IPv6 forwarding problem


Aug 17, 2019
Dear forum members,

since a few days I am trying to setup IPv6 for my containers, but I am having troubles. This is a typical dedicated server setup, with a single IPv4 address and a /64 IPv6 subnet in a routed configuration.

The host IPv6 setup seems to be alright, I can ping/connect to other internet hosts and can be pinged from the outside.

My containers can ping each other as well as the host, but cannot connect to any IPv6 internet hosts. It seems like the IP forwarding is not working.

My /etc/sysctl.conf has these values set

This is how my host /etc/network/interfaces looks like.

auto enp1s0f0
iface enp1s0f0 inet static
iface  enp1s0f0 inet6 static
        address  2001:db8:ffed:0119::0
        netmask  128 # although this IP belongs to my /64 net

        post-up /sbin/ip -f inet6 route add  2001:db8:ffed:1:beef::1 dev enp1s0f0
        post-up /sbin/ip -f inet6 route add default via  2001:db8:ffed:1:beef::1
        pre-down /sbin/ip -f inet6 route del default via  2001:db8:ffed:1:beef::1
        pre-down /sbin/ip -f inet6 route del  2001:db8:ffed:1:beef::1 dev enp1s0f0

auto vmbr0
iface vmbr0 inet static
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '' -o enp1s0f0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '' -o enp1s0f0 -j MASQUERADE

iface vmbr0 inet6 static
        address 2001:db8:ffed:0119::1:1
        netmask  64
        up ip -6 route add 2001:db8:ffed:0119::/64 dev vmbr0

And in a container like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static

iface eth0 inet6 static
        address 2001:4BA0:FFED:0119::1:100
        netmask 64
        gateway 2001:4BA0:FFED:0119::1:1

My test containers have the IPs 2001:db8:ffed:0119::1:100 and 2001:db8:ffed:0119::1:101 and as I said they can ping the host itself with the IP 2001:db8:ffed:0119::1:1 and each other, but no hosts on the internet.
A traceroute shows me as first and only accessible hop the gateway address of vmbr0.
BTW all firewalling is switched off.

The documentation on this is a little scarce and I don't know how I could further debug it.

Any help greatly appreciated.

Best regards
So after almost two weeks no reply at all.

This can mean two things:

1. My question is so so stupid that no one wants to tell me the truth about my stupidity.
2. My config seems to be correct, but further debugging is hard... and needs a lot of expert knowledge.

In either case, please give me a quick hint on what I could do / read / learn ...

Thank you very much!
address 2001:db8:ffed:0119::0
While this might not be so relevant anymore for ipv6 - I problably would not use the first address (network address) as ip on the host
up ip -6 route add 2001:db8:ffed:0119::/64 dev vmbr0
That should not be necessary (by giving an explicit address in the same network with the same netmask this route gets added automatically)

This is a quite different network than
address 2001:db8:ffed:0119::1:1
(second quad is 4ba0 vs. db8) - is this by accident?

If not I'd suggest to start tcpdump along the way and see whether packets get out (and whether answers arrive)

I hope this helps!
New server -- better luck!
I found out that in the Host Firewall Option NDS was switched off!

Enabling it, did the trick!


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!