Loosing IPv6 connectivity after some time

[Aiko Barz]

Does anybody else have this Problem?

Our virtual machines loose their IPv6-connectivity after a period time. To be precise: They loose internet connectivity. They are still able to access neighbors within their broadcast domain. After a direct PING to the public IPv6 address of the Cisco router, they gain access again for some time.

I also have a workaround, that I have to apply to the Proxmox host:

$ cd /sys/class/net; for i in vmbr*; do echo 0 > $i/bridge/multicast_snooping; done​

I have to do this after every reboot. I am puzzled why this is all necessary.

The proxmox server creates a bridge on a 802.1Q VLAN. Example:

auto vmbr2
iface vmbr2 inet manual
bridge_ports eth1.2
bridge_stp off
bridge_fd 0​

On the other end, we use switch stacks from Cisco.

Kind regards,
Aiko

 

[abma]

I've hit the same problem.

https://pve.proxmox.com/wiki/Multicast_notes#Linux:_Disabling_Multicast_snooping_on_bridges

/etc/network/interfaces:

  post-up ( echo 1 > /sys/devices/virtual/net/$IFACE/bridge/multicast_querier )
  post-up ( echo 0 > /sys/class/net/$IFACE/bridge/multicast_snooping )

 

[scyto]

are your VMs statically IPv6 addressed, using slacc or using dhcp-v6?

have you modified any sysctls for IPv6?

have you enabled NDP on the host and VM firewalls?

have you tested with firewall off and input policy set to accept on both?

 

[abma]

are your VMs statically IPv6 addressed, using slacc or using dhcp-v6?

dhcp-v6

have you modified any sysctls for IPv6?

no.

have you enabled NDP on the host and VM firewalls?

firewall is disabled.

have you tested with firewall off and input policy set to accept on both?

no need to test as the firewall is disabled. Disabling multicast_snooping clearly fixed the problem: before every 3-5h the connection was lost.

 

[scyto]

Things is, I have same setup, don’t have same issue. Difference maybe I have NDP forwarding turned on in the kernel.

 

[abma]

I'm pretty sure the problem depends on the gateway / switch. As the gateway is configured by my provider idk whats configured there.

https://pve.proxmox.com/wiki/Multicast_notes#Disabling_IGMP_Snooping_.28not_recommended.29 :

"Snooping should be enabled on either the router / switch or on the linux bridge, but it may not work if enabled on both. If you have a hosting provider that has igmp snooping enabled on the multicast switch, it may be necessary to disable snooping on the linux bridge. ..."

 

[anutrix]

Facing this exact issue. I have snooping disabled and querier enabled:

❯ cat /sys/class/net/vmbr0/bridge/multicast_snooping
0

❯ cat /sys/class/net/vmbr0/bridge/multicast_querier
1

Tried querier disabled too. Same issue.

Contents of my /etc/network/interfaces:

auto lo
iface lo inet loopback

iface enp2s0 inet manual

iface wlo1 inet manual

iface wlan0 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.150/24
        gateway 192.168.1.1
        bridge-ports enp2s0
        bridge-stp off
        bridge-fd 0
        bridge-mcsnoop no
        bridge-mcquerier yes

# IPv6 via SLAAC configuration depends on 'net.ipv6.conf.vmbr0.accept_ra = 2' in /etc/sysctl.d/99-proxmox-host-ipv6-slaac.conf file
iface vmbr0 inet6 auto
        autoconf 1
        accept_ra 2

Notes:
- Cannot access or ping any public ipv6 addresses(e.g, google.com 2001:4860:482d:7700: from any lxc.
- Can ping host ipv6 address from lxc and lxc ipv6 address from host.
- Cannot ping host or lxc IPv6 addresses from devices in the local subnet.
- Issue goes away for short time on restarting the lxcs or host.

 

[_gabriel]

try

R

Post in thread 'IPv6 forwarding enabled by default on one interface'

Apr 6, 2026

The root cause is the Proxmox firewall service (pve-firewall). When it starts, it sets net.ipv6.conf.all.forwarding=1 globally because VMs and containers need IPv6 packet forwarding to work. This happens even if the firewall is technically "disabled" in the GUI, because the pve-firewall service still runs and applies base networking sysctls.

You can verify this by checking:

sysctl net.ipv6.conf.all.forwarding

If it returns 1, that is pve-firewall's doing. The problem is that Linux by design stops accepting Router Advertisements (and therefore SLAAC) on any interface where IPv6...

• RianKellyIT

•