Assign IPv6 to KVM machine
We all need IPv6
It is kind of awesome. The Internet of Things is coming, which is going to be a security disaster, and IPv6 is coming along with it. Along with the other advantages IPv6 provides, we definitely want it, especially because of the mass of available addresses.
Also, we have to: IPv6 will replace IPv4 in 5 or 100 years, or just never...
One big advantage of IPv6 is that you can allocate one IP address per application, or for whatever other reason you want more than one IP address. It's not a problem anymore.
Everyone gets at least a /64 block (see SLAAC), which means 64 bits, or 2^64, or 18.446.744.073.709.551.616 addresses, or just enough...
That's great! No more NAT and no more worries about ports which are already in use!
Why I'm so happy about IPv6
I own many dedicated servers, but only a few of them have multiple IPv4 addresses allocated. That's a problem, for example, if I want to set up VMs, which I do quite often.
It's not a big deal to set up NAT with iptables and share this IP address, but I want my servers to listen on any port without caring whether the port may already be in use. In this case I have to build awkward workarounds, like using NGINX which is proxying to the other NGINX on the VM, or a modified HAProxy. Or I just allocate the port to this single machine, stuff like that and much more...
Those times are over, thanks to IPv6!
Well... or maybe not. It does not yet seem that it is going to be used anytime soon, but hey, let's get IPv6 ready anyway!
So let's assign a dedicated IPv6 address to our KVM machine.
One way would be to use the router advertisement daemon radvd; the other way would be to assign the IP addresses statically.
I will only set up a static IP here; for setting up radvd you may consider reading:
It's in German, but the configuration parameters should tell you enough about what you have to do.
This post also mentions some problems with using router advertisement together with forwarding. If you want more information about this you might read this post:
So the first thing we have to set up is our bridge. In this case I'm on Debian and edit my
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual

auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off

iface br0 inet6 static
    address 2001:beef:2:9dd0::
    netmask 64
    post-up /sbin/ip -f inet6 route add 2001:beef:2:9dff:ff:ff:ff:ff dev br0
    post-up /sbin/ip -f inet6 route add default via 2001:beef:2:9dff:ff:ff:ff:ff
    pre-down /sbin/ip -f inet6 route del default via 2001:beef:2:9dff:ff:ff:ff:ff
    pre-down /sbin/ip -f inet6 route del 2001:beef:2:9dff:ff:ff:ff:ff dev br0
On this server I get the IPv4 address over DHCP; my new IPv6 block I have to set up statically.
The post-up lines define and set the gateway at the last address of the block.
You also need to edit or add the following options in /etc/sysctl.conf so that they are enabled:
net.ipv6.conf.all.proxy_ndp = 1
net.ipv6.conf.all.forwarding = 1
The KVM Settings
Next you configure your KVM and add an interface of the type bridge like the following:
<interface type='bridge'>
  <mac address='52:54:00:0a:41:d5'/>
  <source bridge='br0'/>
  <target dev='vnet2'/>
  <model type='virtio'/>
  <alias name='net2'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
</interface>
Now you can configure the IPv6 in your VM.
The tricky part
It's not really tricky, but you have to know about it. There are several issues that can happen to you.
Neighbour Discovery Proxy
You may need to tell the system that it should "split your subnet into parts". You accomplish this with:
ip -6 neigh add proxy 2001:beef:2:9dd0::12 dev br0
This should of course be the IPv6 address you configured in your VM, and you need to do this every time you add a new IP. You may read more about this here.
By the way, if you want to add a new IPv6 address to your host system, you only need to execute this command:
ip -6 addr add 2001:beef:2:9dd0::29 dev br0
That's all. No iptables forwarding stuff, no NAT, no port forwarding. Just a dedicated IPv6 address, or more addresses if you want to, for this single virtual machine.
Alternatively, if you want to give a specific VM a whole subnet (for example a /122), I recommend using ndppd.
I also recommend reading ip-neighbour(8).
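Proxy entries added with ip -6 neigh add proxy live only in the running kernel, so they have to be re-added after a reboot as well as for every new VM address. The script below is an added example, not part of the original post: it compares a list of VM addresses with what the host currently proxies on br0 and prints the ip commands needed to converge, plus any of the two sysctls from above that are not enabled. The list file /etc/ndp-proxy.list and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: reconcile NDP proxy entries.
# Assumption: a hypothetical list file with one VM address per line,
# "#" comments allowed, addresses written the way `ip` prints them.
BRIDGE="${BRIDGE:-br0}"

# desired_addrs FILE: addresses from FILE without comments and blank lines.
desired_addrs() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | sort -u
}

# current_addrs: reads `ip -6 neigh show proxy` output on stdin (lines look
# like "<addr> dev br0  proxy") and prints the addresses proxied on $BRIDGE.
current_addrs() {
    awk -v dev="$BRIDGE" '$2 == "dev" && $3 == dev { print $1 }' | sort -u
}

# plan DESIRED_FILE CURRENT_FILE: print the commands that add missing proxy
# entries and remove entries that are no longer listed.
plan() {
    want=$(mktemp) have=$(mktemp)
    desired_addrs "$1" > "$want"
    current_addrs < "$2" > "$have"
    comm -23 "$want" "$have" | sed "s|.*|ip -6 neigh add proxy & dev $BRIDGE|"
    comm -13 "$want" "$have" | sed "s|.*|ip -6 neigh del proxy & dev $BRIDGE|"
    rm -f "$want" "$have"
}

# sysctl_gaps [ROOT]: print the required sysctls that are not set to 1.
# ROOT defaults to /proc/sys and exists as a parameter only for testing.
sysctl_gaps() {
    root="${1:-/proc/sys}"
    for key in net/ipv6/conf/all/proxy_ndp net/ipv6/conf/all/forwarding; do
        [ "$(cat "$root/$key" 2>/dev/null)" = "1" ] || echo "$key" | tr / .
    done
}

# Usage: sh ndp-proxy.sh plan /etc/ndp-proxy.list
# Only prints; review the output, then pipe it to sh as root to apply it.
if [ "${1:-}" = "plan" ]; then
    cur=$(mktemp)
    ip -6 neigh show proxy > "$cur"
    sysctl_gaps | sed 's/^/# not enabled: /'
    plan "$2" "$cur"
    rm -f "$cur"
fi
```

Run from a post-up hook or a boot script, this brings the proxy entries back after a restart without touching entries on other interfaces.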
If you restart your VM, it may happen that you can't use your IPv6 address again, with the error global tentative dadfailed. This means that your address is already in use. To prevent this, deactivate net.ipv6.conf.all.accept_dad in your
You can get more information about this by reading this:
Oh OK, you're using Windows.
Then you need to use netsh.
netsh int ipv6 show addresses
You should find your address that can't be assigned because of its DAD status.
OK, so how do you disable accept_dad on Windows?
First execute this:
netsh int ipv6 show int
Now take the Idx of your network interface from the displayed list. In our case the Idx will be 19.
To list which options are enabled for your interface enter this command:
netsh int ipv6 show int 19
Now execute the following command to disable accept_dad:
netsh int ipv6 set int 19 dadtransmits=0
For more information, see the Microsoft documentation: