On 27.04.2021 17:30, Per Jessen wrote:
Per Jessen wrote:
Andrei Borzenkov wrote:
However, Hetzner is complaining that some of our guest MAC addresses are "leaking out". AFAICT, this is happening in neighbour solicitations and advertisements, with the link-local addresses.
How exactly can you tell it? Do you have any packet capture?
Yes, I ran a tcpdump this morning to confirm what Hetzner told me. A tcpdump on "br0", looking for the two local link addresses from my two DomUs.
See attached.
The DomU with 'fe80::216:3eff:febb:ac82' is currently down. It was running 15.3, but failed to boot after the latest 'zypper dup'.
Well, this does not show any MAC address, so is rather uninteresting. I suspect there is some misunderstanding and proxy_arp is actually a red herring. You cannot use proxy ARP/NDP to hide MAC addresses on a bridge. Even assuming proxy works, it will only handle ARP/NDP - it will *not* replace the MAC address in any other packet. When proxy ARP/NDP is used, actual packet delivery after the LL address has been determined is handled by L3 switching, which explains why MAC addresses do not leak (because packet delivery remains local to each LAN segment). But you are on a bridge, so no L3. The proxied host will attempt to send the packet directly using its own MAC address. So to actually hide the guests' MACs you would need a separate external interface and a separate bridge for guests, and proxy each guest on the external interface via the bridge. You will need a (host) route to each guest also. And I do not even want to think about DHCP or any other similar protocol :)
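The NS/NA packets discussed above carry the guest MAC in more than one place, which is why a bridge cannot hide it. As an added example (not part of this thread), the following Python script builds a constructed Neighbor Solicitation from the DomU link-local address quoted earlier and shows the three places the MAC appears: the Ethernet source, the NDP Source Link-Layer Address option, and the modified-EUI-64 interface identifier of the address itself. The guest MAC 00:16:3e:bb:ac:82 is an assumption derived from that address.

```python
import ipaddress
import struct

# Constructed sample data based on the DomU link-local address quoted in the thread.
GUEST_LL = "fe80::216:3eff:febb:ac82"
GUEST_MAC = bytes.fromhex("00163ebbac82")   # assumed: EUI-64 of GUEST_LL, Xen OUI 00:16:3e


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def eui64_to_mac(addr: str):
    """Recover a MAC from a modified EUI-64 interface ID (RFC 4291 App. A), else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":          # not EUI-64 derived (e.g. privacy or static address)
        return None
    return fmt_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])  # flip the U/L bit back


def build_ns(src_mac: bytes, src_ll: str, target: str) -> bytes:
    """Ethernet/IPv6/ICMPv6 Neighbor Solicitation carrying a Source Link-Layer Address option.
    The ICMPv6 checksum is left zero: this frame is a parsing sample, not meant to be sent."""
    tgt = ipaddress.IPv6Address(target)
    # Solicited-node multicast: ff02::1:ffXX:XXXX with the low 24 bits of the target.
    sn = ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + tgt.packed[13:])
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + tgt.packed + bytes([1, 1]) + src_mac
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
           + ipaddress.IPv6Address(src_ll).packed + sn.packed)
    eth = b"\x33\x33" + sn.packed[12:] + src_mac + b"\x86\xdd"   # IPv6 multicast MAC, src, type
    return eth + ip6 + icmp


def parse_ndp(frame: bytes) -> dict:
    """Report every place a MAC shows up in an NS/NA frame: Ethernet src, NDP option, EUI-64 IID."""
    if struct.unpack("!H", frame[12:14])[0] != 0x86DD or frame[20] != 58:
        raise ValueError("not an ICMPv6-over-IPv6 frame")
    src_ip = str(ipaddress.IPv6Address(frame[22:38]))
    icmp = frame[54:]
    if icmp[0] not in (135, 136):
        raise ValueError("not a Neighbor Solicitation/Advertisement")
    found = {"eth_src": fmt_mac(frame[6:12]), "src_ip": src_ip,
             "eui64_mac": eui64_to_mac(src_ip), "ll_option": None}
    off = 24                                   # options start after the 16-byte target address
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("malformed NDP option (length 0)")
        if otype in (1, 2):                    # Source / Target Link-Layer Address option
            found["ll_option"] = fmt_mac(icmp[off + 2:off + 8])
        off += olen * 8
    return found


if __name__ == "__main__":
    print(parse_ndp(build_ns(GUEST_MAC, GUEST_LL, "fe80::1")))
```

Even if the bridge rewrote the Ethernet source, the option and the EUI-64 identifier would still expose the same MAC, which is why the thread's suggested fix is a separate bridge and routing rather than proxy_arp.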