konchober, 2016-09-26 01:24:29

How to provide Internet access in an IPv6 local network, but keep all the machines hidden behind one external IPv6 address?

Hey! There is a Linux Proxmox-VE 4.4.19-1-pve server with virtual machines and 1 external IPv4 and IPv6 subnet.
Task: create several VDS inside the server with their own local network, whose existence could not be discovered from the outside.
Problem: if the virtual machines are not given IPv6 addresses from the external subnet (Scope:Global), they cannot reach the outside world, for example to update packages. But if they are given IPv6 addresses from the external subnet, then theoretically it becomes possible to determine the size of the network from the outside and carry out attacks.

3 answer(s)
Dmitry Shitskov, 2016-09-26
@konchober

Let the machines out to the Internet through a proxy or NAT if they only need to download updates.
If you need to access them from the outside, just configure the firewall properly, restricting connections from the outside.

Antony, 2016-09-26
@RiseOfDeath

In addition to the normal solutions (NAT and proxies): if you are that paranoid, and the virtual machines only go outside for updates, set up a mirror inside the local network and let it be the one that goes outside.
P.S.
Paranoia aside, a mirror with updates "on your own territory" is convenient: it reduces the load on the external channel (when all the virtual machines update at once) and, ultimately, increases the speed of downloading updates (which depends not only on your Internet channel, but also on the "foreign" one).

nwur, 2016-09-29
@nwur

IPv6 has _no_ NAT. At all.
By itself, NAT (in IPv4) does not protect against anything; that is not its job. If you want protection, set up a firewall.
If you only need updates via http/https, you'll need a proxy.
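
The firewall approach recommended in the answers above, sketched as an nftables forward policy for the Proxmox host. This is an added example, not part of any poster's answer; the interface names `vmbr0` and `vmbr1` and the prefix `2001:db8:100::/64` (a documentation range) are assumptions standing in for the real uplink, VM bridge and routed VM subnet.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed names, not taken from the thread:
#   vmbr0             uplink bridge holding the external IPv6 subnet
#   vmbr1             internal bridge the virtual machines attach to
#   2001:db8:100::/64 documentation prefix standing in for the VM subnet

define WAN    = "vmbr0"
define VMS    = "vmbr1"
define VM_NET = 2001:db8:100::/64

table ip6 vmfilter {
    chain forward {
        # Default deny: nothing is routed to or from the VMs unless allowed below
        type filter hook forward priority 0; policy drop;

        # Replies to connections the VMs opened themselves
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 error messages; blocking packet-too-big breaks path MTU discovery
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # VMs may open new outbound connections, only from their own prefix
        iifname $VMS oifname $WAN ip6 saddr $VM_NET ct state new accept

        # Everything else, including new connections and echo requests from
        # outside, is logged at a limited rate and then falls to policy drop
        limit rate 10/minute counter log prefix "vm6-fwd-drop: "
    }
}
```

The host must route between the two bridges (`net.ipv6.conf.all.forwarding=1`) for this chain to see the traffic. The VMs keep global-scope addresses, but unsolicited probes from outside get no reply from them.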
