Running libvirt on Hetzner with libvirt-fabric-restapi

Notes summarizing many years of experience running a mini-cloud on Hetzner.

Mac address masquerading

Careful. As of september 2018, Hetzner’s been actively locking out machines that leak unpermitted MAC addresses onto their switch.

Hetzner sends out an email with subject “Important client information: wrong server configuration“, with the following contents:

Dear Sir or Madam,

We have noticed that you have been using other MAC addresses in addition

to the allowed at your Robot account.

Please take all necessary measures to avoid this in the future and to

solve the issue.

Server [TYPE] #[ID] ([PUBLIC IP]):

Allowed MAC addresses:


not allowed MAC addresses:




In the event that you not solve the problem with the wrong MAC

addresses, your server can be blocked at any time after the [DEADLINE].

If you have any questions, please write us a support request via your

account on the user administration interface Robot and we will be happy

to assist you.

Yours faithfully

Your Hetzner Team

Here’s the way to fix this with ebtables, by masquerading the internal addresses as they leave the interface.

module.exports = "python -c \"for a in xrange(0x00,0xff+1): print(format(a,'X').zfill(2).lower())\" | \\\n  awk '{print \"ebtables -t nat -A POSTROUTING -s 00:16:3e:\"$1\":95:60 -j snat --to-src 38:d5:47:0:c:ed --snat-target ACCEPT --log --log-level=warning --log-prefix=MACREWRITE\"}' | \\\n  tee /tmp/ && \\\n  bash /tmp/"

© 2023 Web GMA R&D Ltd.