IPv6 forwarding problem

[eds]

Dear forum members,

since a few days I am trying to setup IPv6 for my containers, but I am having troubles. This is a typical dedicated server setup, with a single IPv4 address and a /64 IPv6 subnet in a routed configuration.

The host IPv6 setup seems to be alright, I can ping/connect to other internet hosts and can be pinged from the outside.

My containers can ping each other as well as the host, but cannot connect to any IPv6 internet hosts. It seems like the IP forwarding is not working.

My /etc/sysctl.conf has these values set
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.proxy_ndp=1

This is how my host /etc/network/interfaces looks like.

auto enp1s0f0
iface enp1s0f0 inet static
        address  1.1.3.14
        netmask  255.255.255.128
        gateway  1.2.3.1
iface  enp1s0f0 inet6 static
        address  2001:db8:ffed:0119::0
        netmask  128 # although this IP belongs to my /64 net

        post-up /sbin/ip -f inet6 route add  2001:db8:ffed:1:beef::1 dev enp1s0f0
        post-up /sbin/ip -f inet6 route add default via  2001:db8:ffed:1:beef::1
        pre-down /sbin/ip -f inet6 route del default via  2001:db8:ffed:1:beef::1
        pre-down /sbin/ip -f inet6 route del  2001:db8:ffed:1:beef::1 dev enp1s0f0

auto vmbr0
iface vmbr0 inet static
        address  192.168.100.1
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up   iptables -t nat -A POSTROUTING -s '192.168.100.0/24' -o enp1s0f0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.100.0/24' -o enp1s0f0 -j MASQUERADE

iface vmbr0 inet6 static
        address 2001:db8:ffed:0119::1:1
        netmask  64
        up ip -6 route add 2001:db8:ffed:0119::/64 dev vmbr0

And in a container like this:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.100.100
        netmask 255.255.255.0
        gateway 192.168.100.1

iface eth0 inet6 static
        address 2001:4BA0:FFED:0119::1:100
        netmask 64
        gateway 2001:4BA0:FFED:0119::1:1

My test containers have the IPs 2001:db8:ffed:0119::1:100 and 2001:db8:ffed:0119::1:101 and as I said they can ping the host itself with the IP 2001:db8:ffed:0119::1:1 and each other, but no hosts on the internet.
A traceroute shows me as first and only accessible hop the gateway address of vmbr0.
BTW all firewalling is switched off.

The documentation on this is a little scarce and I don't know how I could further debug it.

Any help greatly appreciated.

Best regards
eds

 

[eds]

So after almost two weeks no reply at all.

This can mean two things:

1. My question is so so stupid that no one wants to tell me the truth about my stupidity.
2. My config seems to be correct, but further debugging is hard... and needs a lot of expert knowledge.

In either case, please give me a quick hint on what I could do / read / learn ...

Thank you very much!

 

[Stoiko Ivanov]

address 2001:db8:ffed:0119::0

While this might not be so relevant anymore for ipv6 - I problably would not use the first address (network address) as ip on the host

up ip -6 route add 2001:db8:ffed:0119::/64 dev vmbr0

That should not be necessary (by giving an explicit address in the same network with the same netmask this route gets added automatically)

2001:4BA0:FFED:0119::1:100

This is a quite different network than

address 2001:db8:ffed:0119::1:1

(second quad is 4ba0 vs. db8) - is this by accident?

If not I'd suggest to start tcpdump along the way and see whether packets get out (and whether answers arrive)

I hope this helps!

 

[eds]

New server -- better luck!
I found out that in the Host Firewall Option NDS was switched off!

Enabling it, did the trick!