Proxmox

Setting up networking in Proxmox on a Hetzner server with only one IPv4 address


To be clear: these instructions will give each virtual machine you create an IPv6 address. This will be how your machines predominantly connect with the rest of the internet. However, they will have access to the IPv4 address of the host should they need it. Incoming traffic will not be able to connect to your virtual machine through the IPv4 address.

Setting up the host machine

Make a backup of your /etc/network/interfaces file and add the following:

iface enp0s31f6 inet6 static
   address 2a01:4f8:xxx:xxx::2/128
   gateway fe80::1

auto vmbr0
iface vmbr0 inet static
  address 10.0.0.1/24
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/proxy_arp
  post-up   iptables -A FORWARD -i enp0s31f6 -o vmbr0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  post-up   iptables -A FORWARD -i vmbr0 -o enp0s31f6 -j ACCEPT
  post-up   iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o enp0s31f6 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o enp0s31f6 -j MASQUERADE
  post-down iptables -D FORWARD -i vmbr0 -o enp0s31f6 -j ACCEPT
  post-down iptables -D FORWARD -i enp0s31f6 -o vmbr0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iface vmbr0 inet6 static
  address 2a01:4f8:xxx:xxx::2/64

Change enp0s31f6 above to the name of your network interface. The 2a01:4f8:xxx:xxx::2 address above is the one that Hetzner gives you with a 2 appended.

Now add the following lines to your /etc/sysctl.conf file:

net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.proxy_ndp = 1
net.ipv6.conf.all.proxy_ndp = 1
net.ipv4.conf.enp0s31f6.send_redirects=0

Setting up the guest machines

When creating your guest machines make sure to use an IPv4 address of 10.0.0.x/24 (where x can be any number other than 1 and anything already allocated to another machine) and a gateway of 10.0.0.1.

Use an IPv6 address of 2a01:4f8:xxx:xxx::x/64 (following the example above, but substituting the IPv6 prefix Hetzner already gave you). Make sure that the last x is any number other than 2 or anything already used by another machine. The gateway should be 2a01:4f8:121:266::2 (remembering the above about your IPv6 address).

Having problems?

You will likely need to turn off the firewall in the Proxmox guest setup. However, inside the guest you will need to enable a firewall for the IPv6 address, because that address is how the guest is reached from the internet.
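
A minimal guest-side ruleset for the firewall mentioned above, added here as an example and not part of the original instructions; the host configuration only adds IPv4 FORWARD rules, so nothing on the host filters inbound IPv6 to the guests. It assumes the guest uses nftables and exposes only SSH on TCP port 22; the table name guest_filter is arbitrary.

```nftables
#!/usr/sbin/nft -f
# Added example: guest-side ruleset, default-deny inbound for IPv4 and IPv6.
# Assumption: SSH on TCP 22 is the only service this guest exposes.

flush ruleset

table inet guest_filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iif "lo" accept
    ct state established,related accept

    # Neighbour discovery and router advertisements. Without these the guest
    # cannot resolve its gateway and IPv6 stops working. Genuine on-link
    # messages always arrive with hop limit 255.
    ip6 hoplimit 255 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

    # ICMPv6 errors (path MTU discovery depends on packet-too-big) and ping.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

    ct state invalid drop

    # Assumed service; edit or remove to match what the guest really runs.
    tcp dport 22 accept
  }

  chain forward {
    # The guest is not a router, so nothing is forwarded.
    type filter hook forward priority 0; policy drop;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}
```

Load it with nft -f from a console session rather than over SSH, so a mistake cannot lock you out, then confirm the result with nft list ruleset.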

Conclusion

You should now have working guest machines that are allocated unique IPv6 addresses but are able to use the IPv4 address for outbound connections only.

It will be much easier if you purchase extra IPv4 addresses instead of using this method. However, if you choose not to, you can at least create virtual machines without proper IPv4 access.