IPv6 forwarding enabled by default on one interface

Compizfox

I was pulling my hair out on why one of my interfaces on a fresh Proxmox VE 7.2-1 install did not get an IPv6 SLAAC address, until I found out that IPv6 forwarding was enabled for that one interface. E.g.:

Code:
root@eos:~# cat /proc/sys/net/ipv6/conf/vmbr0/forwarding
1

After setting this to 0 (as it should be), IPv6 SLAAC was working as expected.

Now, why (and where) is this set to 1 by default, and where can I turn off this behavior?

For reference, the relevant part in my /etc/network/interfaces is:

Code:
auto vmbr0
iface vmbr0 inet static
        address 192.168.4.2/24
        gateway 192.168.4.1
        bridge-ports enp4s0.1 enp4s0.5
        bridge-stp off
        bridge-fd 0
 
Every reboot, IPv6 forwarding for this interface gets enabled again.

Can anyone tell me where this is being set from? Both /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf are empty (well, only comments).
 
This seems to be the cause of my 'IPv6 via SLAAC on Proxmox host' woes. Was any reason for this found out? Or how this was implemented since sysctl.d is empty?
 
The root cause is the Proxmox firewall service (pve-firewall). When it starts, it sets net.ipv6.conf.all.forwarding=1 globally because VMs and containers need IPv6 packet forwarding to work. This happens even if the firewall is technically "disabled" in the GUI, because the pve-firewall service still runs and applies base networking sysctls.

You can verify this by checking:

sysctl net.ipv6.conf.all.forwarding

If it returns 1, that is pve-firewall's doing. The problem is that Linux by design stops accepting Router Advertisements (and therefore SLAAC) on any interface where IPv6 forwarding is enabled. This is an intentional kernel behavior: a device that forwards packets is considered a router, and routers should not autoconfigure from other routers' RAs.

The post-up workaround _gabriel mentioned works but needs an extra step. After disabling forwarding per-interface, you also need to tell the kernel to accept RAs again on that interface:

post-up echo 0 > /proc/sys/net/ipv6/conf/vmbr0/forwarding
post-up echo 1 > /proc/sys/net/ipv6/conf/vmbr0/accept_ra

Without the accept_ra line, the interface may still not pick up SLAAC addresses even with forwarding disabled, because the accept_ra default changes when forwarding has been toggled.

If you need both IPv6 forwarding for VMs and SLAAC on the host, set accept_ra to 2 instead of 1. The value 2 means "accept RAs even when forwarding is enabled", which is specifically designed for this use case:

post-up echo 2 > /proc/sys/net/ipv6/conf/vmbr0/accept_ra
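
Added example, not part of the original post: a POSIX shell check that reads the forwarding and accept_ra values per interface and reports whether the kernel will process Router Advertisements there. The function names and the sample tree (including vmbr1 and vmbr2) are constructed for illustration; the accept_ra meanings follow the kernel's ip-sysctl documentation.

```shell
#!/bin/sh
# Added example: will the kernel process Router Advertisements on an interface?
# accept_ra semantics (kernel ip-sysctl documentation):
#   0 = never accept RAs
#   1 = accept RAs only while forwarding is disabled
#   2 = accept RAs even when forwarding is enabled

# ra_verdict FORWARDING ACCEPT_RA -> prints "accepts" or "ignores"
ra_verdict() {
    case "$2" in
        2) echo accepts ;;
        1) if [ "$1" = 0 ]; then echo accepts; else echo ignores; fi ;;
        *) echo ignores ;;
    esac
}

# audit_tree DIR -> one line per interface; DIR is laid out like
# /proc/sys/net/ipv6/conf (on a real host: audit_tree /proc/sys/net/ipv6/conf)
audit_tree() {
    for d in "$1"/*/; do
        [ -r "${d}forwarding" ] && [ -r "${d}accept_ra" ] || continue
        fwd=$(cat "${d}forwarding")
        ra=$(cat "${d}accept_ra")
        printf '%s forwarding=%s accept_ra=%s %s\n' \
            "$(basename "$d")" "$fwd" "$ra" "$(ra_verdict "$fwd" "$ra")"
    done
}

# add_iface TREE NAME FORWARDING ACCEPT_RA (helper for the constructed sample)
add_iface() {
    mkdir -p "$1/$2"
    echo "$3" > "$1/$2/forwarding"
    echo "$4" > "$1/$2/accept_ra"
}

# make_sample_tree -> prints the path of a constructed tree (not real host data)
make_sample_tree() {
    t=$(mktemp -d)
    add_iface "$t" vmbr0 1 1   # forwarding on, accept_ra=1: no SLAAC
    add_iface "$t" vmbr1 1 2   # forwarding on, accept_ra=2: SLAAC still works
    add_iface "$t" vmbr2 0 1   # forwarding off, accept_ra=1: SLAAC works
    echo "$t"
}

sample=$(make_sample_tree)
audit_tree "$sample"
rm -rf "$sample"
```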
 