On Tue, Apr 27, 2021 at 3:22 PM Per Jessen <per@computer.org> wrote:
> On some servers we rent at Hetzner, we have recently (in the last month) begun to run Xen - and the Xen guests obviously have "made up" MAC addresses, e.g. 00:16:3e:bb:ac:82.
> For IPv4, we have enabled proxy_arp on the bridge interface, works well as always. We have not yet configured any IPv6 in any of the guests, only on the xen host. The guests only have a link-local address.
> In this config, the only MAC address that should be seen on the network is that of the only real interface, eth0/br0.
What does it mean? Is eth0 a slave interface in br0? Where and how are the guests connected? You really need to explain the network topology better.
> However, Hetzner is complaining that some of our guest MAC addresses are "leaking out". AFAICT, this is happening in neighbour solicitations and advertisements, with the link-local addresses.
How exactly can you tell it? Do you have any packet capture?
> I figured out we probably needed to enable ipv6 ndp - neighbour discovery protocol proxy:
> setting /proc/sys/net/ipv6/conf/*/proxy_ndp = 1
> This did not have the desired effect, so I am clearly missing something?
NDP proxy works between two interfaces (and you need to explicitly define which addresses are proxied). If guests are connected to the same br0 as eth0, then guests are on the same physical link and there is nothing to proxy. If guests are connected to something else, how come the MACs leak? You really need to explain your topology.
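To make the point in the reply concrete, here is an added example (not from either poster) of what a working NDP proxy setup looks like on a routed topology: the guests hang off a separate host-side interface (assumed name guestbr0) rather than the same bridge as eth0, the uplink is eth0, and each proxied address is registered explicitly. The guest addresses are constructed placeholders from 2001:db8::/32. With DRY_RUN=1 the script only prints the commands so the change can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not part of the thread: NDP proxy for a routed guest network.
# Assumed interface names: eth0 = provider uplink, guestbr0 = host-side guest
# interface. Guest addresses below are constructed placeholders.

UPLINK="${UPLINK:-eth0}"
GUEST_IF="${GUEST_IF:-guestbr0}"
DRY_RUN="${DRY_RUN:-0}"

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# proxy_ndp alone does nothing: forwarding must be on, and each address the
# host should answer for must be added with 'ip -6 neigh add proxy'.
enable_ndp_proxy() {
    run sysctl -w net.ipv6.conf.all.forwarding=1
    run sysctl -w "net.ipv6.conf.${UPLINK}.proxy_ndp=1"
    run sysctl -w "net.ipv6.conf.${GUEST_IF}.proxy_ndp=1"
}

# Register one guest address. The host then answers neighbour solicitations
# for it on the uplink with eth0's own MAC, and routes the traffic to the
# guest interface, so the guest's MAC never appears on the provider's link.
proxy_guest_addr() {
    addr="$1"
    run ip -6 neigh add proxy "$addr" dev "$UPLINK"
    run ip -6 route add "${addr}/128" dev "$GUEST_IF"
}

# Check: list the proxy entries installed on the uplink.
show_proxies() {
    run ip -6 neigh show proxy dev "$UPLINK"
}

if [ "${1:-}" = "demo" ]; then
    enable_ndp_proxy
    proxy_guest_addr 2001:db8::10   # constructed guest address
    proxy_guest_addr 2001:db8::11   # constructed guest address
    show_proxies
fi
```

Run as `DRY_RUN=1 sh ndp-proxy.sh demo` to see the commands, then without DRY_RUN as root to apply them. Note that this only makes sense for routable addresses: link-local addresses are confined to their own link and cannot be proxied across to the uplink, and on a bridged topology where guests share br0 with eth0 there is, as the reply says, nothing to proxy, because the guests already sit on the provider's link.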