Xen on Ubuntu 18.04 with IPv4 (NAT) and IPv6












0















I'm renting a dedicated server at Hetzner and installed Ubuntu server 18.04 LTS on it.
I've got two public IPv4 addresses named x.x.x.x and y.y.y.y and one IPv6 /64 block for connecting my private networks to the internet. I use NAT for IPv4.



XEN Schema
My network is configured using Netplan as follows:



network:    
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- x.x.x.x/32
- y.y.y.y/32
- a.a.a.a::2/64
routes:
- on-link: true
to: 0.0.0.0/0
via: z.z.z.z
gateway6: fe80::1
nameservers:
addresses:
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
bridges:
xenbr0:
interfaces:
addresses:
- 192.168.0.1/24
- a.a.a.a::3/64
parameters:
forward-delay: 0
stp: false
xenbr1:
interfaces:
addresses:
- 192.168.1.1/24
- a.a.a.a::4/64
parameters:
forward-delay: 0
stp: false


The installation and configuration of XEN:



sudo apt-get install xen-hypervisor-amd64 xen-tools
sudo reboot
sudo vim /etc/default/grub
GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=min:1024M,max:1024M dom0_max_vcpus=2 dom0_vcpus_pin"
sudo vim /etc/xen/xl.conf
autoballoon=0
sudo update-grub
sudo reboot


VM's should be accessible to and from the Internet using IP forwarding and NAT.



sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p /etc/sysctl.conf
sudo apt-get install iptables-persistent


The NAT part:



sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Forward HTTP and HTTPS requests to our VM2 server:



sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 80 -j DNAT --to 192.168.0.11:80
sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 443 -j DNAT --to 192.168.0.11:443


We don't want any traffic between 192.168.0.x <-> 192.168.0.y so we drop all data packages with some simple rules. This Blocks communication between the bridges:



sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -i eth0 -o xenbr0 -j ACCEPT
sudo iptables -A FORWARD -i xenbr0 -o eth0 -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o xenbr1 -j ACCEPT
sudo iptables -A FORWARD -i xenbr1 -o eth0 -s 192.168.1.0/24 -j ACCEPT


The IPv4 part works perfectly but the IPv6 doesn't. I've assigned an IPv6 address manually to my VM's.When logged in to VM1 i can ping xenbr0 at address ::3 and VM2 at address ::11 but can't ping eth0 at address ::2.
It's like the bridge prevents the IPv6 traffic from leaving the network but can't figure out why.










share|improve this question




















  • 1





    If you are trying to create a guide, the re-write to be a question, and answer it. (self answered questions are encouraged).

    – ctrl-alt-delor
    Jan 20 at 15:57
















0















I'm renting a dedicated server at Hetzner and installed Ubuntu server 18.04 LTS on it.
I've got two public IPv4 addresses named x.x.x.x and y.y.y.y and one IPv6 /64 block for connecting my private networks to the internet. I use NAT for IPv4.



XEN Schema
My network is configured using Netplan as follows:



network:    
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- x.x.x.x/32
- y.y.y.y/32
- a.a.a.a::2/64
routes:
- on-link: true
to: 0.0.0.0/0
via: z.z.z.z
gateway6: fe80::1
nameservers:
addresses:
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
bridges:
xenbr0:
interfaces:
addresses:
- 192.168.0.1/24
- a.a.a.a::3/64
parameters:
forward-delay: 0
stp: false
xenbr1:
interfaces:
addresses:
- 192.168.1.1/24
- a.a.a.a::4/64
parameters:
forward-delay: 0
stp: false


The installation and configuration of XEN:



sudo apt-get install xen-hypervisor-amd64 xen-tools
sudo reboot
sudo vim /etc/default/grub
GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=min:1024M,max:1024M dom0_max_vcpus=2 dom0_vcpus_pin"
sudo vim /etc/xen/xl.conf
autoballoon=0
sudo update-grub
sudo reboot


VM's should be accessible to and from the Internet using IP forwarding and NAT.



sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p /etc/sysctl.conf
sudo apt-get install iptables-persistent


The NAT part:



sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Forward HTTP and HTTPS requests to our VM2 server:



sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 80 -j DNAT --to 192.168.0.11:80
sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 443 -j DNAT --to 192.168.0.11:443


We don't want any traffic between 192.168.0.x <-> 192.168.0.y so we drop all data packages with some simple rules. This Blocks communication between the bridges:



sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -i eth0 -o xenbr0 -j ACCEPT
sudo iptables -A FORWARD -i xenbr0 -o eth0 -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o xenbr1 -j ACCEPT
sudo iptables -A FORWARD -i xenbr1 -o eth0 -s 192.168.1.0/24 -j ACCEPT


The IPv4 part works perfectly but the IPv6 doesn't. I've assigned an IPv6 address manually to my VM's.When logged in to VM1 i can ping xenbr0 at address ::3 and VM2 at address ::11 but can't ping eth0 at address ::2.
It's like the bridge prevents the IPv6 traffic from leaving the network but can't figure out why.










share|improve this question




















  • 1





    If you are trying to create a guide, the re-write to be a question, and answer it. (self answered questions are encouraged).

    – ctrl-alt-delor
    Jan 20 at 15:57














0












0








0








I'm renting a dedicated server at Hetzner and installed Ubuntu server 18.04 LTS on it.
I've got two public IPv4 addresses named x.x.x.x and y.y.y.y and one IPv6 /64 block for connecting my private networks to the internet. I use NAT for IPv4.



XEN Schema
My network is configured using Netplan as follows:



network:    
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- x.x.x.x/32
- y.y.y.y/32
- a.a.a.a::2/64
routes:
- on-link: true
to: 0.0.0.0/0
via: z.z.z.z
gateway6: fe80::1
nameservers:
addresses:
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
bridges:
xenbr0:
interfaces:
addresses:
- 192.168.0.1/24
- a.a.a.a::3/64
parameters:
forward-delay: 0
stp: false
xenbr1:
interfaces:
addresses:
- 192.168.1.1/24
- a.a.a.a::4/64
parameters:
forward-delay: 0
stp: false


The installation and configuration of XEN:



sudo apt-get install xen-hypervisor-amd64 xen-tools
sudo reboot
sudo vim /etc/default/grub
GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=min:1024M,max:1024M dom0_max_vcpus=2 dom0_vcpus_pin"
sudo vim /etc/xen/xl.conf
autoballoon=0
sudo update-grub
sudo reboot


VM's should be accessible to and from the Internet using IP forwarding and NAT.



sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p /etc/sysctl.conf
sudo apt-get install iptables-persistent


The NAT part:



sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Forward HTTP and HTTPS requests to our VM2 server:



sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 80 -j DNAT --to 192.168.0.11:80
sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 443 -j DNAT --to 192.168.0.11:443


We don't want any traffic between 192.168.0.x <-> 192.168.0.y so we drop all data packages with some simple rules. This Blocks communication between the bridges:



sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -i eth0 -o xenbr0 -j ACCEPT
sudo iptables -A FORWARD -i xenbr0 -o eth0 -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o xenbr1 -j ACCEPT
sudo iptables -A FORWARD -i xenbr1 -o eth0 -s 192.168.1.0/24 -j ACCEPT


The IPv4 part works perfectly but the IPv6 doesn't. I've assigned an IPv6 address manually to my VM's.When logged in to VM1 i can ping xenbr0 at address ::3 and VM2 at address ::11 but can't ping eth0 at address ::2.
It's like the bridge prevents the IPv6 traffic from leaving the network but can't figure out why.










share|improve this question
















I'm renting a dedicated server at Hetzner and installed Ubuntu server 18.04 LTS on it.
I've got two public IPv4 addresses named x.x.x.x and y.y.y.y and one IPv6 /64 block for connecting my private networks to the internet. I use NAT for IPv4.



XEN Schema
My network is configured using Netplan as follows:



network:    
version: 2
renderer: networkd
ethernets:
eth0:
addresses:
- x.x.x.x/32
- y.y.y.y/32
- a.a.a.a::2/64
routes:
- on-link: true
to: 0.0.0.0/0
via: z.z.z.z
gateway6: fe80::1
nameservers:
addresses:
- 1.1.1.1
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
bridges:
xenbr0:
interfaces:
addresses:
- 192.168.0.1/24
- a.a.a.a::3/64
parameters:
forward-delay: 0
stp: false
xenbr1:
interfaces:
addresses:
- 192.168.1.1/24
- a.a.a.a::4/64
parameters:
forward-delay: 0
stp: false


The installation and configuration of XEN:



sudo apt-get install xen-hypervisor-amd64 xen-tools
sudo reboot
sudo vim /etc/default/grub
GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=min:1024M,max:1024M dom0_max_vcpus=2 dom0_vcpus_pin"
sudo vim /etc/xen/xl.conf
autoballoon=0
sudo update-grub
sudo reboot


VM's should be accessible to and from the Internet using IP forwarding and NAT.



sudo vim /etc/sysctl.conf
net.ipv4.ip_forward=1
sudo sysctl -p /etc/sysctl.conf
sudo apt-get install iptables-persistent


The NAT part:



sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


Forward HTTP and HTTPS requests to our VM2 server:



sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 80 -j DNAT --to 192.168.0.11:80
sudo iptables -A PREROUTING -t nat -p tcp -i eth0 -d x.x.x.x --dport 443 -j DNAT --to 192.168.0.11:443


We don't want any traffic between 192.168.0.x <-> 192.168.0.y so we drop all data packages with some simple rules. This Blocks communication between the bridges:



sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -i eth0 -o xenbr0 -j ACCEPT
sudo iptables -A FORWARD -i xenbr0 -o eth0 -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o xenbr1 -j ACCEPT
sudo iptables -A FORWARD -i xenbr1 -o eth0 -s 192.168.1.0/24 -j ACCEPT


The IPv4 part works perfectly but the IPv6 doesn't. I've assigned an IPv6 address manually to my VM's.When logged in to VM1 i can ping xenbr0 at address ::3 and VM2 at address ::11 but can't ping eth0 at address ::2.
It's like the bridge prevents the IPv6 traffic from leaving the network but can't figure out why.







ubuntu iptables bridge nat xen






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 21 at 11:31







JonasVH

















asked Jan 18 at 9:36









JonasVHJonasVH

13114




13114








  • 1





    If you are trying to create a guide, the re-write to be a question, and answer it. (self answered questions are encouraged).

    – ctrl-alt-delor
    Jan 20 at 15:57














  • 1





    If you are trying to create a guide, the re-write to be a question, and answer it. (self answered questions are encouraged).

    – ctrl-alt-delor
    Jan 20 at 15:57








1




1





If you are trying to create a guide, the re-write to be a question, and answer it. (self answered questions are encouraged).

– ctrl-alt-delor
Jan 20 at 15:57





If you are trying to create a guide, the re-write to be a question, and answer it. (self answered questions are encouraged).

– ctrl-alt-delor
Jan 20 at 15:57










0






active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f495239%2fxen-on-ubuntu-18-04-with-ipv4-nat-and-ipv6%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f495239%2fxen-on-ubuntu-18-04-with-ipv4-nat-and-ipv6%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to make a Squid Proxy server?

Is this a new Fibonacci Identity?

19世紀