On Sat, Nov 15, 2025 at 08:40:56PM +0000, H. Hartzer wrote:
> On Sat Nov 15, 2025 at 7:52 PM UTC, Crystal Kolipe wrote:
> >> My first test was to put each VM on its own veb and route the /112 out
> >> of the physical ethernet interface. This seems like it would work, in
> >> theory, but the host doesn't respond to icmp6 "who-has"-style requests
> >> for a VM's IP. Thus, the upstream router doesn't know to address traffic
> >> to the host's MAC, and for it to forward it on.
> >
> > To make that setup work, you could use proxy NDP on the host.
>
> Interesting!
>
> So to do that, would I run something like this?
>
> ndp -s 2001:db8::1 (mac address of physical nic) proxy

ndp (and arp) work by sending route socket messages. if you can do it for
one ip with ndp you should be able to do it with a whole prefix with
route(8). i'd run `route monitor` in one terminal and the ndp command in
the other, to figure out what flags and addresses are needed, and then try
and reproduce it with route(8).

> It seems like I would have to do this for every address in the range, if
> I understand it correctly. Of course if it supports a whole range, it
> would seem more practical.
>
> > By the way, /112 is a fairly small allocation for IPv6.
>
> Indeed, it is. Maybe /72 would be more sensible for what I'm doing,
> though I'm not really sure how many would exhaust even a /112.
>
> I'm not sure this design is the best. I'll have to test some different
> possibilities. I guess one benefit is that I could run rad on each
> per-VM bridge interface and get stateless addresses. From what I
> understand, OpenBSD and no other mainstream OSs support stateless IP
> assignment with prefixes smaller than a /64. For OpenBSD it would be
> convenient, though no others that I am aware of.

i have vague memories that the /64 thing was relaxed in openbsd and you
could use longer prefixes. it's worth a try.

> Of course I can also do cloudinit + config drive and manually assign
> this, but it is handy to be able to run other things and have it work
> out-of-the-box. Debian, netboot.xyz/iPXE, etc.
>
> Now one hack might be to let someone "use" a space within the range, but
> give them the whole /64 through router advertisements. You'd enforce the
> stateless address through clever mac address assigning to predictably
> give you the range. This would only work with... /102 and smaller, I
> think. And you'd have to ifconfig inet6 -temporary on OpenBSD, since
> those wouldn't work.

why is it important that each vm gets a prefix out of the /64? could the
vms (and the host) share the /64?

are you trying to apply policy somewhere else in the network to each vm
and therefore need to lock them down to a prefix to be able to enforce
that?
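The "clever MAC assignment" idea in the quoted message relies on the fact that classic SLAAC derives the interface identifier deterministically from the MAC (modified EUI-64, RFC 4291 Appendix A), so a VM's autoconfigured address is predictable before it boots and one can check whether it lands inside the sub-range that VM is allowed to use. The following is an added example, not code from this thread or from OpenBSD; the prefix, MAC addresses and sub-range are constructed sample values. It assumes hosts use EUI-64 identifiers rather than temporary or stable-privacy ones (which is exactly why the message notes that temporary addresses would have to be disabled), and it makes no claim about which prefix length is the cutoff for the scheme.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 App. A).

    The MAC is split in two, 0xFFFE is inserted in the middle, and the
    universal/local bit (bit 0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    # The first octet occupies bits 63..56 of the 64-bit identifier, so the
    # 0x02 bit of that octet is bit 57 of the integer.
    return int.from_bytes(iid, "big") ^ (1 << 57)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure from an advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def in_subrange(addr: ipaddress.IPv6Address, subprefix: str) -> bool:
    """True if the derived address falls inside the sub-range allotted to a VM."""
    return addr in ipaddress.IPv6Network(subprefix, strict=False)


def check_vm_plan(prefix: str, plan: dict[str, tuple[str, str]]) -> dict[str, bool]:
    """For each VM name -> (mac, allowed_subrange), report whether the address
    SLAAC would produce actually lands in the allowed sub-range."""
    return {
        name: in_subrange(slaac_address(prefix, mac), allowed)
        for name, (mac, allowed) in plan.items()
    }


if __name__ == "__main__":
    # Constructed sample plan: two VMs given MACs that differ only in the
    # low bytes, and one whose MAC breaks the pattern.
    plan = {
        "vm-a": ("00:11:22:33:44:55", "2001:db8::211:22ff:fe33:0/112"),
        "vm-b": ("00:11:22:33:44:56", "2001:db8::211:22ff:fe33:0/112"),
        "vm-c": ("00:11:22:34:44:55", "2001:db8::211:22ff:fe33:0/112"),
    }
    for name, (mac, _) in plan.items():
        print(name, mac, slaac_address("2001:db8::/64", mac))
    print(check_vm_plan("2001:db8::/64", plan))
```

Running it shows that the first two MACs autoconfigure into the sample /112 while the third does not, which is the kind of pre-boot check one would want before relying on MAC assignment to keep VMs inside their range; a guest that enables temporary or RFC 7217 stable-privacy addresses will not follow this derivation at all.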

