Access IPv6 from the outside

Our hosting provider assigns a /64 IPv6 subnet to each of our boxes. The primary ethernet interface gets 2001:DB8:0001:0001::1 for example. As far as I understand, there is no subnetting available for IPv6. How can I configure LXD/dnsmasq to use IPv6s from the public network and make them publicly available?

> As far as I understand, there is no subnetting available for IPv6.

Yes, that’s true, SLAAC requires a /64 subnet. You can use a smaller subnet with DHCPv6. But there seems to be a bug in LXD which means you can only use a /64 subnet since the prefix-len option is missing in the --dhcp-range option. (/64 is the default when no prefix-len is specified.) (I made a pull request which fixes the problem and was merged in commit ca8a3be857de982d248f2c7055af1021f8a5534f. Maybe it’s possible to insert the --dhcp-range option in the raw.dnsmasq parameter as a workaround, I haven’t tested it yet.)

Another problem is that the /64 apparently is directly connected to the primary ethernet interface in your case. To be able to use the addresses on the LXD bridge they need to be routed to the host. If the provider isn’t able to route the /64 to you then you need to use an NDP proxy as a workaround. I’m using ndp-proxy on a VPS of mine. GitHub: mikma/ndp-proxy.

Let me clarify this a little bit: all packets for the network arrive at the host’s primary interface eth0. As far as I can see, all addresses are configured statically, there is no SLAAC on eth0. Outgoing traffic must have eth0’s MAC address, though.

If you configure another IPv6 address from the /64 subnet on “lo” or “lxdbr0”, does it make the address reachable the same way as if it’s configured on the primary ethernet interface? If the /64 is routed to your host then it shouldn’t matter on which interface an address is configured.

But if the /64 is directly connected to the primary ethernet interface, then the addresses can only be used on that interface unless you use an NDP proxy, since the host needs to respond to NDP requests for all addresses in the /64.
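
The on-link case described in this thread, as an added example that is not part of the original posts: for each address you plan to put on the bridge, it shows whether the host already answers Neighbor Solicitations for it on eth0 or whether an NDP proxy has to, and which solicited-node multicast group the upstream router will query. The prefix and addresses are constructed from the documentation range used in the question; the function names are hypothetical.

```python
import ipaddress

# Solicited-node multicast prefix ff02::1:ff00:0/104 (RFC 4291).
SN_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

# Constructed sample data (documentation prefix, as in the question).
PREFIX = "2001:db8:1:1::/64"              # /64 that is on-link on eth0
UPLINK_ADDRS = ["2001:db8:1:1::1"]        # addresses configured on eth0
BRIDGE_ADDRS = [                          # addresses intended for lxdbr0
    "2001:db8:1:1::1",
    "2001:db8:1:1::100",
    "2001:db8:1:1:216:3eff:fe12:3456",
    "2001:db8:2::5",
]

def solicited_node(addr):
    """Multicast group a Neighbor Solicitation for addr is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SN_BASE | low24)

def ndp_plan(onlink_prefix, uplink_addrs, bridge_addrs):
    """Classify each address for the case where the /64 is on-link on the
    uplink (assumption): the upstream router resolves it with NDP there."""
    net = ipaddress.IPv6Network(onlink_prefix)
    local = {ipaddress.IPv6Address(a) for a in uplink_addrs}
    plan = []
    for a in bridge_addrs:
        ip = ipaddress.IPv6Address(a)
        if ip not in net:
            status = "outside-prefix"     # not covered by the assigned /64
        elif ip in local:
            status = "host-answers"       # kernel replies on eth0 itself
        else:
            status = "needs-ndp-proxy"    # nobody on the uplink would reply
        plan.append((str(ip), status, str(solicited_node(ip))))
    return plan

if __name__ == "__main__":
    for ip, status, group in ndp_plan(PREFIX, UPLINK_ADDRS, BRIDGE_ADDRS):
        print(f"{ip:34} {status:16} NS sent to {group}")
```

If the provider routes the /64 to the host instead, none of this applies: packets arrive already addressed to the host's MAC and are forwarded to the bridge by the routing table.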