Additional IP Addresses

Last change on 2021-04-14 • Created on 2020-03-23

Introduction

All dedicated and virtual servers come with an IPv4 address, as well as a /64 IPv6 subnet.

You can order additional IPv4 addresses on Robot. See also: IP Addresses

Note: This article is limited to showing you the corresponding Linux commands to illustrate the general concepts. For systems such as FreeBSD, a different configuration is necessary.

Main address

The main IPv4 address of a server is the IP that is originally assigned to the server and is configured in the automatic installations.

For IPv6, there is no clearly defined main address. In automatic installations, the ::2 from the assigned subnet is configured.

With dedicated root servers and virtual servers from the CX line, the IPv6 subnet is routed on the link-local address of the network adapter. If you ordered additional single IPv4 addresses with their own MAC addresses, you can route the IPv6 subnet onto their link-local address using Robot.

The particular link-local address is calculated from the MAC address using RFC 4291 and is automatically configured:

# ip address
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 54:04:a6:f1:7b:28 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5604:a6ff:fef1:7b28/64 scope link
       valid_lft forever preferred_lft forever

With older virtual server models (VQ/VX lines), the /64 IPv6 subnet is not routed. Instead, it is a local area network in which the ::1 of the subnet is used as the gateway (see below).

Below, <10.0.0.2> is used as an example main IPv4 address. It is not a real IP address.

Additional addresses

Both individual addresses and addresses from subnets are generally routed via the main IP address. For the rest of this guide, let us assume that you have the following additional addresses/networks:

  • <2001:db8:61:20e1::/64> (IPv6 subnet)
  • <10.0.0.8> (single address)
  • <203.0.113.40/29> (IPv4 subnet)

You can further divide, forward, or assign the allocated subnets depending on your own preferences.

With IPv4, the network and broadcast addresses are normally reserved. Based on the above example, that would be the IPs <203.0.113.40> and <203.0.113.47>. You may use these addresses as a secondary IP or as part of a point-to-point setup. As a result, in a /29 subnet, all 8 IPs are usable, rather than just 6.

With IPv6, the first address (::0) of the subnet is reserved as the Subnet-Router anycast address. IPv6 does not use a broadcast address, so the last address is also usable (as opposed to IPv4).

Gateway

For IPv6 on dedicated root servers and virtual servers from the CX line, the gateway is fe80::1. Since this is a link-local address, the explicit specification of the network adapter (usually eth0) is necessary:

# ip route add default via fe80::1 dev eth0

For older virtual server models (VQ/VX lines), the gateway lies within the assigned subnet:

# ip address add 2001:db8:61:20e1::2/64 dev eth0
# ip route add default via 2001:db8:61:20e1::1

For IPv4, the gateway is the first usable address of each subnet:

# Example: 10.0.0.2/26 => Network address is 10.0.0.0/26
#
# ip address add 10.0.0.2/32 dev eth0
# ip route add 10.0.0.1 dev eth0
# ip route add default via 10.0.0.1

Individual addresses

You can configure the assigned addresses as additional addresses on the network interface. To ensure the IP addresses are still configured after a restart, you need to adjust the corresponding configuration files of the operating system/distribution. You can find more details on the pages for Debian/Ubuntu and CentOS.

Add an (additional) IP address:

ip address add 10.0.0.8/32 dev eth0

Alternatively, it can be forwarded within the server (e.g. for virtual machines):

ip route add 10.0.0.8/32 dev tap0
# or
ip route add 10.0.0.8/32 dev br0

The corresponding virtual machines have to use the main IP address of the server as the default gateway.

ip route add 10.0.0.2 dev eth0
ip route add default via 10.0.0.2

When forwarding the IP, make sure you have enabled IP forwarding:

sysctl -w net.ipv4.ip_forward=1

If you have set up a separate MAC address for the IP address via Robot, then you need to use the corresponding gateway of the IP address.

Subnets

Newly assigned IPv4 subnets are statically routed on the main IP address of the server, so no gateway is required.

You can assign the IPs as secondary addresses to the network adapters, just like single additional IPs:

ip address add 203.0.113.40/32 dev eth0

You can forward them individually or as a whole.

ip route add 203.0.113.40/29 dev tun0
# or
ip route add 203.0.113.40/32 dev tap0

Unlike with single IPs, you can also assign subnet IPs (to virtual machines) using DHCP. To do so, you need to configure an address from the subnet on the host system.

ip address add 203.0.113.41/29 dev br0

The hosts on br0 use this address as the gateway. Unlike single IPs, the rules for subnets then apply; for example, you cannot use the network and broadcast IP.

For IPv6, the routing of the subnet on the link-local address leads to many possible options for further division of the subnet into various sizes (/64 up to and including /128). For example:

2a01:04f8:0061:20e1:0000:0000:0000:0000
                   │    │    │    │
                   │    │    │    └── /112 Subnet
                   │    │    │
                   │    │    └── /96 Subnet
                   │    │
                   │    └── /80 Subnet
                   │
                   └── /64 Subnet

Before forwarding the subnets, make sure that forwarding is active:

sysctl -w net.ipv6.conf.all.forwarding=1 net.ipv4.ip_forward=1

You can forward the entire subnet (for example, to a VPN):

ip route add 2001:db8:61:20e1::/64 dev tun0

Or just a part:

ip route add 2001:db8:61:20e1::/80 dev br0

From a single subnet, you can extract individual addresses, and you can forward the remainder. Note the prefix lengths:

ip address add 2001:db8:61:20e1::2/128 dev eth0
ip address add 2001:db8:61:20e1::2/64 dev br0

The hosts on br0 will show <2001:db8:61:20e1::2> as the gateway.

SLAAC (IPv6)

Furthermore, you can use SLAAC (Stateless Address Autoconfiguration) in the connected hosts (br0) by installing radvd on the host. The configuration in /etc/radvd.conf requires that the host possesses an address from <2001:db8:61:20e1::> on the bridge or TAP device:

interface tap0
{
        AdvSendAdvert on;
        AdvManagedFlag off;
        AdvOtherConfigFlag off;
        prefix 2001:db8:61:20e1::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2001:db8:0:a0a1::add:1010
              2001:db8:0:a102::add:9999
              2001:db8:0:a111::add:9898
        {
        };
};

Thus the hosts will automatically receive routes and addresses from the subnet. You can see this within the hosts:

$ ip address
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:0a:c5:b2 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:61:20e1:38ad:1001:7bff:a126/64 scope global temporary dynamic
       valid_lft 86272sec preferred_lft 14272sec
    inet6 2001:db8:61:20e1:a00:27ff:fe0a:c5b2/64 scope global dynamic
       valid_lft 86272sec preferred_lft 14272sec
    inet6 fe80::a00:27ff:fe0a:c5b2/64 scope link
       valid_lft forever preferred_lft forever

(Seen here: privacy address, SLAAC address of the subnet, and the RFC 4291 link-local address of the link.)
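The RFC 4291 derivation behind the link-local addresses shown on this page, applied to the guest output above to tell MAC-derived addresses from the privacy address. This is an added example, not part of the original article; the function names are chosen here, and the sample is the page's own `ip address` output with the lifetime lines dropped.

```python
import ipaddress
import re

# Constructed sample: the guest's `ip address` output from this page.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:0a:c5:b2 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:61:20e1:38ad:1001:7bff:a126/64 scope global temporary dynamic
    inet6 2001:db8:61:20e1:a00:27ff:fe0a:c5b2/64 scope global dynamic
    inet6 fe80::a00:27ff:fe0a:c5b2/64 scope link
"""

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A)."""
    o = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(o) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:]

def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address that the kernel configures for this MAC."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_iid(mac))

def classify(ip_output: str) -> dict:
    """Map each inet6 address to 'link-local', 'mac-derived' or 'other'."""
    mac = re.search(r"link/ether ([0-9a-f:]{17})", ip_output).group(1)
    iid = eui64_iid(mac)
    result = {}
    for m in re.finditer(r"inet6 ([0-9a-f:]+)/\d+", ip_output):
        addr = ipaddress.IPv6Address(m.group(1))
        if addr.packed[8:] != iid:
            result[str(addr)] = "other"        # e.g. the temporary privacy address
        elif addr.is_link_local:
            result[str(addr)] = "link-local"
        else:
            result[str(addr)] = "mac-derived"  # global address that embeds the MAC
    return result
```

The "mac-derived" global address stays the same for as long as the MAC does and exposes it to every peer, which is why the temporary address exists alongside it.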

Use with virtualization with the routed method

See also: Virtualization


In the routed method, you configure a new network interface on the server to which one or more VMs are connected. The server itself acts as a router, hence the name.

The advantage of the routed method is that traffic has to flow through the host. This is useful for diagnostic tools (tcpdump, traceroute). It is also necessary for operating a host firewall which performs the filtering for the VMs.
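How a host firewall in the routed setup can decide which guest source addresses to accept on each interface, as an added example that is not part of the original article. The plan reuses this page's example routes and the subnet rules stated earlier (network, broadcast and Subnet-Router anycast addresses); the function names, dictionaries and packet records are constructed for illustration.

```python
import ipaddress

# Assumed plan, built from this page's example routes: interface -> prefixes
# forwarded to the guests behind it.
ROUTED = {
    "tap0": ["10.0.0.8/32"],
    "br0": ["203.0.113.40/29", "2001:db8:61:20e1::/80"],
}
# Address the host itself holds on br0 (the guests' gateway).
HOST_OWNED = {"br0": ["203.0.113.41"]}

def source_allowed(iface, src, routed=ROUTED, host_owned=HOST_OWNED):
    """True if a guest on `iface` may legitimately send from `src`."""
    addr = ipaddress.ip_address(src)
    if any(addr == ipaddress.ip_address(h) for h in host_owned.get(iface, [])):
        return False                      # the gateway address belongs to the host
    for prefix in routed.get(iface, []):
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version or addr not in net:
            continue
        if net.num_addresses > 2:         # subnet rules apply (not a /32 or /128)
            if addr == net.network_address:
                return False              # IPv4 network / IPv6 Subnet-Router anycast
            if addr.version == 4 and addr == net.broadcast_address:
                return False
        return True
    return False                          # not routed to this interface at all

def spoofed(packets, **plan):
    """Return the (iface, src) records that fail source validation."""
    return [p for p in packets if not source_allowed(*p, **plan)]

# Constructed sample of forwarded packets: (ingress interface, source address).
PACKETS = [
    ("tap0", "10.0.0.8"),                 # routed /32
    ("tap0", "203.0.113.42"),             # belongs behind br0
    ("br0", "203.0.113.42"),
    ("br0", "203.0.113.47"),              # broadcast of the /29
    ("br0", "203.0.113.41"),              # host's own gateway address
    ("br0", "2001:db8:61:20e1::10"),
    ("br0", "2001:db8:61:20e1:1::10"),    # inside the /64 but outside the /80
    ("br0", "10.0.0.2"),                  # host's main address
]
```

On a real host the same decision is written as per-interface source-address rules in the packet filter's forward path.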

Some virtualization solutions (like Xen and LXC) create a network interface per unit; you may need to couple them with a virtual switch (e.g. via a bridge or TAP interface).

  • Xen: For each domU, an interface vifM.N (unfortunately with dynamic numbers) shows up in the dom0. These can be assigned addresses accordingly. Alternatively, you can combine VIFs into a segment using a bridge interface; you can do this via vif=['mac=00:16:3e:08:15:07,bridge=br0',] directives, in /etc/xen/vm/meingast.cfg.
  • VirtualBox: Guests are tied to an existing TAP interface and thus form a segment per TAP device. Create TAP interfaces according to your distribution. In the settings dialog of a single machine, select for assignment: Network > Attached to: Bridged Adapter. Name: tap0.
  • VMware Server/Workstation: Using your VMware programs, create a host-only interface (e.g. vmnet1) and add the address area to it. Assign the VMs to this created host-only interface.
  • Linux Containers (LXC, systemd-nspawn, OpenVZ): For each container an interface ve-… shows up in the parent. These can be assigned addresses accordingly. Alternatively, you can combine VE interfaces with a bridge interface.
  • QEMU: Uses TAP, similar to VirtualBox.

Use with virtualization with the bridged method


The bridged method describes the configuration which enables a virtual machine to be bridged directly to the connecting network just like a physical machine. This is possible only for single IP addresses. Subnets are always routed.

The advantage of the bridged solution is that the network configuration is usually simple to implement because no routing rules or point-to-point configuration is necessary. The disadvantage is that the MAC address of the guest system becomes "visible" from the outside. Therefore you must give each individual IP address a virtual MAC address, which you can do on Robot. You then need to route the IPv6 subnet via this new MAC. (An icon next to the subnet in Robot allows you to do this.)

  • VMware ESX: ESX sets a bridge to the physical adapter, which the VM kernel hangs on, and which you can bind further VMs to (for example, a router VM that runs the actual operating system). In ESX, you can define further virtual switches, which are then made available to the router VM via other NICs.
  • The other virtualization solutions let you use the bridged mode, but for the sake of simplicity, we will only use the simpler routed method, since it is also easier for troubleshooting (e.g. mtr/traceroute). Only ESX truly requires bridged mode.
  • Using the bridged mode currently requires the sysctl setting net.ipv4.conf.default.proxy_arp=1 (e.g. with Xen).

Setup under different distributions

You can find setup guides for different distributions here:

  • Debian
  • CentOS
  • Proxmox VE
  • VMware ESXi
