Setting the scene
Recently I found out the hard way that Hetzner frowns upon MAC addresses on their switch ports they don’t know, so they blocked my server.
What happened: The wan interface was a member of the bridge connecting my virtual machines, because from what I knew back then that was the only way to provide the VMs with IPv6 addresses from the Hetzner subnet. So their MAC addresses (52:54:…) went out to the switch. This was so bad that they didn’t even allow me to unlock it temporarily to fix the problem!
What I did: Reboot the server via the robot to shut down. They aren’t started automatically on boot. Then notify Hetzner via the robot that I fixed the problem by reconfiguring the network configuration. They replied very quickly by checking for foreign MAC addresses and, since they found none, unlocked my server. Now I had a chance to reconfigure the network without using their hardware KVM.
The fix
First thing to do, was remove the wan interface from the bridge. That was a remnant from a completely bridged setup from long ago, anyway. Since all IP4 traffic was routed, that wasn’t a problem. IPv6 was a problem, though. The router announcements from radvd worked, but neighbor discovery didn’t, so the VMs didn’t have IPv6 connectivity.
I finally found this article: It boils down to:
- Give the wan interface a single IPv6 address from your assigned network (netmask /128) to make it a part of it.
- Assign the bridge the same address, only with a /64 netmask!
The article does it for Debian. Translated to systemd-networkd I ended up with this:
The wan interface
/etc/systemd/network/wan.network
[Match]
Name=wan <- The interface name is set by an udev rule
[Network]
Address=2001:db8::2/128 <- /128 is the clue!!!
Gateway=<replace.with.ipv4.gateway>
Gateway=fe80::1 <- This is literal!!!
[Address]
Address=<your.ipv4.address>
Peer=<the.peer>/32
Create the bridge
[NetDev] Name=br0 Kind=bridge
Do not attach the wan interface to the bridge!
Configure the bridge
[Match] Name=br0 [Network] Address=192.168.0.1/24 <- Your private IPv4 VM network Address=2001:db8::2/64 <- YES, this is the same address as wan!
Don’t be alarmed if br0 is not configured and down on reboot. Once you start a VM using the bridge it will be taken up and have all the right addresses. If you add the IPv6 address manually with ip, you will loose IPv6 connectivity, since the kernel creates a useless default route! You have been warned!
Works like a charm (for now)!