Network configuration Debian / Ubuntu

Main IP address

IPv4

The main IP of a dedicated root server is usually located in a /26 or /27 subnet. In order to prevent the accidental use of a foreign IP address, our infrastructure rejects any Ethernet packets that are not addressed to the gateway address. In order to reach a server in the same subnet, the network configuration must be set up as a point to point configuration. Our standard images already come with this configuration so that all traffic is routed via the gateway.

This is done via a point to point configuration between the primary IP and the gateway. The primary IP is configured with the netmask set to 255.255.255.255 (/32). This way the server assumes it is alone and will not send any packets directly. In order to reach other servers as well as the Internet an explicit host route for the gateway in addition to the default route is needed.

etc/network/interfaces (ENI)

When networking is configured via /etc/network/interfaces this is easily done by adding the option pointopoint <gateway IP> in the configuration stanza.

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  # Netmask 255.255.255.255 (/32) independent from the
  # real subnet size (e.g. /27)
  netmask 255.255.255.255
  # explicit host route to the gateway
  gateway 192.168.0.1
  pointopoint 192.168.0.1

netplan

When using netplan this is done via the on-link keyword in the configuration:

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
      - 192.168.0.250/32
      routes:
      - to: 0.0.0.0/0
        via: 192.168.0.1
        on-link: true

IPv6

In addition to a primary IPv4 address, every servers is assigned an /64 IPv6 subnet. This subnet is routed to the link-local IPv6 address that is generated from the MAC address of the server. As opposed to the IPv4 configuration, no point-to-point configuration is needed for IPv6.

The gateway is always fe80::1

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# IPv6 LAN
auto eth0
iface eth0 inet6 static
  # One IPv6 address out of the /64 subnet
  address 2001:db8:1234::1
  netmask 64
  gateway fe80::1

IPv4 + IPv6

It is expected that over the next few years, IPv4 and IPv6 will be used in parallel. Simply join both configuration files together and omit duplicate entries.

etc/network/interfaces (ENI)

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  # Netmask 255.255.255.255 (/32) independent from the
  # real subnet size (e.g. /27)
  netmask 255.255.255.255
  # explicit host route to the gateway
  gateway 192.168.0.1
  pointopoint 192.168.0.1
#
iface eth0 inet6 static
  # one IPv6 address from assigned subnet
  address 2001:db8:1234::1
  netmask 64
  gateway fe80::1

netplan

Configuration via netplan for Ubuntu 22.04 and later or using netplan 1.03 or later

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
      - 192.168.0.250/32
      - 2001:db8:1234::1/64
      routes:
      - to: default
        via: 192.168.0.1
        on-link: true
      - to: default
        via: fe80::1

Configuration for Ubuntu 21.04 and older

network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses:
      - 192.168.0.250/32
      - 2001:db8:1234::1/64
      routes:
      - to: 0.0.0.0/0
        via: 192.168.0.1
        on-link: true
      gateway6: fe80::1

Additional IP addresses (host)

For our dedicated root servers you can order up to 6 additional single IPs. The network configuration is similar in both cases.

In order to use the additional addresses on the server (no virtualization), you need the package iproute2 and service program ip. Configuration with alias interfaces (such as eth0:1, eth0:2 etc.) are outdated; you should no longer use them. To add an address, please run:

ip addr add 10.4.2.1/32 dev eth0

The command ip addr shows the IP addresses which are currently active. The server uses the entire subnet, so it is also useful here to add the addresses with the prefix /32, which means the subnet mask is 255.255.255.255.

etc/network/interfaces (ENI)

In /etc/network/interfaces, insert the following two lines in the appropriate interface (e.g. eth0):

up ip addr add 10.4.2.1/32 dev eth0
down ip addr del 10.4.2.1/32 dev eth0

For up and down, expect just one line of shell code and this can be repeated for several addresses. The disadvantage is that you need to list both the interface name and address twice. If you are using many IPs, the configuration file becomes confusing and prone to errors. And if you change the data, you need to adjust all the entries.

netplan

When using netplan, simply add the additional IP addresses as /32 to the addresses section

Additional IP addresses (virtualization)

With virtualization, the additional IP addresses are used via the guest system. To make these reachable via the Internet, you need to adjust the configuration in the host system accordingly in order to forward the packets. There are two ways of doing this for additional single IPs: the routed and bridged methods.

Routed (brouter)

In this type of configuration, the packets are routed. For this method, you need to set up an additional bridge with almost the same configuration (without gateway) as eth0.

Host:

auto eth0
iface eth0 inet static
   address (Main IP)
   netmask 255.255.255.255
   pointopoint (Gateway IP)
   gateway (Gateway IP)
#
iface eth0 inet6 static
  address 2001:db8:1234::1
  netmask 128
  gateway fe80::1
#
auto virbr1
iface virbr1 inet static
   address (Main IP)
   netmask 255.255.255.255
   bridge_ports none
   bridge_stp off
   bridge_fd 0
   pre-up brctl addbr virbr1
   up ip route add (Additional IP)/32 dev virbr1
   down ip route del (Additional IP)/32 dev virbr1
 #
 iface virbr1 inet6 static
   address 2a01:4f8:XX:YY::1
   netmask 64

You also need to create a corresponding host route for each additional IP address. For IPv4, the eth0 configuration remains unchanged. For IPv6, you need to reduce the prefix from /64 to /128.

Guest:

auto eth0
iface eth0 inet static
   address (Additional IP)
   netmask 255.255.255.255
   pointopoint (Main IP)
   gateway (Main IP)
#
iface eth0 inet6 static
  address 2a01:4f8:XX:YY::4
  netmask 64
  gateway 2a01:4f8:XX:YY::1

Bridged

With a bridged configuration, packets are sent directly. The guest system behaves as if it is independent. This makes the MAC addresses of the guest system visible from the outside, so you need to request a virtual MAC address for each single IP address. The address can be generated automatically in Robot by clicking on the server and then on the small icon next to the additional IP. Then assign the virtual MAC address to the guest network card. The bridge gets the same network configuration as eth0.

# remove or disable configuration for eth0
#auto eth0
#iface eth0 inet static
#
auto  br0
iface br0 inet static
 address (Main IP)
 netmask (like eth0, e.g: 255.255.255.254)
 gateway (same as that for the main IP)
 bridge_hw eth0 (required as of Debian 11 'bulleye')
 bridge_ports eth0
 bridge_stp off
 bridge_fd 1
 bridge_hello 2
 bridge_maxage 12

The configuration of eth0 is omitted without replacement.