The main IP of a dedicated root server is usually located in a /26 or /27 subnet. In order to prevent the accidental use of a foreign IP address, our infrastructure rejects any Ethernet packets that are not addressed to the gateway address. In order to reach a server in the same subnet, our standard images already have a static route in their network configuration. The static route forwards the entire traffic to the subnet via the gateway.
This is not the best solution; duplicate and inconsistent information appears in the routing table. A better way to reach a server in your subnet is to set the netmask to
255.255.255.255 (/32). The server assumes it is alone in this subnet and will not send any packets directly. However, you now need an explicit host route to the gateway. This is very easy to do with Debian by adding the option
pointopoint 192.168.0.1 in the configuration. Please change
192.168.0.1 to the valid IP address of your gateway.
## /etc/network/interfaces example Hetzner root server # Loopback-Adapter auto lo iface lo inet loopback # # LAN interface auto eth0 iface eth0 inet static # Main IP address of the server address 192.168.0.250 # Netmask 255.255.255.255 (/32) independent from the # real subnet size (e.g. /27) netmask 255.255.255.255 # explicit host route to the gateway gateway 192.168.0.1 pointopoint 192.168.0.1
The additional route to the gateway is now no longer necessary.
In principle, the above applies to IPv6 as well. But instead of a single main IP, you get a /64 block.
As opposed to the IPv4 configuration, there is no "point-to-point" setting in IPv6.
- Address block:
- We use the first address from this:
## /etc/network/interfaces example Hetzner root server # Loopback-Adapter auto lo iface lo inet loopback # # IPv6 LAN auto eth0 iface eth0 inet6 static # Main IPv6 Address of the server address 2a01:4f8:61:20e1::2 netmask 64 gateway fe80::1
It is expected that over the next few years, IPv4 and IPv6 will be used in parallel. Simply join both configuration files together and omit duplicate entries.
## /etc/network/interfaces example Hetzner root server # Loopback-Adapter auto lo iface lo inet loopback # # LAN interface auto eth0 iface eth0 inet static # Main IP address of the server address 192.168.0.250 # Netmask 255.255.255.255 (/32) independent from the # real subnet size (e.g. /27) netmask 255.255.255.255 # explicit host route to the gateway gateway 192.168.0.1 pointopoint 192.168.0.1 # iface eth0 inet6 static # Main IPv6 Address of the server address 2a01:4f8:61:20e1::2 netmask 64 gateway fe80::1
## /etc/network/interfaces Example Hetzner Virtual Server # Loopback-Adapter auto lo iface lo inet loopback # # LAN interface auto eth0 iface eth0 inet static # Main IP address of the server address 192.168.0.250 netmask 255.255.255.224 gateway 192.168.0.1 # # IPv6 LAN iface eth0 inet6 static # Main IPv6 Address of the server address 2a01:4f8:61:20e1::2 netmask 64 gateway 2a01:4f8:61:20e1::1
For our dedicated root servers (with the exception of SX131/291 models), you can order up to 6 additional single IPs. The network configuration is similar in both cases.
In order to use the additional addresses on the server (no virtualization), you need the package
iproute and service program
ip. Configuration with alias interfaces (such as
eth0:2 etc.) are outdated; you should no longer use them. To add an address, please run:
ip addr add 10.4.2.1/32 dev eth0
ip addr shows the IP addresses which are currently active. The server uses the entire subnet, so it is also useful here to add the addresses with the prefix /32, which means the subnet mask is
/etc/network/interfaces, insert the following two lines in the appropriate interface (e.g.
up ip addr add 10.4.2.1/32 dev eth0 down ip addr del 10.4.2.1/32 dev eth0
down, expect just one line of shell code and this can be repeated for several addresses. The disadvantage is that you need to list both the interface name and address twice. If you are using many IPs, the configuration file becomes confusing and prone to errors. And if you change the data, you need to adjust all the entries.
ATTENTION: The following instructions involve the installation of software by a third party (www.wertarbyte.de). This is not supported by Hetzner. In the event of errors or problems, please contact the developer.
The script is in the package
ifupdown-scripts-wa, which is not a part of the official Debian distribution. If you add the following line for APT configuration, you just need to use the
apt-get install ifupdown-scripts-wa command to install the script correctly:
# /etc/apt/sources.list.d/wertarbyte.list # Tartarus, ifupdown-scripts etc. deb [http://wertarbyte.de/apt/](http://wertarbyte.de/apt/) ./
You can make the complete installation routine shorter using the following commands:
wget -P/etc/apt/sources.list.d/ [http://wertarbyte.de/apt/wertarbyte-apt.list](http://wertarbyte.de/apt/wertarbyte-apt.list) wget -O - [http://wertarbyte.de/apt/software-key.gpg](http://wertarbyte.de/apt/software-key.gpg) | apt-key add - apt-get update apt-get install ifupdown-scripts-wa
If you do not wish to install the script using the package system, you can also download it manually: http://wertarbyte.de/debian/ifupdown/addresses. It is filed in the
/etc/network/if-up.d/ directory and also linked with
cd /etc/network/if-up.d/ && \ wget [http://wertarbyte.de/debian/ifupdown/addresses](http://wertarbyte.de/debian/ifupdown/addresses) && \ chmod +x addresses && \ cd ../if-down.d/ && \ ln -s ../if-up.d/addresses .
It is recommended to install the script via the packet system because the current version of the script is always available.
The script extends the syntax of the configuration file by adding a new command
addresses. This lets you specify additional binding IP addresses (with the netmask in /-notation):
addresses 10.4.2.1/32 10.4.2.2/32 10.4.2.3/32
If you add this line to configure the "eth0" interface, addresses are added upon activating the interface and removed upon deactivation.
It is also possible to use several lines to bundle addresses into categories and to make the configuration more transparent:
addresses 10.4.2.1/32 addresses-https 10.4.2.2/32 10.4.2.3/32 # SSL-Websites addresses-mail 10.4.2.4/32 # Mailserver
The script captures various commands that start with the key word
addresses- and a label of your choice. You shouldn't use labels twice. Otherwise you will get a syntax error for ifupdown, and the configuration of the interface will be interrupted. This can result in the server not being reachable.
The IP addresses which you have added via
ip addr are not visible in the output of
ifconfig ; you need the command
ip addr show to show these. However, the addresses script can also set up alias devices:
addresses 10.0.0.1/32 10.0.0.2/32 10.0.0.3/32 create_alias_devices yes
The script creates consecutively numbered eth0:X devices using this configuration, which are also visible in
Instead of simply numbering the devices, it is also possible to use the labels from the configuration:
addresses-https 10.0.0.1/32 10.0.0.3/32 addresses-vhost 10.0.0.2/32 label_addresses yes
The addresses are subsequently labelled
eth0:vhost in the output of
ip addr and are also shown in
With virtualization, the additional IP addresses are used via the guest system. To make these reachable via the Internet, you need to adjust the configuration in the host system accordingly in order to forward the packets. There are two ways of doing this for additional single IPs: the routed and bridged methods.
In this type of configuration, the packets are routed. For this method, you need to set up an additional bridge with almost the same configuration (without gateway) as eth0.
auto eth0 iface eth0 inet static address (Main IP) netmask 255.255.255.255 pointopoint (Gateway IP) gateway (Gateway IP) # iface eth0 inet6 static address 2a01:4f8:XX:YY::2 netmask 128 gateway fe80::1 # auto virbr1 iface virbr1 inet static address (Main IP) netmask 255.255.255.255 bridge_ports none bridge_stp off bridge_fd 0 pre-up brctl addbr virbr1 up ip route add (Additional IP)/32 dev virbr1 down ip route del (Additional IP)/32 dev virbr1 # iface virbr1 inet6 static address 2a01:4f8:XX:YY::2 netmask 64
You also need to create a corresponding host route for each additional IP address. For IPv4, the eth0 configuration remains unchanged. For IPv6, you need to reduce the prefix from /64 to /128.
auto eth0 iface eth0 inet static address (Additional IP) netmask 255.255.255.255 pointopoint (Main IP) gateway (Main IP) # iface eth0 inet6 static address 2a01:4f8:XX:YY::4 netmask 64 gateway 2a01:4f8:XX:YY::2
With a bridged configuration, packets are sent directly. The guest system behaves as if it is independent. This makes the MAC addresses of the guest system visible from the outside, so you need to request a virtual MAC address for each single IP address. (Make a support request on Robot). Then assign the virutal MAC address to the guest network card. The bridge gets the same network configuration as eth0.
# remove or disable configuration for eth0 #auto eth0 #iface eth0 inet static # auto br0 iface br0 inet static address (Main IP) netmask (like eth0, e.g: 255.255.255.254) gateway (same as that for the main IP) bridge_ports eth0 bridge_stp off bridge_fd 1 bridge_hello 2 bridge_maxage 12
The configuration of
eth0 is omitted without replacement.