Hetzner Dedicated Server + Debian -- How Can VMs Use All of the IPv4 Subnet IPs?
Hello LES!
Hetzner seems to have an interesting policy that outgoing packets from virtual machines ("VMs") using additional subnet IPs on dedicated servers must come from the known-to-Hetzner hardware MAC address of the server.
Thus, Hetzner wants VMs using subnet IPv4 addresses to use the server node's main IPv4 as the VM's gateway. If I understand correctly, the usual way to accomplish using the node's main IPv4 as a VM gateway means that the VMs cannot use all of the IP addresses in the node's IPv4 subnet.
However, could using layer 2 networking for IPv4 on the server node allow use of all of the additional IPv4 subnet addresses by VMs while still meeting Hetzner's requirements?
This enticing possibility is suggested at https://www.sysorchestra.com/hetzner-root-server-with-kvm-ipv4-and-ipv6-networking/ .
The subnet here is a /28 with 16 IP addresses. Would it be completely crazy to image that an /etc/network/interfaces
configuration somewhat like the following might work to utilize all 16 of the IPv4 subnet IPs?
source /etc/network/interfaces.d/* auto lo iface lo inet loopback iface lo inet6 loopback auto enp7s0 iface enp7s0 inet static address 198.18.1.0 netmask 255.255.255.255 gateway 198.18.0.1 pointopoint 198.18.0.1 post-up echo 1 > /proc/sys/net/ipv4/ip_forward post-up echo 0 > /proc/sys/net/ipv4/conf/enp7s0/send_redirects iface enp7s0 inet6 static address 2001:0002::2 netmask 128 gateway fe80::1 post-up echo 1 > /proc/sys/net/ipv6/conf/all/forwarding auto vmbr0 iface vmbr0 inet static address 198.18.1.0 netmask 255.255.255.255 bridge_ports none bridge_stp off bridge_fd 0 bridge_maxwait 0 post-up ip route add 198.18.10.0/32 dev vmbr0 pre-down ip route del 198.18.10.0/32 dev vmbr0 post-up ip route add 198.18.10.1/32 dev vmbr0 pre-down ip route del 198.18.10.1/32 dev vmbr0 [ . . . ] post-up ip route add 198.18.10.15/32 dev vmbr0 pre-down ip route del 198.18.10.15/32 dev vmbr0 iface vmbr0 inet6 static address 2001:0002::2 netmask 64
When the server is booted using the above /etc/network/interfaces
configuration, and with no VMs running, I seem to see something like the following. Is this as should be expected?
Thanks very much for reading and for any help! π Best wishes from Mexico's Sonoran Desert! π΅
Tom. η©ε¦ηΆ. Not Oles. Happy New York City guy visiting Mexico! How is your ζθ¨ζ?
The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!
Comments
yes. you need to add the (subnet) IPs in a way that they are 'routed' instead of 'bridged'.
Hetzner have their own knowledge base article on that: https://community.hetzner.com/tutorials/install-and-configure-proxmox_ve
important is that the main IP is set up in a pointopoint/host route config and enabling ip-forward (can be done in sysctl instead of network/interfaces)
apart from adding them all to a single interfaces like you did, you could have mutliple (routed) bridges though where you add only the IPs needed and which might help to avoid IP spoofing.
this is a bit more complex if you add IPv6 to the mix, as you need to define all bridges independently for that as well...
Yeah, I've done a similar config using a dedi that just had a couple of additional IPs and not an additional subnet.
Route the IPs on the host then used a pointopoint setup in the guest. Works fine just not normally able to set it up on the guest as part of the installation, has to be done after (ie, debian net install)
indeed. if you want the installer to be able to set up sources and update packages you can use a shell to issue ip addr and route add and have your connection working though. also... IPv6 ;-)
I use a similar setup and use DHCP to hand out IPs and gateway. When installing from ISO, the Debian installer just refuses to work, doesn't like the gateway being out of the subnet, Ubuntu's new installer, Anaconda, Windows work just fine. Ubuntu's old installer refused the DHCP offer.
Update: So far I haven't been able to get the above configuration to work with VMs.
Here is yet another blog which says
Friendly greetings!
Tom. η©ε¦ηΆ. Not Oles. Happy New York City guy visiting Mexico! How is your ζθ¨ζ?
The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!
Thanks to the comments above and also to wonderful help from @PenguinGenius, the networking on the Debian MetalVPS node at Hetzner now may be configured in a way which enables use of all of the IPv4s in the additional subnet.
Starting from a Hetzner installimage Debian install, followed by an upgrade to sid, here is my attempted summary of what changes seemed to get connectivity working inside qemu VMs:
On the Node
"net.ipv4.ip_forward=1" was commented out with a hash tag
#
The hash tag was removed.
When VMs were started, /etc/qemu-ifup gave a warning:
Fixed by adding as lines, 27 and 28:
Command to launch VMs
I had been trying this command without the
ifname=tap0
parameter, which I did not see in the start command shown in the tutorial at https://www.linux-kvm.org/page/Networking#Public_Bridge .Secure VNC access to the VM is available via an ssh tunnel:
ssh [email protected] -L 5901:localhost:5901
Ask local VNC viewer to connect to
localhost:5901
To relaunch the VM after installation, remove the
-cdrom
and-boot d
lines.Configuration inside the VM
/etc/network/interfaces:
/etc/resolv.conf:
Comments
There are easier ways to launch VMs. I am trying to do it in a basic way so that I might learn.
Your additional criticism and comments will be very greatly appreciated! @Falzo @SagnikS @Mr_Tom @chocolateshirt @Decicus @quangthang @PenguinGenius @yoursunny @Mason @mikho @Hetzner_OL
Very friendly greetings from New York City and Sonora, Mexico! π½πΊπΈπ²π½ποΈ
Tom. η©ε¦ηΆ. Not Oles. Happy New York City guy visiting Mexico! How is your ζθ¨ζ?
The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!
Thank you so much for your efforts. When I get around to try this, I'll give you an update.
MetalVPS
And may I ask if this configuration survives after reboot or not?
MetalVPS
Should be:
iface ens3 inet static
Tom. η©ε¦ηΆ. Not Oles. Happy New York City guy visiting Mexico! How is your ζθ¨ζ?
The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!
The internal configuration of the VM survives reboot of the VM and reboot of the node.
Reboot of the node stops the VM temporarily.
Following reboot of the node, the VM restarts automatically if the node is configured to restart the VM as part of the node reboot. Alternatively, the VM can be restarted manually.
Thanks for your question! Β‘Saludos!
Tom. η©ε¦ηΆ. Not Oles. Happy New York City guy visiting Mexico! How is your ζθ¨ζ?
The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!
The discussion above doesn't cover the apt repository configuration inside the VM, which is required to be done by hand following a VM install from the netinst iso at a time when the VM does not yet have network connectivity. Apt repository configuration is covered in this recent blog post.
The Debian KVM wiki page says "It is possible to install only QEMU and KVM for a very minimal setup, but most users will also want libvirt for convenient configuration and management of the virtual machines. . . ." This morning, now that the "very minimal setup" has been accomplished, the question on my mind is what to do next.
The Debian KVM wiki page mentions that libvirt provides the libvirt group, which permits management of virtual machines by a regular user. Well, maybe regular users could have the VM launch command configured into
sudo
. But libvirt might be a good choice for what to do next.Another idea for what to do next might be to look at easier installs than the netinst iso. Debian has ["nocloud" daily images] (https://cloud.debian.org/images/cloud/sid/daily/latest/debian-sid-nocloud-amd64-daily.qcow2) which might be great.
Does anyone have an additional or an alternative suggestion for what to do next? π Please let me know!
Thanks and friendly greetings from the Sonoran desert! Where there now are hints that the hottest summer sun might be beginning to recede. π₯βοΈπ₯
Tom. η©ε¦ηΆ. Not Oles. Happy New York City guy visiting Mexico! How is your ζθ¨ζ?
The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!
This is good networking tutorial, I can try on my proxmox too.. Thank you @Not_Oles
β A simple uptime dashboard using UptimeRobot API https://upy.duo.ovh
β Currently using VPS from BuyVM, GreenCloudVPS, Gullo's, Hetzner, HostHatch, InceptionHosting, LetBox, MaxKVM, MrVM, VirMach.
Thanks for your kind words!
When / if you do try it, please let us know how it works for you. If I can help, please feel free to ask. Thanks very much!
Friendly greetings!
Tom. η©ε¦ηΆ. Not Oles. Happy New York City guy visiting Mexico! How is your ζθ¨ζ?
The MetalVPS.com website runs very speedily on MicroLXC.net! Thanks to @Neoon!