[Solved] IPv6 on Hetzner vSwitch / 64 er Subnet Seperation

[Patrick M. Hausen]

Will it work the other way round? That would be our setup at Hetzner for hosting - not OPNsense but FreeBSD.

WAN: dead:beef:dead:beef::1/128
WAN GW: fe80::1%igc0 (for example)
LAN: dead:beef:dead:beef::2/64 (bridge for our hosting jails and their default GW)

Kind regards,
Patrick

[Monviech (Cedrik)]

I really do not know, the ways it works are all in the man pages. I did a lot of testing and I have read people who use it here:

https://gist.github.com/MCterra10/7e3930e54db0be10f42dd999e3263560?permalink_comment_id=5178523#gistcomment-5178523

I could not recreate the above mentioned setup yet.

https://man.freebsd.org/cgi/man.cgi?query=ndproxy&apropos=0&sektion=4&manpath=FreeBSD+11-current&format=html

I guess you have to test the potential of it yourself in your environment, but the module seems to be around for a long while and there are no reports of people who have issues with it. Any (good or bad) reports are scarse...

[niclas]

Will it work the other way round? That would be our setup at Hetzner for hosting - not OPNsense but FreeBSD.

WAN: dead:beef:dead:beef::1/128
WAN GW: fe80::1%igc0 (for example)
LAN: dead:beef:dead:beef::2/64 (bridge for our hosting jails and their default GW)

Kind regards,
Patrick

Yes i had it like this before, but that only works if Hetzner gives you a MAC that you have to use. As mentioned earlier, because of that they know where to route your subnet.
vSwitches are different. You claim a IP without giving your IP to Hetzner so the GW dosen't know where to route the rest of the /64 subnet if your WAN only claims 128. (If I understood it right)

[Patrick M. Hausen]

Correct. But do you really need a vSwitch?

[niclas]

Yes, we use a Proxmox Cluster and if you wanna migrate your vm's / your OPNSense you need to change the ip's if you don't get the IP via vSwitch.

Hetzner only offer Public IP`s bound to a Dedicated Server or a vSwitch.

[niclas]

I really do not know, the ways it works are all in the man pages. I did a lot of testing and I have read people who use it here:

https://gist.github.com/MCterra10/7e3930e54db0be10f42dd999e3263560?permalink_comment_id=5178523#gistcomment-5178523

I could not recreate the above mentioned setup yet.

https://man.freebsd.org/cgi/man.cgi?query=ndproxy&apropos=0&sektion=4&manpath=FreeBSD+11-current&format=html

I guess you have to test the potential of it yourself in your environment, but the module seems to be around for a long while and there are no reports of people who have issues with it. Any (good or bad) reports are scarse...

I will give it a try, if i see it correct its experimental at the moment. Will it be implemented as plugin later? I can try it in a test enviroment, but not at production at the moment.

[Monviech (Cedrik)]

Check the previous page, it will come as normal plugin in the next version. Any tests are highly valuable for documentation purposes. Thanks in advance.

[niclas]

As an alias address on WAN.

If you want an address on LAN or OPT1, then routing must take place and you must use an entire /64.

I don't know if Hetzner support routing additional /64 with a vSwitch. They sure do if you do not use a vSwitch, though.

Where do i set the aliases? I tried the Virtual IP as i use it on IPv4, but that dosen't work.
The plan is to set multiple WAN IPv6 Addresses and then do a Port-forwarding and Outbound NAT for the Servers.

[niclas]

Check the previous page, it will come as normal plugin in the next version. Any tests are highly valuable for documentation purposes. Thanks in advance.

That sounds great! Sounds like it solves my Problem without NAT. I will test the Plugin if its out.
When it will come? In v25 or v24.8?

Are there any settings to do or dose it work out of the box?

[Monviech (Cedrik)]

Probably in the next minor version.  :)

So 24.7.9

Theres 4 settings, check out the man page. Its only 4 settings but it feels rather complicated (at least to me) even though it should be simple. Guess it depends highly on the exact usecase.

[niclas]

Probably in the next minor version.  :)

So 24.7.9

Theres 4 settings, check out the man page. Its only 4 settings but it feels rather complicated (at least to me) even though it should be simple. Guess it depends highly on the exact usecase.

Ah, found it. Can I do multiple LAN Networks? Because i have to put the MAC and IP in the config.

[Patrick M. Hausen]

Where do i set the aliases? I tried the Virtual IP as i use it on IPv4, but that dosen't work.

Surprises me although I admit I never tried it. Yes, I implied Virtual IP. Should work with IPv4 and IPv6 just the same.

I never used it because that's not how IPv6 is supposed to work. NAT deserves to die.

[niclas]

Where do i set the aliases? I tried the Virtual IP as i use it on IPv4, but that dosen't work.

Surprises me although I admit I never tried it. Yes, I implied Virtual IP. Should work with IPv4 and IPv6 just the same.

I never used it because that's not how IPv6 is supposed to work. NAT deserves to die.

😂 Thats what a wanted, but then the GW Thing stopped me.  :(

I will try it. The VIP shoud be pingable if the FW Rule for it is set right? (Ipv4 is it)

[Patrick M. Hausen]

The default GW in a vSwitch at Hetzner is not "pingable".

For IPv4 they told me to use 78.46.170.2 for gateway monitoring in Falkenstein. Best open a support ticket and ask which IPv6 address to use.

[niclas]

The Gateway for IPv6 on a vSwitch is pingable.  :)

The Virtual IP form type "Alias IP" also works now (no idea why not last time), but it takes some time to become active...