Can't get IPv6 Netmask 64 to work (no NAT, should be end to end)

Fancy stuff! I wish I had teachers like you in school. Or, for that matter, a school system that teaches you anything useful for actual life. :slight_smile: :slight_smile:

Thank you very much!

2 Likes

Hi,
I am trying to follow this, of course modifying the network name,
but I keep getting this error:
Error: Failed to run: ip -6 addr add fe80::1/128 dev vethd08ddefc: RTNETLINK answers: Permission denied
Note: I am using Hetzner Cloud, where they provide me with a /64 v6.
What matters in my case: a bridge has a single IPv4 NAT; later on, add a small portion of / divide the v6 subnet over multiple bridges that use different IPv4 addresses as the NAT IP.
How would I go about this? Please advise.

Can you clarify what command you are running to get that error please?

lxc network set lxdbr0 ipv6.address=none
lxc network set lxdbr0 ipv6.dhcp=false
lxc init ubuntu:18.04 c1
lxc config device add c1 eth1 nic nictype=routed ipv6.address=2a02:nnn:76f4:1::1234 parent=wlp0s20f3
sysctl net.ipv6.conf.all.proxy_ndp=1
sysctl net.ipv6.conf.wlp0s20f3.proxy_ndp=1
lxc start c1

I get it immediately after start.
Now, I came to this page by searching for "ipv6 static".
This is my goal actually, and this might / might not be what I need.
Goal:
Note: I am using Hetzner Cloud, where they provide me with a /64 v6.
What matters in my case: a bridge has a single IPv4 NAT; later on, add a small portion of / divide the v6 subnet over multiple bridges that use different IPv4 addresses as the NAT IP.
How would I go about this? Please advise.

@tomp
In other words, I am trying to have:
lxdbr1 using IPV4_1 for NAT.
lxdbr2 using IPV4_2 for NAT.
lxdbr3 using IPV4_3 for NAT.
Then make use of the huge IPv6 /64 subnet to add IPv6 addresses so the containers are publicly accessible over IPv6.
Does what I am trying to do sound right?

If I recall correctly, Hetzner routes the /64 directly to the host, and so there is no need for proxy NDP to use the /64 addresses.

In that case then you could configure each of your 3 bridges with a subset of your /64 subnet, for example you could use a /120 which then allows 256 statically assigned IPv6s per bridge.

Then you would set the IPv4 as you need with ipv4.nat=true and set ipv6.nat=false.

As you wouldn't be able to use SLAAC, as that needs a /64 or larger, you'd need to configure the IPv6 addresses statically.

1 Like

So for example if your /64 was fd0b:bc39:4820:d4f8::/64

Then you could create two network as follows, each with a separate /120 subnet, and IPv6 NAT disabled and stateful DHCPv6 enabled.

lxc network create lxdbr1 ipv6.address=fd0b:bc39:4820:d4f8::1:1/120 ipv6.nat=false ipv6.dhcp.stateful=true
lxc network create lxdbr2 ipv6.address=fd0b:bc39:4820:d4f8::2:1/120 ipv6.nat=false ipv6.dhcp.stateful=true

Then launch some containers on the networks:

lxc init images:ubuntu/focal cbr1
lxc config device add cbr1 eth0 nic network=lxdbr1
lxc start cbr1

lxc init images:ubuntu/focal cbr2
lxc config device add cbr2 eth0 nic network=lxdbr2
lxc start cbr2

lxc ls
lxc ls cbr
+------+---------+----------------------+----------------------------------+-----------+-----------+
| NAME |  STATE  |         IPV4         |               IPV6               |   TYPE    | SNAPSHOTS |
+------+---------+----------------------+----------------------------------+-----------+-----------+
| cbr1 | RUNNING | 10.196.72.119 (eth0) | fd0b:bc39:4820:d4f8::1:75 (eth0) | CONTAINER | 0         |
+------+---------+----------------------+----------------------------------+-----------+-----------+
| cbr2 | RUNNING | 10.115.99.13 (eth0)  | fd0b:bc39:4820:d4f8::2:f6 (eth0) | CONTAINER | 0         |
+------+---------+----------------------+----------------------------------+-----------+-----------+

Then from my upstream router, which represents Hetzner's router, I would add a static route for the /64 subnet and test connectivity:

ip -6 r add fd0b:bc39:4820:d4f8::/64 via <LXD host IP> dev enp2s0
ping -c1 fd0b:bc39:4820:d4f8::1:75
ping -c1 fd0b:bc39:4820:d4f8::2:f6

This setup still allows dynamic IP allocation as long as the container can do DHCPv6.

This only works if your ISP routes the /64 directly to your LXD host and doesn't rely on your LXD host responding to NDP queries.
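The layout described above, as an added example that is not part of the thread or of LXD's own tooling: a POSIX shell script that carves the /64 from the post into per-bridge /120 subnets, derives the bridge and container addresses, checks that a static address actually falls inside its bridge's /120 (the mistake that silently breaks connectivity when a profile is copied from one bridge to another), and prints the `lxc network create` command for each bridge with IPv4 NAT on, IPv6 NAT off and stateful DHCPv6 on. It assumes the `::N:host` layout used above; the 10.10.N.0/24 IPv4 subnets and 203.0.113.x NAT source addresses are constructed placeholders, and the `ipv4.nat.address` key (LXD's setting for the SNAT source address of a bridge) is not mentioned in the thread. The commands are only printed, never executed.

```shell
#!/bin/sh
# Added example, not from the thread: carve a routed /64 into per-bridge /120s.
# Assumption: bridge N owns <prefix>::N:0/120, the bridge itself sits at ::N:1,
# and containers take ::N:2 .. ::N:fe, matching the layout in the post above.

PREFIX64="fd0b:bc39:4820:d4f8"   # the /64 used in the thread

# bridge_subnet N -> the /120 owned by lxdbrN
bridge_subnet() {
    printf '%s::%x:0/120\n' "$PREFIX64" "$1"
}

# bridge_address N -> lxdbrN's own address, with prefix length as ipv6.address wants it
bridge_address() {
    printf '%s::%x:1/120\n' "$PREFIX64" "$1"
}

# container_address N IDX -> static address for host IDX (2..254) on lxdbrN;
# 0 is the subnet address, 1 is the bridge, 255 is kept free, so refuse those
container_address() {
    [ "$2" -ge 2 ] && [ "$2" -le 254 ] || {
        echo "host index must be 2..254 inside a /120" >&2
        return 1
    }
    printf '%s::%x:%x\n' "$PREFIX64" "$1" "$2"
}

# in_bridge_subnet ADDR N -> success if ADDR (canonical ::N:host form, as lxc ls
# prints it) lies inside lxdbrN's /120; a textual check, so a non-canonical
# spelling such as ...:0:0:1:75 is rejected rather than mis-classified
in_bridge_subnet() {
    addr=$1
    want="${PREFIX64}::$(printf '%x' "$2"):"
    case "$addr" in
        "$want"*) ;;
        *) return 1 ;;
    esac
    host=${addr#"$want"}
    case "$host" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "$((0x$host))" -le 255 ]
}

# network_create_cmd N NAT_IPV4 -> the lxc command for lxdbrN: IPv4 NAT from the
# given source address, IPv6 routed (no NAT), stateful DHCPv6 so addresses can be
# pinned per container with ipv6.address on the NIC device
network_create_cmd() {
    printf 'lxc network create lxdbr%s ipv4.address=10.10.%s.1/24 ipv4.nat=true ipv4.nat.address=%s ipv6.address=%s ipv6.nat=false ipv6.dhcp.stateful=true\n' \
        "$1" "$1" "$2" "$(bridge_address "$1")"
}

# Usage: three bridges, each SNATing IPv4 from a different (placeholder) public address
i=1
for nat_ip in 203.0.113.1 203.0.113.2 203.0.113.3; do
    network_create_cmd "$i" "$nat_ip"
    i=$((i + 1))
done
```

Run it once to review the generated commands, then paste them in; before pinning an address in a profile, call `in_bridge_subnet` with the address and the bridge number the profile attaches to, since an address from lxdbr2's /120 handed to a container on lxdbr1 will be accepted by LXD but never reach the upstream route.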

@tomp Thanks.
It indeed works.
Is there a way of making the IPv6 static instead of it being "scope global dynamic noprefixroute" for now?
Edit:
Manually restarting the network inside the container gets the IP back.
Note: I made a change to the config file, adding
ipv6.address: fd0b:bc39:4820:d4f8::1:75
As I said, on the first reboot of the whole system it does not get the IPv6, but after restarting the network inside the container it does get it back.

I'm not really following you on this; for me it just works: the container starts up, makes a DHCPv6 request to LXD's dnsmasq and that gives out an address. Router advertisements then configure the default route to the LXD bridge address.

I'm not clear what isn't working for you, I'm afraid.

You can configure the addressing statically inside the container too for more control if DHCPv6 isn't suitable for you.

Maybe I am making no sense; ignore me please.
And this is how I add an IPv6 address statically for a container, just like IPv4, right?

ipv4.address: 10.196.72.119
ipv6.address: fd0b:bc39:4820:d4f8::1:75

And since the IPv6 is not using NAT, there is no need for any proxy, as the IPs are globally accessible, right?

Correct, and as long as you've enabled stateful DHCPv6 on the network (as shown above) and your container's network stack requests an IP using DHCPv6, then LXD's DHCP server will allocate it statically.

2 Likes

For the sake of learning:
When will I ever need to use the NDP way?
How do I manually ask the container to renew its IPv6 address?
Edit:
In case I want some containers using the same profile to not get an IPv6 address,
will having these settings inside the containers' /etc/sysctl.conf

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

be the right way of disabling IPv6 for certain containers?

Edit:
This warning message keeps popping up in the logs:

lvl=warn msg="Proxy bridge netfilter not enabled: br_netfilter not loaded: open /proc/sys/net/bridge/bridge-nf-call-iptables: no such file or directory. Instances using the bridge will not be able to connect to the proxy's listen IP"

You would need to use proxy NDP if your provider had just routed your /64 to the physical subnet rather than the specific IP/MAC address of your LXD host, such that their upstream router performs an NDP neighbour solicitation to resolve the MAC address for each address being used in your /64.

This would then require your LXD host to respond to those requests in order for the packets to arrive at the LXD host (this is what the routed NIC type provides).

You should be able to disable IPv6 that way, or you can just configure your container's network config to not perform DHCPv6.

As for the warning, this suggests you have an instance with a proxy device configured in NAT mode, but do not have the br_netfilter kernel module loaded, meaning that LXD cannot add the firewall rules required to allow other instances to connect to the proxy device's listen IP.

2 Likes

You are my hero. That worked well out of the box (Arch host on netcup with a /64).
The other "easy" tutorial still left me without connectivity.

2 Likes