Dedicated Linux Debian Proxmox Server. Load-balancing Virtual Machine Services.
Network : 2a01:cb1d:0005:af00:0000:0000:0000:0000/56
Network range : 2a01:cb1d:0005:af00:0000:0000:0000:0000-2a01:cb1d:0005:afff:ffff:ffff:ffff:ffff
Network : 2a01:cb1d:0005:af00:1800:0000:0000:0000/70
Network range : 2a01:cb1d:0005:af00:1800:0000:0000:0000-2a01:cb1d:0005:af00:1bff:ffff:ffff:ffff
Ethernet interfaces :
root@srv-fr:~ # lshw -C network *-network description: Ethernet interface produit: 82599ES 10-Gigabit SFI/SFP+ Network Connection fabriquant: Intel Corporation identifiant matériel: 0 information bus: pci@0000:01:00.0 nom logique: enp1s0 version: 01 numéro de série: 00:1b:21:bc:c7:0e taille: 10Gbit/s capacité: 10Gbit/s bits: 64 bits horloge: 33MHz fonctionnalités: pm msi msix pciexpress vpd bus_master cap_list rom ethernet physical fibre 10000bt-fd configuration: autonegotiation=off broadcast=yes driver=ixgbe driverversion=6.8.12-8-pve duplex=full firmware=0x00012b2c latency=0 link=yes multicast=yes port=fibre speed=10Gbit/s ressources: irq:16 mémoire:51400000-5147ffff portE/S:3000(taille=32) mémoire:51500000-51503fff mémoire:51480000-514fffff mémoire:51504000-51603fff mémoire:51604000-51703fff
root@srv-fr:~ # brctl show bridge name bridge id STP enabled interfaces gatebr0 8000.001b21bcc70e no enp1s0 vmbr0 8000.16faeaefe802 yes tap100i0 vmbr1 8000.9e76818e82ad yes tap101i0
gatebr0 : 2a01:cb1d:0005:af00:1ab3:0000:0000:0001/128
2a01:cb1d:0005:af00:1aff:00ff:00ff:00ff/70
fc01::10:106:0:252/124
⇆ (GATE) SFP+ 10GiG ⇆ SFP+ 10GiG
# /etc/sysctl.conf net.ipv6.conf.gatebr0.forwarding = 1 net.ipv6.conf.gatebr0.autoconf = 0 net.ipv6.conf.gatebr0.accept_redirects = 1 net.ipv6.conf.gatebr0.accept_ra = 2 net.ipv6.conf.gatebr0.proxy_ndp = 1 net.ipv6.conf.gatebr0.accept_source_route = 0 net.ipv6.conf.gatebr0.use_tempaddr = 0
root@srv-fr:~ # ip6tables -L FORWARD -vn Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 785 538K aICMPs 58 -- * * ::/0 ::/0 0 0 ACCEPT 0 -- lo * ::/0 ::/0 0 0 ACCEPT 0 -- * lo ::/0 ::/0 523K 544M ACCEPT 0 -- * * fc00::/7 fc00::/7 0 0 ACCEPT 0 -- * * ff00::/8 ff00::/8 0 0 ACCEPT 0 -- * * fe80::/10 fe80::/10 0 0 ACCEPT 0 -- * * fec0::/10 fec0::/10 10M 768M ACCEPT 0 -- * * fec0::/10 fc00::/7 5305K 474M ACCEPT 0 -- * * fc00::/7 fec0::/10 1975K 211M ACCEPT 0 -- vmbr0 gatebr0 ::/0 ::/0 2421K 3514M ACCEPT 0 -- gatebr0 vmbr0 ::/0 ::/0 30694 18M ACCEPT 0 -- vmbr1 gatebr0 ::/0 ::/0 33295 35M ACCEPT 0 -- gatebr0 vmbr1 ::/0 ::/0 0 0 ACCEPT 0 -- vmbr0 vmbr1 ::/0 ::/0 0 0 ACCEPT 0 -- vmbr1 vmbr0 ::/0 ::/0
root@srv-fr:~ # ip6tables -L -vn -t nat Chain PREROUTING (policy ACCEPT 2737K packets, 220M bytes) pkts bytes target prot opt in out source destination 1 64 DNAT 6 -- * * ::/0 2a01:cb1d:5:af00:1ab3::1 tcp dpt:53 to::53 4 347 DNAT 17 -- * * ::/0 2a01:cb1d:5:af00:1ab3::1 udp dpt:53 to::53 Chain INPUT (policy ACCEPT 2135 packets, 153K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 1918 packets, 181K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2737K packets, 220M bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE 0 -- * gatebr0 fc01::10:116:42:0/112 !fc00::/7 0 0 MASQUERADE 0 -- * gatebr0 fc01::10:126:42:0/112 !fc00::/7
root@srv-fr:~ # ip -6 route show dev gatebr0 2a01:cb1d:5:af00:1ab3::/80 proto kernel metric 256 pref medium fc01::10:106:0:250/124 proto kernel metric 256 pref medium fe80::/64 proto kernel metric 256 pref medium default via fc01::10:106:0:254 proto kernel metric 1024 onlink pref medium default via fe80::7c18:ddff:febb:3f7d proto ra metric 1024 expires 28sec hoplimit 64 pref medium
root@srv-fr:~ # ip -6 neighbor show proxy
vmbr0 : fc01::10:116:0:252/112
⇆ (vHost1) LOC 10GiG
# /etc/sysctl.conf net.ipv6.conf.vmbr0.forwarding = 1 net.ipv6.conf.vmbr0.autoconf = 0 net.ipv6.conf.vmbr0.accept_redirects = 1 net.ipv6.conf.vmbr0.accept_ra = 2 net.ipv6.conf.vmbr0.proxy_ndp = 1 net.ipv6.conf.vmbr0.accept_source_route = 0 net.ipv6.conf.vmbr0.use_tempaddr = 0
root@srv-fr:~ # ip -6 route show dev vmbr0 2a01:cb1d:5:af00:1ab3:116::/96 via fc01::10:116:0:1 metric 1024 pref medium fc01::10:116:0:0/112 proto kernel metric 256 pref medium fc01::10:116:42:0/112 via fc01::10:116:0:1 metric 1024 pref medium fe80::/64 proto kernel metric 256 pref medium
Network : 2a01:cb1d:0005:af00:1ab3:0116:0000:0000/96
Network range : 2a01:cb1d:0005:af00:1ab3:0116:0000:0000-2a01:cb1d:0005:af00:1ab3:0116:ffff:ffff
Ethernet interfaces :
root@srv-fr.h1:~ $ lshw -C network *-network description: Ethernet controller produit: Virtio network device fabriquant: Red Hat, Inc. identifiant matériel: 12 information bus: pci@0000:00:12.0 version: 00 bits: 64 bits horloge: 33MHz fonctionnalités: msix bus_master cap_list rom configuration: driver=virtio-pci latency=0 ressources: irq:10 portE/S:f060(taille=32) mémoire:fea52000-fea52fff mémoire:fd604000-fd607fff mémoire:fea00000-fea3ffff *-virtio1 description: Ethernet interface identifiant matériel: 0 information bus: virtio@1 nom logique: ens18 numéro de série: bc:24:11:9b:a1:af fonctionnalités: ethernet physical configuration: autonegotiation=off broadcast=yes driver=virtio_net driverversion=1.0.0 link=yes multicast=yes
root@srv-fr.h1:~ $ brctl show bridge name bridge id STP enabled interfaces vmbr0 8000.928dac2b1e6a no ens18 vmbr1 8000.e2c3d33147fd yes veth100i0 veth101i0 veth102i0 veth103i0
vmbr0 : 2a01:cb1d:0005:af00:1ab3:0116:0000:0001/128
fc01:0000:0000:0000:0010:0116:0000:0001/128
# /etc/sysctl.conf net.ipv6.conf.vmbr0.forwarding = 1 net.ipv6.conf.vmbr0.autoconf = 0 net.ipv6.conf.vmbr0.accept_redirects = 1 net.ipv6.conf.vmbr0.accept_ra = 2 net.ipv6.conf.vmbr0.proxy_ndp = 1 net.ipv6.conf.vmbr0.accept_source_route = 0 net.ipv6.conf.vmbr0.use_tempaddr = 0
root@srv-fr.h1:~ $ ip6tables -L FORWARD -vn Chain FORWARD (policy DROP 148 packets, 10944 bytes) pkts bytes target prot opt in out source destination 1158 496K aICMPs 58 -- * * ::/0 ::/0 0 0 ACCEPT 0 -- lo * ::/0 ::/0 0 0 ACCEPT 0 -- * lo ::/0 ::/0 15078 34M ACCEPT 0 -- * * fc00::/7 fc00::/7 0 0 ACCEPT 0 -- * * ff00::/8 ff00::/8 54 3888 ACCEPT 0 -- * * fe80::/10 fe80::/10 0 0 ACCEPT 0 -- * * fec0::/10 fec0::/10 2896K 223M ACCEPT 0 -- * * fec0::/10 fc00::/7 1504K 177M ACCEPT 0 -- * * fc00::/7 fec0::/10 1990K 213M ACCEPT 0 -- vmbr1 vmbr0 ::/0 ::/0 2298K 3496M ACCEPT 0 -- vmbr0 vmbr1 ::/0 ::/0
root@srv-fr.h1:~ $ ip6tables -L -vn -t nat Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2 178 MASQUERADE 0 -- * vmbr0 fc01::10:116:42:0/112 !fc00::/7
root@srv-fr.h1:~ $ ip -6 route show dev vmbr0 2a01:cb1d:5:af00:1ab3:116::/96 proto kernel metric 256 pref medium fc01::10:116:0:0/112 proto kernel metric 256 pref medium fe80::/64 proto kernel metric 256 pref medium default via fc01::10:116:0:252 metric 1024 onlink pref medium
root@srv-fr.h1:~ $ ip -6 neighbor show proxy
vmbr1 : 2a01:cb1d:0005:af00:1ab3:0116:00ff:ffff/96
fc01:0000:0000:0000:0010:0116:0042:ffff/112
# /etc/sysctl.conf net.ipv6.conf.vmbr1.forwarding = 1 net.ipv6.conf.vmbr1.autoconf = 0 net.ipv6.conf.vmbr1.accept_redirects = 1 net.ipv6.conf.vmbr1.accept_ra = 2 net.ipv6.conf.vmbr1.proxy_ndp = 1 net.ipv6.conf.vmbr1.accept_source_route = 0 net.ipv6.conf.vmbr1.use_tempaddr = 0
root@srv-fr.h1:~ $ ip -6 route show dev vmbr1 2a01:cb1d:5:af00:1ab3:116:42:0/112 metric 1024 pref medium fc01::10:116:42:0/112 proto kernel metric 256 pref medium fe80::/64 proto kernel metric 256 pref medium
Linux child containers (LXC) :
2a01:cb1d:0005:af00:1ab3:0116:0042:1000/112
(NS1) - Name Server
fc01:0000:0000:0000:0010:0116:0042:1000/112
2a01:cb1d:0005:af00:1ab3:0116:0042:0010/124
(WE1) - BackEnd Web Server
fc01:0000:0000:0000:0010:0116:0042:0010/112
2a01:cb1d:0005:af00:1ab3:0116:0042:0db1/124
(DB1) - Databases
fc01:0000:0000:0000:0010:0116:0042:0db1/112
2a01:cb1d:0005:af00:1ab3:0116:0042:0ad0/124
(AD0) - Active Directory : Domain controller for inter-site (global) networks.
fc01:0000:0000:0000:0010:0116:0042:0ad0/7
vmbr1 : fc01::10:126:0:252/112
⇆ (vHost2) LOC 10GiG
# /etc/sysctl.conf net.ipv6.conf.vmbr1.forwarding = 1 net.ipv6.conf.vmbr1.autoconf = 0 net.ipv6.conf.vmbr1.accept_redirects = 1 net.ipv6.conf.vmbr1.accept_ra = 2 net.ipv6.conf.vmbr1.proxy_ndp = 1 net.ipv6.conf.vmbr1.accept_source_route = 0 net.ipv6.conf.vmbr1.use_tempaddr = 0
root@srv-fr:~ # ip -6 route show dev vmbr1 2a01:cb1d:5:af00:1ab3:126::/96 via fc01::10:126:0:1 metric 1024 pref medium fc01::10:126:0:0/112 proto kernel metric 256 pref medium fc01::10:126:42:0/112 via fc01::10:126:0:1 metric 1024 pref medium fe80::/64 proto kernel metric 256 pref medium
Network : 2a01:cb1d:0005:af00:1ab3:0126:0000:0000/96
Network range : 2a01:cb1d:0005:af00:1ab3:0126:0000:0000-2a01:cb1d:0005:af00:1ab3:0126:ffff:ffff
Ethernet interfaces :
root@srv-fr.h2:~ $ lshw -C network *-network description: Ethernet controller produit: Virtio network device fabriquant: Red Hat, Inc. identifiant matériel: 12 information bus: pci@0000:00:12.0 version: 00 bits: 64 bits horloge: 33MHz fonctionnalités: msix bus_master cap_list rom configuration: driver=virtio-pci latency=0 ressources: irq:10 portE/S:f060(taille=32) mémoire:fea52000-fea52fff mémoire:fd604000-fd607fff mémoire:fea00000-fea3ffff *-virtio1 description: Ethernet interface identifiant matériel: 0 information bus: virtio@1 nom logique: ens18 numéro de série: bc:24:11:68:22:1c taille: 10Gbit/s fonctionnalités: ethernet physical configuration: autonegotiation=off broadcast=yes driver=virtio_net driverversion=1.0.0 duplex=full link=yes multicast=yes speed=10Gbit/s
root@srv-fr.h2:~ $ brctl show bridge name bridge id STP enabled interfaces vmbr0 8000.36ef42f817a1 no ens18 vmbr1 8000.6630798a397c yes veth100i0 veth101i0 veth102i0 veth103i0
vmbr0 : 2a01:cb1d:0005:af00:1ab3:0126:0000:0001/128
fc01:0000:0000:0000:0010:0126:0000:0001/128
# /etc/sysctl.conf net.ipv6.conf.vmbr0.forwarding = 1 net.ipv6.conf.vmbr0.autoconf = 0 net.ipv6.conf.vmbr0.accept_redirects = 1 net.ipv6.conf.vmbr0.accept_ra = 2 net.ipv6.conf.vmbr0.proxy_ndp = 1 net.ipv6.conf.vmbr0.accept_source_route = 0 net.ipv6.conf.vmbr0.use_tempaddr = 0
root@srv-fr.h2:~ $ ip6tables -L FORWARD -vn Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 157 101K aICMPs 58 -- * * ::/0 ::/0 0 0 ACCEPT 0 -- lo * ::/0 ::/0 0 0 ACCEPT 0 -- * lo ::/0 ::/0 418K 493M ACCEPT 0 -- * * fc00::/7 fc00::/7 0 0 ACCEPT 0 -- * * ff00::/8 ff00::/8 0 0 ACCEPT 0 -- * * fe80::/10 fe80::/10 0 0 ACCEPT 0 -- * * fec0::/10 fec0::/10 7568K 561M ACCEPT 0 -- * * fec0::/10 fc00::/7 3903K 305M ACCEPT 0 -- * * fc00::/7 fec0::/10 27434 17M ACCEPT 0 -- vmbr1 vmbr0 ::/0 ::/0 30060 35M ACCEPT 0 -- vmbr0 vmbr1 ::/0 ::/0
root@srv-fr.h2:~ $ ip6tables -L -vn -t nat Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 5128 447K MASQUERADE 0 -- * vmbr0 fc01::10:126:42:0/112 !fc00::/7
root@srv-fr.h2:~ $ ip -6 route show dev vmbr0 2a01:cb1d:5:af00:1ab3:126::/96 proto kernel metric 256 pref medium fc01::10:126:0:0/112 proto kernel metric 256 pref medium fe80::/64 proto kernel metric 256 pref medium default via fc01::10:126:0:252 metric 1024 onlink pref medium
root@srv-fr.h2:~ $ ip -6 neighbor show proxy
vmbr1 : 2a01:cb1d:0005:af00:1ab3:0126:00ff:ffff/96
fc01:0000:0000:0000:0010:0126:0042:ffff/112
# /etc/sysctl.conf net.ipv6.conf.vmbr1.forwarding = 1 net.ipv6.conf.vmbr1.autoconf = 0 net.ipv6.conf.vmbr1.accept_redirects = 1 net.ipv6.conf.vmbr1.accept_ra = 2 net.ipv6.conf.vmbr1.proxy_ndp = 1 net.ipv6.conf.vmbr1.accept_source_route = 0 net.ipv6.conf.vmbr1.use_tempaddr = 0
root@srv-fr.h2:~ $ ip -6 route show dev vmbr1 2a01:cb1d:5:af00:1ab3:126:42:0/112 metric 1024 pref medium fc01::10:126:42:0/112 proto kernel metric 256 pref medium fe80::/64 proto kernel metric 256 pref medium
Linux child containers (LXC) :
2a01:cb1d:0005:af00:1ab3:0126:0042:1000/112
(NS2) - Name Server
fc01:0000:0000:0000:0010:0126:0042:1000/112
2a01:cb1d:0005:af00:1ab3:0126:0042:0010/124
(WE2) - BackEnd Web Server
fc01:0000:0000:0000:0010:0126:0042:0010/112
2a01:cb1d:0005:af00:1ab3:0126:0042:0bdd/124
(BDD) - Base de données
fc01:0000:0000:0000:0010:0126:0042:0bdd/112
2a01:cb1d:0005:af00:1ab3:0126:0042:0bdc/124
(BDC) - Backup Domain Controller : Domain controller for the local network.
fc01:0000:0000:0000:0010:0126:0042:0bdc/64
No joke: since you never know what people will do with all this information, I'm adding a /.well-known/security.txt file to the default directory of the web servers, so that anyone who finds a problem knows how to reach me ; hoping you're not too mean.
🔑 How to configure strongSwan v6 Post-Quantum Cryptography NIST compliant #2731 : https://github.com/strongswan/strongswan/discussions/2731
🌐 Create your network map with the GestióIP IPv4/IPv6 subnet calculator : http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
🖧 The IPv6 ULA (Unique Local Address) network configuration from my home to the servers, shown in this image : https://howto.zw3b.fr/pub/vpn/strongSwan-v6.0/network_map-ipv10.jpg
IPv4/IPv6 FrontEnd Web Services with a French IP address :
TODO : Install an Active Directory domain controller (currently it's just the Samba service) - Introduction : AD integration on Ubuntu Server.