On Sat Nov 15, 2025 at 7:52 PM UTC, Crystal Kolipe wrote:
>> My first test was to put each VM on its own veb and route the /112 out
>> of the physical ethernet interface. This seems like it would work, in
>> theory, but the host doesn't respond to icmp6 "who-has"-style requests
>> for a VM's IP. Thus, the upstream router doesn't know to address traffic
>> to the host's MAC, and for it to forward it on.
>
> To make that setup work, you could use proxy NDP on the host.

Interesting!

So to do that, would I run something like this?

ndp -s 2001:db8::1 (mac address of physical nic) proxy

It seems like I would have to do this for every address in the range, if
I understand it correctly. Of course if it supports a whole range, it
would seem more practical.

> By the way, /112 is a fairly small allocation for IPv6.

Indeed, it is. Maybe /72 would be more sensible for what I'm doing,
though I'm not really sure how many would exhaust even a /112.

I'm not sure this design is the best. I'll have to test some different
possibilities. I guess one benefit is that I could run rad on each
per-VM bridge interface and get stateless addresses. From what I
understand, OpenBSD and no other mainstream OSs support stateless IP
assignment with prefixes smaller than a /64. For OpenBSD it would be
convenient, though no others that I am aware of.

Of course I can also do cloudinit + config drive and manually assign
this, but it is handy to be able to run other things and have it work
out-of-the-box. Debian, netboot.xyz/iPXE, etc.

Now one hack might be to let someone "use" a space within the range, but
give them the whole /64 through router advertisements. You'd enforce the
stateless address through clever mac address assigning to predictably
give you the range. This would only work with... /102 and smaller, I
think. And you'd have to ifconfig inet6 -temporary on OpenBSD, since
those wouldn't work.

-Henrich
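
The MAC-to-address mapping behind the last idea, as an added example that is not part of the original message. It assumes the guest forms its address with modified EUI-64 (RFC 4291, Appendix A) rather than temporary or stable-privacy addresses; the prefix, the OUI 02:00:00 and the helper names are constructed for illustration. With the first three MAC bytes fixed, every generated address falls inside one /104, which the host can use as the per-tenant filter range.

```python
import ipaddress

def eui64_address(prefix64: str, mac: str) -> ipaddress.IPv6Address:
    """Address a guest derives from a /64 RA prefix and its MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    b = bytes(int(octet, 16) for octet in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the two MAC halves.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def mac_for_slot(oui: str, slot: int) -> str:
    """Hypothetical allocator: fixed OUI, slot number in the low 24 bits of the MAC."""
    if not 0 <= slot < 1 << 24:
        raise ValueError("slot must fit in 24 bits")
    return ":".join(oui.split(":") + [f"{x:02x}" for x in slot.to_bytes(3, "big")])

def tenant_range(prefix64: str, oui: str) -> ipaddress.IPv6Network:
    """Smallest prefix covering every address mac_for_slot() can produce.

    The OUI and the ff:fe filler pin the top 40 bits of the interface ID,
    so 64 + 40 = 104 bits are fixed and only the last 24 vary.
    """
    base = eui64_address(prefix64, mac_for_slot(oui, 0))
    return ipaddress.IPv6Network((int(base), 104))

if __name__ == "__main__":
    prefix, oui = "2001:db8:0:1::/64", "02:00:00"   # constructed sample values
    allowed = tenant_range(prefix, oui)
    for mac in (mac_for_slot(oui, 42), "02:00:01:00:00:2a"):
        addr = eui64_address(prefix, mac)
        verdict = "inside" if addr in allowed else "outside"
        print(f"{mac} -> {addr} ({verdict} {allowed})")
```

A guest that sets its own MAC, or uses a temporary address, lands outside the /104, so the range only holds if the host also pins each VM's MAC and drops source addresses outside it.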
