Firewall VM not reachable via IPv6 on Hetzner

  • Hi,

    I have a problem with setting up the network on one of my servers, located at Hetzner. I want to have a pfSense VM as a firewall for the other VMs and LXC containers. There is an HAProxy running on this firewall VM as well, and I have made the web frontend reachable from the WAN side for easier config.

    For setting up IPv4 I have followed https://pratt.is/hetzner-und-proxmox-pfsense-als-gateway/ - this works quite reliably. This is the complete config of the interfaces on the hypervisor: https://pastebin.com/xjcSUYpU

    For the IPv6 config I tried Dominic Pratt's way as well, but without success. Currently I have a static IPv6 on my WAN interface; it has the first IP from the /64 subnet Hetzner gave me. On the LAN end I took another IP from this subnet and set the interface to /64 for SLAAC. As a result, the VMs get a v6 IP and can reach the internet via IPv6.

    On the other side I have a problem. Of course I have set up an AAAA record in the DNS to access the firewall. I have also set up some firewall rules so that one can connect to HAProxy. The proxy itself binds to the address I have set up on the WAN side. Now the problem:

    I can ping the firewall via its AAAA record perfectly well from the internet. However, it is not accessible via IPv6 at all, except for pings. Neither the web frontend nor HAProxy. Access from the LAN side works fine.

    What is strange: the firewall has an accept rule for IPv6 traffic from the WAN side. I can see the connection attempts in the firewall log; they are marked as "Pass". However, I do not see any connection attempts in the HAProxy log. The web frontend isn't accessible either.

    Where is my error? Does my interface config have a mistake somewhere?

    I think it isn't HAProxy's fault; it is reachable from the inside (via its WAN IP, though).
    It isn't the firewall's fault. It logs the connection as "pass".
    It cannot be due to missing IP forwarding in the hypervisor's kernel, since the VMs can communicate with the internet via IPv6. Strangely, they were able to do so as well when I had forgotten to activate net.ipv6.conf.all.forwarding in sysctl.

    For information: I am using Proxmox 6; the LXC containers are a fresh install from a Debian 10 template.

    Maybe someone has an idea.



  • @simonszu said in Firewall VM not reachable via IPv6 on Hetzner:

    Where is my error? Does my interface config have a mistake somewhere?

    Yes.
    Here:

    @simonszu said in Firewall VM not reachable via IPv6 on Hetzner:

    Currently I have a static IPv6 on my WAN interface; it has the first IP from the /64 subnet Hetzner gave me. On the LAN end I took another IP from this subnet

    The first IP from the /64 could / should be used on the LAN NIC.
    For the WAN, you should use some other IPv6 address ... as is shown here:

    @simonszu said in Firewall VM not reachable via IPv6 on Hetzner:

    https://pratt.is/hetzner-und-proxmox-pfsense-als-gateway/

    See the IPv6 page: the guy uses a DHCP6 client setup, certainly not a static WAN IPv6 setup.
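The reply's objection is that the WAN and LAN interfaces of the firewall both carry addresses from the same /64, so the firewall ends up with one prefix connected on two routed interfaces. The script below is an added example, not code from the thread or from pfSense: it parses a small interface layout and flags any pair of interfaces whose prefixes overlap, then checks that the LAN NIC holds the delegated /64 with its first address, as the reply recommends. The addresses are constructed from the 2001:db8::/32 documentation prefix and stand in for the single /64 Hetzner assigns; the "upstream" WAN prefix in the corrected layout is likewise a placeholder for whatever a DHCPv6 client would obtain.

```python
"""Flag firewall interface layouts where WAN and LAN share one IPv6 prefix.

Added example, not code from the thread. All addresses are constructed from
the 2001:db8::/32 documentation prefix.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for the /64 Hetzner hands out with the server.
HETZNER_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")

# Layout as described in the question: the first address of the /64 on WAN,
# another address from the same /64 on LAN (announced to VMs via SLAAC).
AS_POSTED: Dict[str, str] = {
    "wan": "2001:db8:1234:5678::1/64",
    "lan": "2001:db8:1234:5678::2/64",
}

# Layout along the lines of the reply: the whole /64 lives on the LAN NIC
# with its first address; the WAN uses an address from some other prefix
# (constructed here; in practice obtained by the DHCPv6 client).
AS_SUGGESTED: Dict[str, str] = {
    "wan": "2001:db8:ffff:1::2/64",
    "lan": "2001:db8:1234:5678::1/64",
}


def overlapping_pairs(ifaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name_a, name_b) for every interface pair whose prefixes overlap.

    A prefix connected on two routed interfaces gives the firewall two equal
    connected routes for it, which is exactly the layout the reply objects to.
    """
    networks = {name: ipaddress.ip_interface(cidr).network
                for name, cidr in ifaces.items()}
    names = sorted(networks)
    hits: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                hits.append((a, b))
    return hits


def lan_holds_prefix(ifaces: Dict[str, str],
                     prefix: ipaddress.IPv6Network) -> bool:
    """True when the LAN interface carries exactly the delegated prefix and
    uses its first address (the convention the reply recommends)."""
    lan = ipaddress.ip_interface(ifaces["lan"])
    return lan.network == prefix and lan.ip == prefix[1]


def check(ifaces: Dict[str, str],
          prefix: ipaddress.IPv6Network) -> List[str]:
    """Collect human-readable findings; an empty list means the layout is sane."""
    findings: List[str] = []
    for a, b in overlapping_pairs(ifaces):
        shared = ipaddress.ip_interface(ifaces[a]).network
        findings.append(f"{a} and {b} share prefix {shared}")
    if not lan_holds_prefix(ifaces, prefix):
        findings.append(f"lan does not carry {prefix} with its first address")
    return findings


if __name__ == "__main__":
    for label, layout in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        result = check(layout, HETZNER_PREFIX)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it as-is to see the posted layout flagged on both counts and the corrected one pass; to check a real box, replace the two dictionaries with the addresses actually configured on the pfSense WAN and LAN interfaces (the script only inspects prefixes, it does not explain the pass-but-no-connection symptom in the question).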