Notes summarizing many years of experience running a mini-cloud on Hetzner.
Careful. As of September 2018, Hetzner has been actively locking out machines that leak unpermitted MAC addresses onto their switch.
Hetzner sends out an email with the subject “Important client information: wrong server configuration”, with the following contents:
Dear Sir or Madam,
We have noticed that you have been using other MAC addresses in addition
to the allowed at your Robot account.
Please take all necessary measures to avoid this in the future and to
solve the issue.
Server [TYPE] #[ID] ([PUBLIC IP]):
Allowed MAC addresses:
[SNIP]
not allowed MAC addresses:
[SNAP0
…
..
]
In the event that you not solve the problem with the wrong MAC
addresses, your server can be blocked at any time after the [DEADLINE].
If you have any questions, please write us a support request via your
account on the user administration interface Robot and we will be happy
to assist you.
Yours faithfully
Your Hetzner Team
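Here’s the way to fix this with ebtables, by masquerading the internal addresses as they leave the interface. The command generates one SNAT rule per value of the fourth MAC octet (00 to ff), saves the rules to /tmp/ebatron.sh and then runs that script.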
python3 -c "for a in range(0x00,0xff+1): print(format(a,'X').zfill(2).lower())" | \
 awk '{print "ebtables -t nat -A POSTROUTING -s 00:16:3e:"$1":95:60 -j snat --to-src 38:d5:47:0:c:ed --snat-target ACCEPT --log --log-level=warning --log-prefix=MACREWRITE"}' | \
 tee /tmp/ebatron.sh && \
 bash /tmp/ebatron.sh
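To check that no unpermitted MAC still reaches the switch once the rules are loaded, the following added example (not part of the original notes) tallies source MACs outside the allowed set from `tcpdump -e -n` output. It assumes the capture holds outbound frames only (for instance taken with tcpdump's `-Q out`); the function names and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report source MACs in `tcpdump -e -n` output (stdin)
# that are not in a comma-separated allow-list (first argument).

# Normalise a MAC to lower-case, zero-padded octets,
# so 38:d5:47:0:c:ed compares equal to tcpdump's 38:d5:47:00:0c:ed.
norm_mac() {
  printf '%s\n' "$1" | awk -F: '{
    out = ""
    for (i = 1; i <= NF; i++) {
      o = tolower($i); if (length(o) == 1) o = "0" o
      out = out (i > 1 ? ":" : "") o
    }
    print out
  }'
}

# Print "count mac" for every source MAC that is not allowed.
leaked_macs() {
  allowed=""
  old_ifs=$IFS; IFS=,
  for m in $1; do allowed="$allowed $(norm_mac "$m")"; done
  IFS=$old_ifs
  awk -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # With -e, field 2 is the source MAC and field 3 is ">".
    $3 == ">" && length($2) == 17 && $2 ~ /^[0-9a-f:]+$/ {
      if (!($2 in ok)) seen[$2]++
    }
    END { for (m in seen) print seen[m], m }
  ' | sort -k2
}

# Constructed sample of outbound frames (not real traffic).
sample_capture() {
  cat <<'EOF'
12:00:00.000001 38:d5:47:00:0c:ed > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64
12:00:00.000102 00:16:3e:1a:95:60 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 98: 192.0.2.11 > 198.51.100.1: ICMP echo request, id 2, seq 1, length 64
12:00:00.000203 00:16:3e:2b:95:60 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.12, length 28
12:00:01.000304 00:16:3e:1a:95:60 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 98: 192.0.2.11 > 198.51.100.1: ICMP echo request, id 2, seq 2, length 64
12:00:01.000405 38:d5:47:00:0c:ed > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 198.51.100.1: ICMP echo request, id 1, seq 2, length 64
EOF
}

# Demo run: the two 00:16:3e guest MACs are reported, the allowed MAC is not.
sample_capture | leaked_macs "38:d5:47:0:c:ed"
```

An empty result from a live outbound capture means only allowed MACs are leaving the interface.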
© 2023 Web GMA R&D Ltd.