host
    auto vmbr0
    iface vmbr0 inet static
    address xxx/28
    gateway xxx
    bridge-ports enp0s31f6
    bridge-stp off
    bridge-fd 0

    iface vmbr0 inet6 static
    address 2a01:4f8:160:xxxx::aa
    netmask 64
    gateway fe80::1
    up ip -6 route add 2a01:4f8:160:xxxx::/64 dev vmbr0

    auto vmbr1
    iface vmbr1 inet static
    address 192.168.1.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

    /etc/network/interfaces from guest
    eth0 goes to vmbr1 which is NAT, eth1 is bridged to vmbr0
    auto eth0
    iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1


    auto eth1
    iface eth1 inet6 static
    address 2a01:4f8:160:xxxx::bb
    netmask 64
    gateway 2a01:4f8:160:xxxx::aa

    where do I go wrong?

    your IPv6 on vmbr0 is running in bridged mode. but it seems you do not have an IPv4 on that and therefore probably no virtual MAC address, right?

    while your IPv4 gets forwarded (routed) via vmbr1 and will go out using the host's native MAC, your IPv6 connections use another MAC address (probably auto-generated for eth0 on that VM?) which is unknown to Hetzner's switches and therefore triggers the abuse message.

    in other words: "bridged" can best be described as bypassing the host's MAC settings, and the guest is directly communicating with the switch, while "routed" has that forwarding/masquerading step on the host in between.

    if I recall correctly, you can't set a virtual MAC for IPv6 addresses. so you have to split the net and use a part of it in a routed config on vmbr1 as well, instead of assigning it via vmbr0 (bridged).
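A routed IPv6 layout of the kind Falzo describes, as an added example that is neither from the thread nor from Hetzner's guide: the host keeps only its own /128 on the uplink bridge, the /64 is served from the port-less bridge vmbr1 (so the only MAC the switch ever sees is the host's), and the guest's IPv6 moves onto its vmbr1 NIC. The ::1 gateway address, the single-NIC guest and the sysctl placement are assumptions; the IPv4 stanzas from the post stay unchanged.

```conf
# ---- host: /etc/network/interfaces (IPv6 stanzas only; IPv4 as in the post) ----

# Uplink bridge: host address as /128 only. No guest address lives here,
# so no guest MAC can reach enp0s31f6.
iface vmbr0 inet6 static
        address 2a01:4f8:160:xxxx::aa/128
        gateway fe80::1
        # Hetzner delivers the whole /64 to the host's MAC; forwarding must be
        # on or packets for guest addresses are dropped on the host.
        # (Make it permanent in /etc/sysctl.conf as well.)
        post-up sysctl -w net.ipv6.conf.all.forwarding=1

# Internal bridge with no physical port: the host is the guests' gateway,
# and their frames never leave the host with their own MAC.
iface vmbr1 inet6 static
        address 2a01:4f8:160:xxxx::1/64      # assumed host-side gateway address
        bridge-ports none
        bridge-stp off
        bridge-fd 0

# ---- guest: /etc/network/interfaces (eth0 on vmbr1; drop the eth1 on vmbr0) ----

auto eth0
iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        gateway 192.168.1.1

iface eth0 inet6 static
        address 2a01:4f8:160:xxxx::bb/64
        gateway 2a01:4f8:160:xxxx::1          # the host's vmbr1 address above
```

After `ifreload -a` on the host, `ip -6 route` should show the /64 via vmbr1 and `sysctl net.ipv6.conf.all.forwarding` should print 1; `bridge fdb show br vmbr0` should then list no tap interfaces.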

  • @luckypenguin said:
    Seems legit, but make sure to allow IPv6 forwarding on the host as well:
    sysctl -w net.ipv6.conf.all.forwarding=1

    And what is "..up.." in your first inet6 block? should be pre-up or post-up.

    I just copied it from the Hetzner guide.

  • @rinaldohack said:

    @luckypenguin said:
    Seems legit, but make sure to allow IPv6 forwarding on the host as well:
    sysctl -w net.ipv6.conf.all.forwarding=1

    And what is "..up.." in your first inet6 block? should be pre-up or post-up.

    I just copied it from the Hetzner guide.

    apparently the sysctl part was the thing I needed. THANKS!
