Deploy Proxmox with KVM on a Hetzner server
This guide shows how to deploy Proxmox VE 5 with KVM, routing and NAT on a Hetzner server, with a focus on networking and DHCP/DHCPv6 for the VMs.
Assumptions
- The connected interface is enp4s0
- 192.0.2.62/27 is the public IP assigned by Hetzner
- 192.0.2.33 is the default gateway for the network
- 10.1.1.0/24 is the private block used on the VMs
- 2001:db8:1111:2222::/64 is the IPv6 block assigned to the host
- 2001:db8:1111:2222:81::/80 is the IPv6 block delegated to the VMs
- The domain name used in the VMs is my.cloud
- The host name of the hypervisor is hyper.my.cloud
- All the commands are run as root
The IPv4 and IPv6 addresses above are documentation ranges (RFC 5737 and RFC 3849); substitute the values shown for your server in the Hetzner Robot.
Deployment and Installation of Proxmox
Boot into rescue mode and run installimage. These are the settings for Custom image:
DRIVE1 /dev/sda
DRIVE2 /dev/sdb
SWRAID 1
SWRAIDLEVEL 1
BOOTLOADER grub
HOSTNAME hyper.my.cloud
PART /boot ext3 1G
PART lvm vg0 all
LV vg0 swap swap swap 64G
LV vg0 root / ext4 all
IMAGE /root/.oldroot/nfs/install/../images/Debian-90-stretch-64-minimal.tar.gz
After rebooting the system, follow the installation instructions from the Proxmox Wiki to install Proxmox on your new Debian Stretch.
Additional tasks before you continue
- Generate your SSL certificates (see the Proxmox Wiki). You will probably need to run apt-get install git first.
- Create a user and grant it the permissions it needs (see the Proxmox Wiki).
Warning!
The installation will be very slow until the RAID has finished its initial resync. You can check the progress by running:
cat /proc/mdstat
While the resync is running, the output looks like this:
Personalities : [raid1] [linear] [multipath] [raid0] [raid6] [raid5] [raid4] [raid10]
md1 : active raid1 sda2[0] sdb2[1]
2929084864 blocks super 1.2 [2/2] [UU]
[=>...................] resync = 6.4% (189365952/2929084864) finish=605.2min speed=75438K/sec
bitmap: 21/22 pages [84KB], 65536KB chunk
md0 : active raid1 sda1[0] sdb1[1]
1047552 blocks super 1.2 [2/2] [UU]
Network
Create /etc/network/interfaces
Make sure that the interfaces are configured as follows. vmbr0 bridges the physical interface and carries the public addresses; vmbr1 has no physical port and carries only the NATed VM network:
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
iface lo inet6 loopback
auto vmbr0
iface vmbr0 inet static
address 192.0.2.62
netmask 255.255.255.224
gateway 192.0.2.33
pointopoint 192.0.2.33
bridge_ports enp4s0
bridge_stp off
bridge_fd 0
up ip route add 192.0.2.32/27 via 192.0.2.33 dev vmbr0
# re-apply /etc/sysctl.d/local.conf once the bridge exists
# (sysctl -p alone would only read /etc/sysctl.conf)
up sysctl --system
iface vmbr0 inet6 static
address 2001:db8:1111:2222::2
netmask 64
gateway fe80::1
auto vmbr1
iface vmbr1 inet static
address 10.1.1.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
up iptables -t nat -A POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE
down iptables -t nat -D POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE
iface vmbr1 inet6 static
address 2001:db8:1111:2222:81::1
# the /80 delegated to the VMs lives on vmbr1; with the correct prefix
# length the kernel installs the connected route itself, and vmbr1 does
# not end up with a second copy of the /64 that vmbr0 already carries
netmask 80
Create /etc/sysctl.d/local.conf:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.enp4s0.disable_ipv6=0
net.ipv4.conf.enp4s0.proxy_arp=1
Now you can reboot and continue below.
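Before rebooting, it is worth checking that the address plan is internally consistent, because a mismatch between the interfaces file and the DHCP ranges only shows up later as VMs that cannot reach the outside. The script below is an added example and not part of the original guide: it encodes the assumptions from the top of the page (the PLAN dictionary is an assumption you replace with your own values) and reports the usual mistakes, such as a gateway outside the /27, a DHCP pool that hands out the bridge address, or a vmbr1 IPv6 prefix that is not a sub-prefix of the host's /64 (a netmask of 64 instead of 80 on vmbr1 is flagged).

```python
#!/usr/bin/env python3
"""Sanity-check the address plan before writing /etc/network/interfaces
and the dnsmasq ranges. Added example, not part of the original guide.
The values in PLAN are the guide's documentation addresses (RFC 5737 and
RFC 3849 ranges) and are assumptions; replace them with your own.
"""
import ipaddress

PLAN = {
    "public_ip": "192.0.2.62/27",               # vmbr0 address/netmask
    "gateway": "192.0.2.33",                    # Hetzner default gateway
    "vm_v4": "10.1.1.0/24",                     # private block for the VMs
    "vmbr1_v4": "10.1.1.1",                     # hypervisor address on vmbr1
    "dhcp4_range": ("10.1.1.10", "10.1.1.254"),
    "host_v6": "2001:db8:1111:2222::/64",       # /64 assigned by Hetzner
    "vmbr1_v6": "2001:db8:1111:2222:81::1/80",  # hypervisor address on vmbr1
    "dhcp6_range": ("2001:db8:1111:2222:81::1000",
                    "2001:db8:1111:2222:81::1fff"),
}


def _bounds(pair):
    lo, hi = (ipaddress.ip_address(a) for a in pair)
    return lo, hi


def check_plan(plan):
    """Return a list of problems found in the plan; an empty list means OK."""
    problems = []

    # Public side: the gateway must be another host inside the /27 on vmbr0.
    pub = ipaddress.ip_interface(plan["public_ip"])
    gw = ipaddress.ip_address(plan["gateway"])
    if gw not in pub.network or gw == pub.ip:
        problems.append(f"gateway {gw} is not another host in {pub.network}")

    # Private side: the VM block is NATed, so it must be RFC 1918; it must
    # contain the vmbr1 address, and the DHCPv4 pool must not hand out that
    # address or the broadcast address.
    vm4 = ipaddress.ip_network(plan["vm_v4"])
    br4 = ipaddress.ip_address(plan["vmbr1_v4"])
    lo4, hi4 = _bounds(plan["dhcp4_range"])
    if not vm4.is_private:
        problems.append(f"{vm4} is not a private block; MASQUERADE makes no sense")
    if br4 not in vm4:
        problems.append(f"vmbr1 address {br4} is outside {vm4}")
    if not (lo4 in vm4 and hi4 in vm4 and lo4 <= hi4):
        problems.append(f"DHCPv4 range {lo4}-{hi4} does not fit in {vm4}")
    elif lo4 <= br4 <= hi4 or hi4 == vm4.broadcast_address:
        problems.append("DHCPv4 range overlaps the vmbr1 or broadcast address")

    # IPv6: vmbr1 must carry a strict sub-prefix of the host's /64 (a /64 on
    # vmbr1 would duplicate the connected route vmbr0 already has), and the
    # DHCPv6 pool must sit inside that prefix without including ::1.
    host6 = ipaddress.ip_network(plan["host_v6"])
    br6 = ipaddress.ip_interface(plan["vmbr1_v6"])
    lo6, hi6 = _bounds(plan["dhcp6_range"])
    if br6.network.prefixlen <= host6.prefixlen or not br6.network.subnet_of(host6):
        problems.append(f"vmbr1 prefix {br6.network} is not a sub-prefix of "
                        f"{host6}; check the netmask on vmbr1")
    if not (lo6 in br6.network and hi6 in br6.network and lo6 <= hi6):
        problems.append(f"DHCPv6 range {lo6}-{hi6} is outside {br6.network}")
    elif lo6 <= br6.ip <= hi6:
        problems.append("DHCPv6 range hands out the vmbr1 address")
    return problems


if __name__ == "__main__":
    issues = check_plan(PLAN)
    print("\n".join(issues) if issues else "address plan OK")
    raise SystemExit(1 if issues else 0)
```

Run it as python3 check_plan.py; a non-zero exit means at least one finding was printed. The checks deliberately use only the standard ipaddress module so the script can run from the rescue system before anything else is installed.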
dnsmasq
To provide DHCP and DHCPv6 to the VMs out of the box, this guide uses dnsmasq:
apt-get install dnsmasq
After installing it, create the directories for the lease file and the TFTP root and hand them to the dnsmasq user:
mkdir -p /var/lib/dnsmasq/vmbr1/
mkdir -p /var/lib/tftpboot
chown -R dnsmasq /var/lib/dnsmasq/
chown -R dnsmasq /var/lib/tftpboot
Create /etc/dnsmasq.d/dnsmasq.conf:
# Serve only the VM bridge; never listen on the public interface.
no-hosts
except-interface=enp4s0
except-interface=lo
interface=vmbr1
no-negcache
domain=my.cloud
user=dnsmasq
strict-order
bind-interfaces
pid-file=/run/dnsmasq/dnsmasq.pid
# DHCPv4 pool: start, end, netmask, broadcast, lease time
dhcp-range=10.1.1.10,10.1.1.254,255.255.255.0,10.1.1.255,2h
dhcp-lease-max=4096
dhcp-no-override
dhcp-leasefile=/var/lib/dnsmasq/vmbr1/leases
addn-hosts=/var/lib/dnsmasq/hosts.LAN
dhcp-authoritative
# DHCPv6 pool inside the delegated /80, plus router advertisements
dhcp-range=2001:db8:1111:2222:81::1000,2001:db8:1111:2222:81::1fff,80,2h
enable-ra
dhcp-option=option6:dns-server,[2001:db8:1111:2222:81::1]
local=/my.cloud/
dhcp-fqdn
log-queries
log-dhcp
# You only need the rest if you plan to boot (Container Linux) from iPXE.
# "matchbox" resolves to the hypervisor, so the matchbox service is expected
# to listen there on port 8080.
enable-tftp
tftp-root=/var/lib/tftpboot
dhcp-userclass=set:ipxe,iPXE
dhcp-boot=tag:#ipxe,undionly.kpxe
dhcp-boot=tag:ipxe,http://matchbox:8080/boot.ipxe
address=/matchbox/2001:db8:1111:2222:81::1
address=/matchbox/10.1.1.1
Reverse DNS in the VM network
dnsmasq answers PTR queries for every entry in the addn-hosts file, so giving every address in the DHCPv6 pool a name up front gives every VM a working reverse record.
Create /usr/local/bin/show_ips.py:
#!/usr/bin/env python3
# Print the host part (hex) of every address in the DHCPv6 pool
# 2001:db8:1111:2222:81::1000 to ::1fff, one per line (4096 values).
start = 0x1000
end = 0x1fff
for i in range(start, end + 1):
    print(format(i, 'x'))
Create /var/lib/dnsmasq/hosts.LAN
This snippet creates a list of 4096 hosts with random names using the Python script above:
cat <<EOF> /var/lib/dnsmasq/hosts.LAN
2001:db8:1111:2222:81::1 hyper.my.cloud hyper
10.1.1.1 hyper.my.cloud hyper
EOF
chown dnsmasq /var/lib/dnsmasq/hosts.LAN
for IP in $(python3 /usr/local/bin/show_ips.py); do
    # md5sum prints "<32 hex digits>  -"; drop the trailing "  -" to keep the hex
    HASH=$(cat /proc/sys/kernel/random/uuid | md5sum)
    HOST=${HASH::-3}
    echo "2001:db8:1111:2222:81::${IP} ${HOST}.my.cloud ${HOST}" >> /var/lib/dnsmasq/hosts.LAN
done
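As an added example that is not part of the original guide, the following Python script does the job of show_ips.py and the shell loop in one place and, in addition, parses the result back before dnsmasq loads it, rejecting duplicate addresses and duplicate names (the same name is allowed to carry both an A and an AAAA record, as hyper.my.cloud does above). The domain, the pool bounds and the vm- label prefix are assumptions that mirror the configuration above.

```python
#!/usr/bin/env python3
"""Generate /var/lib/dnsmasq/hosts.LAN with a name for every address in the
DHCPv6 pool, so forward and reverse lookups work for any lease dnsmasq hands
out. Added example, not part of the original guide; DOMAIN, DHCP6_RANGE,
STATIC and the "vm-" prefix are assumptions mirroring the guide's config.
"""
import ipaddress
import secrets
import sys

DOMAIN = "my.cloud"
# Same bounds as the IPv6 dhcp-range line in dnsmasq.conf.
DHCP6_RANGE = ("2001:db8:1111:2222:81::1000", "2001:db8:1111:2222:81::1fff")
# Fixed entries for the hypervisor itself (AAAA and A for the same name).
STATIC = [("2001:db8:1111:2222:81::1", "hyper"), ("10.1.1.1", "hyper")]


def addresses(start, end):
    """Every address from start to end inclusive, as ipaddress objects."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {start}-{end}")
    # Offsetting lo keeps the address family; converting ints back with
    # ip_address() would turn small IPv6 values such as ::1 into IPv4.
    return [lo + i for i in range(int(hi) - int(lo) + 1)]


def random_label(used):
    """Return a fresh random DNS label, as the guide's md5-of-uuid loop does."""
    while True:
        label = "vm-" + secrets.token_hex(8)
        if label not in used:
            used.add(label)
            return label


def render_hosts(domain=DOMAIN, dhcp6_range=DHCP6_RANGE, static=STATIC):
    """Build the hosts-file text: '<address> <fqdn> <short name>' per line."""
    used = {name for _, name in static}
    lines = [f"{ip} {name}.{domain} {name}" for ip, name in static]
    for ip in addresses(*dhcp6_range):
        label = random_label(used)
        lines.append(f"{ip.compressed} {label}.{domain} {label}")
    return "\n".join(lines) + "\n"


def parse_hosts(text):
    """Parse hosts-file text into {address: fqdn}.

    Rejects a repeated address and a repeated name within one address family;
    one name may legitimately appear once for IPv4 and once for IPv6.
    """
    table, names = {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # hosts files allow # comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed line: {raw!r}")
        addr = ipaddress.ip_address(fields[0])
        fqdn = fields[1]
        if addr in table:
            raise ValueError(f"duplicate address {addr}")
        if (fqdn, addr.version) in names:
            raise ValueError(f"duplicate name {fqdn} for IPv{addr.version}")
        names.add((fqdn, addr.version))
        table[addr] = fqdn
    return table


if __name__ == "__main__":
    # Write to stdout; redirect into /var/lib/dnsmasq/hosts.LAN and chown it.
    text = render_hosts()
    parse_hosts(text)          # fail loudly rather than ship a broken file
    sys.stdout.write(text)
```

Run it as python3 gen_hosts.py > /var/lib/dnsmasq/hosts.LAN, then chown dnsmasq /var/lib/dnsmasq/hosts.LAN and restart dnsmasq. From a VM, dig -x 2001:db8:1111:2222:81::1000 @10.1.1.1 should return the generated name, and dig AAAA that name should return the address.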
Restart dnsmasq so it loads the new configuration and hosts file:
systemctl restart dnsmasq