3.2 update breakes guest ipv6 networking when using vlans onthe same bridge

[rahman]

Hi,

We use our KVM cluster for both DMZ servers and local servers. Local servers uses tagged vlans on the bridge. Our topology is like the attached image.
In every proxmox host VMs uses vmbr1 bridge. DMZ VMs does not configured with any vlans. So their traffic go through dmz switch -> firewall. Lan server VMs configured with vlans on vmbr1 so their traffic go through dmz switch -> Lan backbone. On dmz switch all local vlans are tagged on the switch ports which are connected to proxmox hosts vmbr1 physical interface (eth0) and port that connected to backbone switch.

It was working without any issues until I upgraded to 3.2. After the upgrade, Ipv4 traffic runs without issue but Ipv6 traffic screwed up.

root@webserver-new:~# route -6Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
xxx:101::/64          ::                         UAe  256 0     0 eth0
xxx:10a::/64          ::                         UAe  256 0    47 eth0
xxx:10b::/64          ::                         UAe  256 0    63 eth0
xxx:10c::/64          ::                         UAe  256 0   132 eth0
xxx:10d::/64          ::                         UAe  256 0    58 eth0
xxx:10e::/64          ::                         UAe  256 0    47 eth0
xxx:10f::/64          ::                         UAe  256 0    59 eth0
xxx:110::/64          ::                         UAe  256 0    48 eth0
xxx:111::/64          ::                         UAe  256 0    83 eth0
xxx:112::/64          ::                         UAe  256 0    48 eth0
xxx:113::/64          ::                         UAe  256 0    69 eth0
xxx:114::/64          ::                         UAe  256 0   840 eth0
xxx:115::/64          ::                         UAe  256 0    69 eth0
xxx:11a::/64          ::                         UAe  256 0     0 eth0
xxx:121::/64          ::                         UAe  256 0    46 eth0
xxx:252::/64          ::                         U    256 0     1 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           xxx:252::1        UG   1   0  1659 eth0

This is the output of one of DMZ KVM guest. As you can see it thinks that all lan ipv6 blocks as neigbours. So when I try to connect to our web server via ipv6 address from a lan PC (xxx:10a::/64) the traffic goes through our firewall (xxx:252::1 ) as expected but the kvm guest doesn't send the reply via its default gateway as it thinks xxx:10a::/64 is his neighbour. So the the ipv6 traffic from lan to dmz and dmz to lan screwed up.

I don't understand why linux bridge vmbr1 forward tagged local vlan traffic to guest vms that has no vlan config?

Any advice?

 

[rahman]

With using Debian 3.10 kernel it is working as expected. Linux bridge does its job and doesn't forward vlan traffic to all VMs.

root@webserver-new:~# route -6Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
xxx:252::/64          ::                         U    256 0     1 eth0
fe80::/64                      ::                         U    256 0     0 eth0
::/0                           xxx:252::1        UG   1   0     5 eth0
::/0                           ::                         !n   -1  1     7 lo
::1/128                        ::                         Un   0   1   165 lo
xxx::53/128       ::                         Un   0   1     6 lo
fe80::d8ba:d7ff:fe29:5598/128  ::                         Un   0   1     2 lo
ff00::/8                       ::                         U    256 0     0 eth0
::/0                           ::                         !n   -1  1     7 lo

as you see the VM doesn't see LAN ipv6 subnets anymore as expected. So something is broken with this PVE kernel bride code.