[SOLVED] Disable IPv6 entirely

[markc]

I've added ipv6.disable=1 to /etc/kernel/cmdline and rebooted, it shows up in /proc/cmdline and sure enough ip a does not show any ipv6 interfaces. However, now when I try to reboot a VM I am seeing an endless stream of these lines in the host logs and the Proxmox Mail Gateway VM won't reboot...

May 18 21:42:01 pve3 pve-firewall[2053]: status update error: iptables_restore_cmdlist: \
   Try `ip6tables-restore -h' or 'ip 6tables-restore --help' for more information.

There are no Datacenter, host node or VM firewall rules in place. How do I get rid of the above error without disabling pve-firewall?

pve-manager/7.4-3/9002ab8a (running kernel: 6.2.11-2-pve)

 

[_gabriel]

be careful, disabling full ipv6 break proxmox backup server.

 

[markc]

Okay, thanks for the heads-up. My upstream does not provide IPv6. I am trying to kill it off inside my LAN, so I can more easily troubleshoot a Proxmox Mail Gateway problem.

 

[markc]

In short, systemctl disable pve-firewall --now on all host nodes solves my ipv6-less LAN network induced problem and allows me to reboot and shutdown my VM/CTs again. Not ideal and still ugly, but it does indeed solve my immediate problem that I can't have, don't need and don't want IPv6 anything on my LAN, but I still want to be able to reboot and shutdown my VM/CTs from the gui and cli and not have to force stop them.

May 19 11:27:39 pve3 bgpd[1385]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF fwln116i0 in VRF 0
May 19 11:27:39 pve3 kernel: device fwpr116p0 left promiscuous mode
May 19 11:27:39 pve3 kernel: vmbr0: port 2(fwpr116p0) entered disabled state
May 19 11:27:39 pve3 bgpd[1385]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF fwpr116p0 in VRF 0
May 19 11:27:39 pve3 bgpd[1385]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF fwbr116i0 in VRF 0
May 19 11:27:39 pve3 bgpd[1385]: [VCGF0-X62M1][EC 100663301] INTERFACE_STATE: Cannot find IF tap116i0 in VRF 0
May 19 11:27:39 pve3 qmeventd[1230]: read: Connection reset by peer
May 19 11:27:39 pve3 pvedaemon[577510]: VM 116 qmp command failed - VM 116 not running
May 19 11:27:39 pve3 pvestatd[2059]: VM 116 qmp command failed - VM 116 not running
May 19 11:27:39 pve3 pvedaemon[644756]: <root@pam> end task UPID:pve3:0010A090:0086CED4:6466D084:qmreboot:116:root@pam: OK
May 19 11:27:39 pve3 systemd[1]: 116.scope: Succeeded.

 

[Stoiko Ivanov]

Have you tried disabling ipv6 as described in the reference documentation:
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#_disabling_ipv6_on_the_node

(if yes and this does not work in your environment please describe, what's not working)

I hope this helps!

 

[markc]

Thank you Stoiko, I previously added those settings to /etc/sysctl.conf, and it did not seem to work, so in desperation I thought I'd try adding ipv6.disable=1 to the kernel boot sequence. I have now followed the simple instructions in the sysadmin docs, and it works as I would expect (no IPv6 devices in "ip a" output) and I can restart and shutdown VM/CTs from the web gui. For futureme, the settings are...

~ cat /etc/sysctl.d/disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

 

[Spoonman2002]

be careful, disabling full ipv6 break proxmox backup server.

Do you mean the Backup Server itself will break, or does it break and we cannot make vm backups to the PBS ?
And what exactly does "break" mean, can you explain please..

 

[Spoonman2002]

Have you tried disabling ipv6 as described in the reference documentation:
https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#_disabling_ipv6_on_the_node

(if yes and this does not work in your environment please describe, what's not working)

I hope this helps!

So this will disable ipv6 on the PVE host itself.
But how do I disable ipv6 in vm's and in lx containers?
Because the vm's and lx containers still show ipv6 addresses....

 

[_gabriel]

you need to disable ipv6 on each guest (vm & ct).
they've their own network stack.

 

[Spoonman2002]

you need to disable ipv6 on each guest (vm & ct).
they've their own network stack.

see my comment in this post, ipv6 is completely disabled also in lx containers.
I would like to do the same with another PVE host, but this one boots from systemd-boot instead of GRUB.
I read some comments about strange firewall errors when disabling ipv6. Also someone mentioned that Proxmox Backup Server "breaks" when disabling ipv6.

https://forum.proxmox.com/threads/disable-ipv6-within-lcx-container.124697/#post-561783

 

[bryzgalov]

~# diff /usr/share/perl5/PVE/Firewall.pm.orig /usr/share/perl5/PVE/Firewall.pm.ipv6-disabled
1913c1913
< run_command(['ip6tables-restore', '-T', $table, '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");
---
> #run_command(['ip6tables-restore', '-T', $table, '-n'], input => $cmdlist, errmsg => "iptables_restore_cmdlist");

After making changes reboot or (/usr/sbin/pve-firewall stop;/usr/sbin/pve-firewall start)

 

[lxiosjao]

Thank you Stoiko, I previously added those settings to /etc/sysctl.conf, and it did not seem to work, so in desperation I thought I'd try adding ipv6.disable=1 to the kernel boot sequence. I have now followed the simple instructions in the sysadmin docs, and it works as I would expect (no IPv6 devices in "ip a" output) and I can restart and shutdown VM/CTs from the web gui. For futureme, the settings are...

~ cat /etc/sysctl.d/disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Hi,
Does this method break proxmox backup server ?

 

[_gabriel]

Hi,
Does this method break proxmox backup server ?

I had noted with default.disable_ipv6=1 break PBS but with all.disable_ipv6=1 alone PBS works.