Running NAT VMs on a Hetzner server and completing the ikuai DHCP configuration

Warning

This article was last updated on 2023-12-19; its contents may be out of date.

A fairly beginner-friendly way to enjoy the convenience of DHCP when creating VMs

By the time I wrote this article I was already quite practised at configuring a soft router on Hetzner, but for the benefit of those who come after, and as my own notes, it is still better to write it down.

This tutorial is aimed at individual beginners who have just got a Hetzner dedicated server and want to run NAT VMs on it; experienced users, please don't flame...

⚠️ Note: we also need to order one additional, separate IP address. The reason for running with two IPs is the DHCP soft-router setup later on. Order one additional single IP (not a subnet) in advance and request the separate MAC address for it in Hetzner Robot, so both are ready when needed.

My dedicated server's configuration is:

CPU: i5-12500

RAM: 64 GB DDR4, 4800 MHz

Disks: two 500 GB NVMe

It is a server-auction machine I picked up a while ago for about 30 EUR per month.

I chose PVE 8 on top of Debian 12; you can also choose the Debian 11 based PVE 7 image that Hetzner's installimage provides.

There are plenty of tutorials on installing PVE. I paste a link and the key steps here; install it yourself, and if errors come up consult the official Proxmox community forum.

Install Proxmox VE on Debian 12 Bookworm - Proxmox VE (https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_12_Bookworm)


Add an /etc/hosts entry for your IP address

The hostname of your machine must be resolvable via /etc/hosts.

This means that in /etc/hosts you need one of the following entries for your hostname:

  • 1 IPv4 or
  • 1 IPv6 or
  • 1 IPv4 and 1 IPv6

Note: This also means removing the address 127.0.1.1 that might be present as default.

For instance, if your IP address is 192.168.15.77, and your hostname prox4m1, then your /etc/hosts file could look like:

```
127.0.0.1       localhost
192.168.15.77   prox4m1.proxmox.com prox4m1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```

You can test if your setup is ok using the hostname command:

```
hostname --ip-address
192.168.15.77 # should return your IP address here
```

Add the Proxmox VE repository:

```
echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bookworm pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
```

Add the Proxmox VE repository key as root (or use sudo):

```
wget https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg -O /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
# verify
sha512sum /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87 /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
```

Update your repository and system by running:

```
apt update && apt full-upgrade
```

First you need to install and boot the Proxmox VE kernel, as some packages depend on specific kernel compile flags to be set or feature extensions (e.g., for apparmor) to be available.

```
apt install pve-kernel-6.2

systemctl reboot
```

Install the Proxmox VE packages

```
apt install proxmox-ve postfix open-iscsi chrony
```

Note that you can replace chrony with any other NTP daemon, but we recommend against using systemd-timesyncd on server systems, and the ntpsec-ntpdate option might conflict with bringing up networking on boot on some hardware. Configure packages which require user input on installation according to your needs.

If you have a mail server in your network, you should configure postfix as a satellite system. Your existing mail server will then be the relay host which will route the emails sent by Proxmox VE to their final recipient.

If you don’t know what to enter here, choose local only and leave the system name as is.

Proxmox VE ships its own kernel and keeping the Debian default kernel can lead to trouble on upgrades, for example, with Debian point releases. Therefore, you must remove the default Debian kernel:

```
apt remove linux-image-amd64 'linux-image-6.1*'
```

Update and check grub2 config by running:

```
update-grub
```

The os-prober package scans all the partitions of your host to create dual-boot GRUB entries. But the scanned partitions can also include those assigned to virtual machines, which one doesn’t want to add as boot entry.

If you didn’t install Proxmox VE as dual boot beside another OS, you can safely remove the os-prober package:

```
apt remove os-prober
```

⚠️ Note: this step decides whether the network works at all; do not get any detail wrong! The file is /etc/network/interfaces:

```
### Hetzner Online GmbH installimage

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp9s0
iface enp9s0 inet manual
#  post-up /sbin/ethtool -K enp9s0 tx off rx off
iface enp9s0 inet6 manual

auto vmbr0
iface vmbr0 inet static
  address <host public IPv4>
  netmask <subnet mask>
  gateway <gateway IPv4>
  pointopoint <gateway IPv4, same as above>
  hwaddress ether <MAC address of the server's main IP>
  bridge_ports enp9s0
  bridge_stp off
  bridge_fd 0
  bridge_maxwait 0
  # post-up /sbin/ethtool -K vmbr0 tx off rx off

iface vmbr0 inet6 static
  # host IPv6 address, e.g. 2a01:abc:abc:abc::2
  address <host IPv6 address>
  # 64 or 128, depending on the network parameters you were given
  netmask 64
  # Hetzner's IPv6 gateway
  gateway fe80::1
  bridge_ports enp9s0
  bridge_stp off
  bridge_fd 0
  # the /64 assigned to the host: its route is removed here and added on vmbr1 below,
  # so the VMs behind vmbr1 can use addresses from this prefix
  up ip -6 route del 2a01:abc:abc:abc::/64 dev vmbr0

auto vmbr1
iface vmbr1 inet static
  address 192.168.1.1
  netmask 255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

iface vmbr1 inet6 static
  # a second address from the same /64, e.g. 2a01:abc:abc:abc::3/64
  address <second IPv6 address>
  #gateway fe80::1
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  up ip -6 route add 2a01:abc:abc:abc::/64 dev vmbr1
  post-down ip -6 route del 2a01:abc:abc:abc::/64 dev vmbr1
```

⚠️ The MAC address here must be correct: if the bridge sends frames from a MAC that Hetzner has not assigned to your server, you will receive an abuse warning from them.

```
vim /etc/sysctl.conf
```

```
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

net.ipv4.ip_forward=1
net.ipv6.conf.all.accept_dad = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.forwarding=1
```

The first two lines enable BBR; the rest are the forwarding-related settings. One caveat: on a host that forwards traffic, `net.ipv6.conf.all.accept_redirects = 1` is not needed and lets any node on the link alter the host's routes with ICMPv6 redirects, so 0 is the safer value.

Save the file and apply it:

```
sysctl -p
```

Restart the networking service:

```
systemctl restart networking.service
```

Check its status:

```
systemctl status networking.service
```

If restarting the networking service fails after you finish the bridge configuration but the machine still has connectivity, congratulations: you can keep tinkering, that is, keep editing the interface configuration file. To make the edited configuration take effect, though, you have to force vmbr0 down and up with the command below (restarting networking does not do it). Because vmbr0 carries your SSH session, run it inside a tmux or screen session so the ifup half still executes if the connection drops:

```
ifdown --force vmbr0 && ifup --force vmbr0
```

Once everything is confirmed, reboot the host:

```
reboot
```

After it comes back, check the IPv6 routing table:

```
ip -6 route
```

If it looks like this, you are fine:

```
::1 dev lo proto kernel metric 256 pref medium
2a01:abc:abc:abc::/64 dev vmbr1 proto kernel metric 256 linkdown pref medium
2a01:abc:abc:abc::/64 dev vmbr1 metric 1024 linkdown pref medium
fe80::/64 dev vmbr0 proto kernel metric 256 pref medium
fe80::/64 dev vmbr1 proto kernel metric 256 linkdown pref medium
default via fe80::1 dev vmbr0 metric 1024 onlink pref medium
```

It does not have to be exactly identical; what matters is that the network works in the end. (The `linkdown` flag on the vmbr1 routes is normal while no VM is attached to that bridge.)
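Rather than eyeballing the table, the three things the interfaces file above is supposed to produce can be checked mechanically: the /64 is routed to vmbr1, nothing for that /64 is left on vmbr0, and the default route goes via fe80::1 on vmbr0. The script below is an added example, not part of the original post or of any Hetzner or Proxmox tooling; it parses the text output of `ip -6 route`. The prefix 2a01:abc:abc:abc::/64 and the bridge names are the post's placeholders, and SAMPLE_OUTPUT is constructed from the table shown above.

```python
"""Check the host's IPv6 routing table after the vmbr0/vmbr1 split.

Added example (not from the original post). Run on the host as
  ip -6 route | python3 check_v6_routes.py 2a01:abc:abc:abc::/64
or import check_v6_routes() and pass the captured output as a string.
"""
import ipaddress
import sys

# Constructed sample: the table the post shows after a successful reboot.
# "linkdown" on the vmbr1 routes is expected while no VM is attached, because a
# bridge with `bridge_ports none` has no carrier until a VM tap joins it.
SAMPLE_OUTPUT = """\
::1 dev lo proto kernel metric 256 pref medium
2a01:abc:abc:abc::/64 dev vmbr1 proto kernel metric 256 linkdown pref medium
2a01:abc:abc:abc::/64 dev vmbr1 metric 1024 linkdown pref medium
fe80::/64 dev vmbr0 proto kernel metric 256 pref medium
fe80::/64 dev vmbr1 proto kernel metric 256 linkdown pref medium
default via fe80::1 dev vmbr0 metric 1024 onlink pref medium
"""

# Route-type keywords that `ip -6 route` may print before the destination.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "anycast",
               "unreachable", "blackhole", "prohibit", "throw"}


def parse_routes(text):
    """Turn `ip -6 route` lines into dicts: dst (IPv6Network or "default"), via, dev."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ROUTE_TYPES:
            fields = fields[1:]
        dst = "default" if fields[0] == "default" else ipaddress.IPv6Network(fields[0])
        route = {"dst": dst, "via": None, "dev": None}
        for key in ("via", "dev"):
            if key in fields:
                route[key] = fields[fields.index(key) + 1]
        routes.append(route)
    return routes


def check_v6_routes(text, prefix, uplink="vmbr0", vm_bridge="vmbr1", gateway="fe80::1"):
    """Return a list of problem strings; an empty list means the table looks right."""
    net = ipaddress.IPv6Network(prefix)
    routes = parse_routes(text)
    problems = []

    # 1. The delegated /64 must be reachable through the VM bridge.
    prefix_routes = [r for r in routes if r["dst"] == net]
    if not any(r["dev"] == vm_bridge for r in prefix_routes):
        problems.append(f"{net} is not routed to {vm_bridge}; VMs will have no IPv6 path")

    # 2. No copy of the /64 may remain on the uplink, or the host would try to
    #    deliver VM traffic on vmbr0 instead of forwarding it to vmbr1.
    for r in prefix_routes:
        if r["dev"] == uplink:
            problems.append(f"{net} is still on {uplink}; the 'ip -6 route del' in the "
                            f"interfaces file did not take effect")

    # 3. Exactly one default route, via Hetzner's link-local gateway on the uplink.
    defaults = [r for r in routes if r["dst"] == "default"]
    if len(defaults) != 1:
        problems.append(f"expected exactly one default route, found {len(defaults)}")
    elif defaults[0]["via"] != gateway or defaults[0]["dev"] != uplink:
        problems.append(f"default route is via {defaults[0]['via']} dev {defaults[0]['dev']}, "
                        f"expected via {gateway} dev {uplink}")
    return problems


if __name__ == "__main__":
    prefix = sys.argv[1] if len(sys.argv) > 1 else "2a01:abc:abc:abc::/64"
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    found = check_v6_routes(text, prefix)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

The check is deliberately strict about the /64 still being present on vmbr0: that is the one failure that leaves the host itself online while every VM silently loses IPv6, so it is the one you would otherwise only notice from inside a VM.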

Inside the VM, set the IPv4 address to 192.168.1.x (anything but the gateway), the gateway to 192.168.1.1, and remember to set a DNS server, e.g. 8.8.8.8.

For IPv6, use 2a01:abc:abc:abc::xxxx (any xxxx that is not the gateway), gateway 2a01:abc:abc:abc::3 (the address given to vmbr1), and Google's DNS 2001:4860:4860::8888.

```
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 23333 -j DNAT --to-destination 192.168.1.2:22
```

This forwards host port 23333 to port 22 of the VM at 192.168.1.2, so connecting to the host's public IP on port 23333 is the same as connecting to that VM's port 22. A rule added with `iptables -A` on the command line does not survive a reboot; put it in vmbr1's post-up/post-down lines like the MASQUERADE rule above, or save it with iptables-persistent.
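Once there are several VMs, the port mappings are easier to keep correct if they are generated from a table and validated before they are applied. The script below is an added example, not part of the original post; it builds rules of the kind shown above and refuses entries that would misroute traffic or expose the host: a target outside the vmbr1 subnet, a target equal to the gateway (that is the host itself), a host port mapped twice, or a host port the host needs for itself (SSH on 22 and the PVE web UI on 8006 are assumed here). It also makes two hardening changes relative to the rule above: `-i vmbr0`, so that only packets arriving on the uplink are rewritten, and an explicit FORWARD accept per mapping, so the mapping keeps working if the FORWARD policy is later set to DROP. The interface names, subnet and the example table are assumptions.

```python
"""Generate the host-side port-forwarding rules for VMs behind vmbr1.

Added example (not from the original post). Prints the iptables commands for
EXAMPLE_FORWARDS; the MASQUERADE rule is not emitted because the vmbr1
post-up line in /etc/network/interfaces already installs it.
"""
import ipaddress

# Assumed: ports the host itself listens on and must never hand to a VM.
HOST_RESERVED_PORTS = {22, 8006}

# Constructed example table: (public port on the host, VM address, port inside the VM).
EXAMPLE_FORWARDS = [
    (23333, "192.168.1.2", 22),
    (23334, "192.168.1.3", 22),
    (8443, "192.168.1.3", 443),
]


def build_forward_rules(forwards, lan="192.168.1.0/24", gateway="192.168.1.1",
                        uplink="vmbr0", vm_bridge="vmbr1", proto="tcp"):
    """Return the iptables commands for `forwards`; raise ValueError on unsafe input."""
    lan_net = ipaddress.IPv4Network(lan)
    gw = ipaddress.IPv4Address(gateway)
    if gw not in lan_net:
        raise ValueError(f"gateway {gw} is not inside {lan_net}")

    seen_host_ports = set()
    rules = []
    for host_port, vm_ip, vm_port in forwards:
        target = ipaddress.IPv4Address(vm_ip)
        for port in (host_port, vm_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port {port} out of range")
        if host_port in HOST_RESERVED_PORTS:
            raise ValueError(f"host port {host_port} is used by the host itself")
        if host_port in seen_host_ports:
            raise ValueError(f"host port {host_port} is mapped twice")
        if target not in lan_net:
            raise ValueError(f"{target} is not inside {lan_net}")
        if target == gw:
            raise ValueError(f"{target} is the gateway (the host), not a VM")
        seen_host_ports.add(host_port)

        # Rewrite only packets that arrive on the uplink. After DNAT the packet is
        # addressed to the VM, which is what the FORWARD rule then matches on.
        rules.append(
            f"iptables -t nat -A PREROUTING -i {uplink} -p {proto} --dport {host_port} "
            f"-j DNAT --to-destination {target}:{vm_port}"
        )
        rules.append(
            f"iptables -A FORWARD -i {uplink} -o {vm_bridge} -p {proto} "
            f"-d {target} --dport {vm_port} -j ACCEPT"
        )
    return rules


def rejects(forwards, **kwargs):
    """True if build_forward_rules refuses `forwards`; used for self-checks."""
    try:
        build_forward_rules(forwards, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for rule in build_forward_rules(EXAMPLE_FORWARDS):
        print(rule)
```

Paste the output into vmbr1's post-up lines (with matching `-D` post-down lines) so that the rules come back after a reboot, exactly as the MASQUERADE rule already does.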

Over IPv6 you connect directly: the address is the VM's own IPv6 address.

After the above steps, check the network configuration in the PVE web UI: the information for the physical and virtual interfaces should match the configuration file.

Before installing ikuai, understand how Hetzner assigns IPs. The additionally ordered IP can be given to a VM: set the VM's NIC to the main bridge (vmbr0) rather than the internal bridge you created, give it the MAC address you requested for that IP, and the VM then uses this public IP directly. Our plan is to assign that IP to the ikuai VM, i.e. the soft router's WAN port, so that every internal segment behind the virtual bridge can reach the internet.

Download the latest ISO from the ikuai website and install it as a VM. Set the ordered IP on the WAN interface and give the LAN interface an address in the internal bridge's subnet. The details of ikuai's interface configuration, VLANs, masks and so on are covered by many other tutorials and are not repeated here.

My advice is to leave the default public IP alone and keep it for the host; if the default IP is misconfigured the host becomes unreachable. Do all of the later configuration with the additionally ordered IP.

Then enable ikuai's DHCP function. When creating new VMs, attach them all to vlan1, that is, the internal segment you configured.

ikuai is not the only way to get DHCP: isc-dhcp-server together with iptables rules can also provide DHCP and port mapping. If you don't want to spend money on an extra IP, you can skip DHCP altogether and do port mapping with iptables rules alone. There are many ways to play with this; explore on your own.