I run a few Proxmox VE hosts with multiple network interfaces and recently added a untagged interface to be passed through to containers:
┌────────────┐ ┌──────┐ ┌─────────────┐ │ Public │ vmbr1 │ │ vmbr0 │ Management │ │ Untagged ├───────┤ PVE ├───┬───┤ Untagged v10│ │ IPv6+IPv4 │ │ │ │ │ IPv4 │ └────────────┘ └──────┘ │ └─────────────┘ │ │ ┌─────────────┐ │ │ Private │ └───┤ Tagged v20 │ │ IPv6+IPv4 │ └─────────────┘
This was working, but I noticed that some backup status emails were bouncing because they were being send over IPv6 and PTR didn’t match:
<[email@example.com](mailto:firstname.lastname@example.org)>: host [aspmx.l.google.com](http://aspmx.l.google.com/)[2607:f8b0:4023::redact] said: 550-5.7.1 [2602:fc0d::redact] Our system has detected that this 550-5.7.1 message does not meet IPv6 sending guidelines regarding PTR records 550-5.7.1 and authentication. Please review 550-5.7.1 [https://support.google.com/mail/?p=IPv6AuthError](https://support.google.com/mail/?p=IPv6AuthError) for more information 550 5.7.1 . m5-20020a252605000000b008b454a588bcsi6031513ybm.298 - gsmtp (in reply to end of DATA command)
Which, ?!?! because I hadn’t migrated management from IPv4 to IPv6 yet, so it shouldn’t have any routable IPv6 addresses. Except, it did.
The public vmbr was getting an address from SLAAC despite not having any config in
So box was able to talk to the internet over an interface that should have only been for public VMs.
Solution: Disable autoconf by adding the following to
/etc/sysctl.conf & reboot:
net.ipv6.conf.vmbr1.autoconf=0 net.ipv6.conf.vmbr1.accept_ra=0 net.ipv6.conf.vmbr1.addr_gen_mode=1
You don’t really have to reboot. You can set the sysctls and delete the public & fe80 IPs instead.