Network architecture
Hetzner MAC Filtering
Critical: Bridge MAC
The bridge `br0` MUST use the MAC address of the physical interface: `10:7c:61:4f:28:62`.
Hetzner filters all traffic by MAC address; a wrong MAC means complete connection loss.
Network files
| Parameter | Value |
|---|---|
| Host IP | `46.4.96.105/32` (single IP) |
| Gateway | `46.4.96.129` (on-link, different subnet!) |
| IPv6 | `2a01:4f8:140:829d::/64` |
| Host IPv6 | `::2` |
| VM IPv6 | `::3` to `::9` |
| Physical IF | `enp4s0` (enslaved to `br0`) |
| Bridge | `br0` (carries the IP) |
| VM IPs | `46.4.96.150` (ansitel PBX) |
Network topology
```
enp4s0 (no IP!) ──enslaved──> br0 (46.4.96.105/32)
                                ├── Docker (ai-network 172.23.0.0/16)
                                │   └── Traefik :80/:443
                                └── KVM VMs
                                    └── ansitel (46.4.96.150/32, routed)
```
Safety tools
```
# Test netplan with automatic rollback
sudo netplan-safe-apply.sh 120
# Test a new config (rollback after timeout)
sudo netplan-test-config.sh /path/to/config.yaml
# Syntax check
sudo netplan generate
```
Never
- Use `netplan apply` directly; always use `netplan-safe-apply.sh`
- Put an IP configuration on `enp4s0` (only on `br0`!)
- Change the bridge MAC
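The invariants above (bridge MAC, `enp4s0` enslaved to `br0`, no address on `enp4s0`) can be verified before and after any netplan change. The script below is an added example, not part of this host's tooling; the `SYSFS_NET` override, the `--live` switch and all function names are assumptions of the example.

```sh
#!/bin/sh
# Added example: pre-flight check of this page's invariants before netplan changes.
# SYSFS_NET and all function names are assumptions of this example.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
EXPECTED_MAC="10:7c:61:4f:28:62"   # MAC of the physical interface (from the page)
PHYS_IF="enp4s0"
BRIDGE_IF="br0"

# Print the lower-cased MAC of interface $1 as the kernel reports it.
iface_mac() { tr 'A-F' 'a-f' < "$SYSFS_NET/$1/address"; }

# Succeed only if the bridge carries the expected MAC.
bridge_mac_ok() {
  [ "$(iface_mac "$BRIDGE_IF" 2>/dev/null)" = "$EXPECTED_MAC" ]
}

# Succeed only if the physical interface is enslaved to the bridge.
phys_enslaved_ok() {
  master="$(readlink "$SYSFS_NET/$PHYS_IF/master" 2>/dev/null)" || return 1
  [ "${master##*/}" = "$BRIDGE_IF" ]
}

# Read `ip -o addr show` output on stdin and print every address bound to
# the physical interface. Link-local IPv6 is ignored (assumption).
phys_addrs() {
  awk -v ifc="$PHYS_IF" \
    '$2 == ifc && ($3 == "inet" || $3 == "inet6") && $4 !~ /^fe80:/ { print $4 }'
}

# Run all checks. $1 is captured `ip -o addr show` output.
# Returns the number of violated invariants (0 = safe).
preflight() {
  fails=0
  bridge_mac_ok || {
    echo "FAIL: $BRIDGE_IF MAC differs from $EXPECTED_MAC" >&2; fails=$((fails + 1)); }
  phys_enslaved_ok || {
    echo "FAIL: $PHYS_IF is not enslaved to $BRIDGE_IF" >&2; fails=$((fails + 1)); }
  addrs="$(printf '%s\n' "$1" | phys_addrs)"
  [ -z "$addrs" ] || {
    echo "FAIL: $PHYS_IF carries an address: $addrs" >&2; fails=$((fails + 1)); }
  return "$fails"
}

# Live use: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
  preflight "$(ip -o addr show)" && echo "OK: bridge invariants hold"
fi
```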
VM routing
VMs get routed `/32` public IPs (no NAT):
```
vmctl list              # List all VMs
vmctl start NAME        # Start VM
vmctl stop NAME         # Graceful shutdown
vmctl create TPL NAME   # Create VM from template
```
Routing service: the systemd service `vm-ip-routing.service` sets proxy ARP + routes.