Andrei Borzenkov wrote:
On 27.04.2021 17:30, Per Jessen wrote:
Per Jessen wrote:
Andrei Borzenkov wrote:
However, Hetzner is complaining that some of our guest MAC addresses are "leaking out". AFAICT, this is happening in neighbour solicitations and advertisements, with the link-local addresses.
How exactly can you tell it? Do you have any packet capture?
Yes, I ran a tcpdump this morning to confirm what Hetzner told me. A tcpdump on "br0", looking for the two link-local addresses from my two DomUs.
see attached.
The DomU with 'fe80::216:3eff:febb:ac82' is currently down. It was running 15.3, but failed to boot after the latest 'zypper dup'.
Well, this does not show any MAC address, so is rather uninteresting.
I can post what Hetzner sent me, sorry about the folding:

-----------------%<-----------------
2021-04-27 08:18:33 2a01:4f8::a:22:2:639 info local3 fpc0 PFE_FW_SYSLOG_ETH_IP6_ICMP: FW: ge-0/0/29.0 A 86dd 00:16:3e:bb:ac:82 -> 4c:16:fc:c8:e2:c2 icmpv6 SA fe80:0:0:0:216:3eff:febb:ac82 -> DA fe80:0:0:0:0:0:0:1 type 136 code 0 (1 packets)
2021-04-27 08:18:34 2a01:4f8::a:22:2:639 info local3 fpc0 PFE_FW_SYSLOG_ETH_IP6_ICMP: FW: ge-0/0/29.0 A 86dd 00:16:3e:bb:ac:82 -> 4c:16:fc:c8:e2:c2 icmpv6 SA fe80:0:0:0:216:3eff:febb:ac82 -> DA fe80:0:0:0:0:0:0:1 type 136 code 0 (1 packets)
-----------------%<-----------------

Just now trying to see what I get with 'tcpdump ether'.
I suspect there is some misunderstanding and proxy_arp is actually red herring.
You cannot use proxy ARP/NDP to hide MAC addresses on bridge. Even assuming proxy works, it will only handle ARP/NDP - it will *not* replace MAC address in any other packet.
Hmmm. Okay.
When proxy ARP/NDP is used, actual packet delivery after LL address has been determined is handled by L3 switching which explains why MAC addresses do not leak (because packet delivery remains local to each LAN segment). But you are on bridge so no L3. Proxied host will attempt to send packet directly using its own MAC address.
hmm, yes, that is what it looks like with 'tcpdump ether' too. Okay, I'll have to use NAT'ing instead I guess.

--
Per Jessen, Zürich (20.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
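A small triage script for the situation described in the thread, added here as an example; it is not part of the original mail exchange and not something Hetzner or the list participants posted. It takes firewall log lines in the same layout as the PFE_FW_SYSLOG_ETH_IP6_ICMP lines quoted above (the sample lines below are constructed, with the Dom0 NIC MAC `a8:a1:59:aa:bb:cc` and a second guest MAC `52:54:00:12:34:56` invented for illustration), pulls out the Ethernet source MAC of each frame the provider saw on the uplink port, counts every source MAC other than the one MAC the host is supposed to present, and flags the ones carrying the Xen default OUI `00:16:3e`. On a bridge, any DomU MAC in that list is exactly the "leak" the provider is complaining about, because the bridge forwards the guest's frames to the uplink with the guest's own source MAC.

```shell
#!/bin/sh
# Constructed sample of provider firewall log lines, same field layout as the
# lines quoted in the thread: "... <ethertype> <src_mac> -> <dst_mac> ...".
# The MACs a8:a1:59:aa:bb:cc (Dom0 NIC) and 52:54:00:12:34:56 are invented.
SAMPLE_LOG='2021-04-27 08:18:33 2a01:4f8::a:22:2:639 info local3 fpc0 PFE_FW_SYSLOG_ETH_IP6_ICMP: FW: ge-0/0/29.0 A 86dd 00:16:3e:bb:ac:82 -> 4c:16:fc:c8:e2:c2 icmpv6 SA fe80:0:0:0:216:3eff:febb:ac82 -> DA fe80:0:0:0:0:0:0:1 type 136 code 0 (1 packets)
2021-04-27 08:18:34 2a01:4f8::a:22:2:639 info local3 fpc0 PFE_FW_SYSLOG_ETH_IP6_ICMP: FW: ge-0/0/29.0 A 86dd 00:16:3e:bb:ac:82 -> 4c:16:fc:c8:e2:c2 icmpv6 SA fe80:0:0:0:216:3eff:febb:ac82 -> DA fe80:0:0:0:0:0:0:1 type 136 code 0 (1 packets)
2021-04-27 08:18:35 2a01:4f8::a:22:2:639 info local3 fpc0 PFE_FW_SYSLOG_ETH_IP6_ICMP: FW: ge-0/0/29.0 A 86dd 52:54:00:12:34:56 -> 4c:16:fc:c8:e2:c2 icmpv6 SA fe80:0:0:0:5054:ff:fe12:3456 -> DA fe80:0:0:0:0:0:0:1 type 135 code 0 (1 packets)
2021-04-27 08:18:36 2a01:4f8::a:22:2:639 info local3 fpc0 PFE_FW_SYSLOG_ETH_IP6_ICMP: FW: ge-0/0/29.0 A 86dd a8:a1:59:aa:bb:cc -> 4c:16:fc:c8:e2:c2 icmpv6 SA fe80:0:0:0:aaa1:59ff:feaa:bbcc -> DA fe80:0:0:0:0:0:0:1 type 136 code 0 (1 packets)'

# leaked_domu_macs ALLOWED_MAC < logfile
# Prints "<src_mac> <count>" for every Ethernet source MAC in the log that is
# not ALLOWED_MAC (the MAC the provider expects on this port, i.e. the Dom0 NIC).
# The source MAC is the field immediately before the first "->" token that
# looks like a colon-separated 6-octet MAC; the IPv6 "SA ... -> DA" pair later
# in the line does not match that shape and is ignored.
leaked_domu_macs() {
    awk -v allowed="$1" '
    {
        src = ""
        for (i = 1; i < NF; i++) {
            if ($(i+1) == "->" && length($i) == 17 &&
                $i ~ /^[0-9a-fA-F][0-9a-fA-F](:[0-9a-fA-F][0-9a-fA-F])+$/) {
                src = tolower($i)
                break
            }
        }
        if (src != "" && src != tolower(allowed)) count[src]++
    }
    END { for (m in count) printf "%s %d\n", m, count[m] }
    ' | sort
}

# is_xen_oui MAC: succeeds when the MAC uses the Xen default OUI 00:16:3e,
# which is what xl/libxl assigns to DomU vifs unless the config overrides it.
is_xen_oui() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        00:16:3e:*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Report: one line per foreign MAC, tagged when it is a Xen guest MAC.
report_leaks() {
    leaked_domu_macs "$1" | while read -r mac n; do
        if is_xen_oui "$mac"; then
            printf '%s seen %s times: Xen DomU MAC leaked through the bridge\n' "$mac" "$n"
        else
            printf '%s seen %s times: foreign MAC, check other guests/containers\n' "$mac" "$n"
        fi
    done
}

# Usage on the constructed sample, with the (invented) Dom0 NIC MAC allowed:
printf '%s\n' "$SAMPLE_LOG" | report_leaks "a8:a1:59:aa:bb:cc"
```

To produce the same view locally instead of waiting for the provider's log, capture on the uplink side of the bridge with the link-layer header shown, e.g. `tcpdump -e -n -i br0 'icmp6 and ip6[40] == 136'` (the `ip6[40]` byte is the ICMPv6 type when no extension headers precede it; 136 is Neighbor Advertisement, 135 is Neighbor Solicitation). Any frame whose `-e` source MAC is a `00:16:3e` address will also be the source MAC the switch sees, which is the point Andrei makes above: proxy ARP/NDP only answers the address resolution, it never rewrites the source MAC of the frames the DomU then sends itself.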