[SOLVED] ipv6 not fully disabled ?

[toxic]

Hello,

I have disabled IPv6 on my pve host like this : (and rebooted several times since then)

root@pve:~# tail -n 6 /etc/sysctl.conf
###################################################################
# Disable IPv6
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

Sadly, for some very unknown reason, when I connect my opnSense router and tell it to route through my PIA VPN access (that has IPv6 disabled as well), my pve host suddenly starts to use ipv6...

Here is a curl example, of course, it fails :

curl -v http://ftp.fr.debian.org/
[...]
Expire in 200 ms for 1 (transfer 0x56257088ef50)
*   Trying 212.27.32.66...
* TCP_NODELAY set
* Expire in 149827 ms for 3 (transfer 0x56257088ef50)
* Expire in 200 ms for 4 (transfer 0x56257088ef50)
*   Trying 2a01:e0c:1:1598::2...
* TCP_NODELAY set
* Expire in 149827 ms for 3 (transfer 0x56257088ef50)
* Immediate connect fail for 2a01:e0c:1:1598::2: Cannot assign requested address
*   Trying 2a01:e0c:1:1598::2...

I don't get it, whatever happens on my router, pve should never hear about 2a01:e0c:1:1598::2 or try to connect to it...

Am I missing something here ?

I'm digging on the router to configure my VPN with things like this :

pull-filter ignore redirect-gateway
pull-filter ignore "dhcp-option DNS"
pull-filter ignore "ifconfig-ipv6 "
pull-filter ignore "route-ipv6 "

But I still don't understand how it can happen...
Because once in a while, even with the VPN connected, pve will try to contact the IPv4 for the same host (ftp.fr.debian.org) and when it does, of course it works (and gets routed through the VPN yes, that's according to my policy routing)

Thanks in avance if you can help me shed some light on this strange behaviour...

Best regards,

Toxic

 

[Stoiko Ivanov]

I have disabled IPv6 on my pve host like this : (and rebooted several times since then)

what is the sysctl value after rebooting? (`sysctl -a |grep disable_ipv6`) - it could be a timing issue during system boot

 

[toxic]

Thanks for your help.
Sadly, I checked already and all 3 values are properly set when as sysctl shows after reboot.
My guess is that somehow, the dns living on opnSense VM does pull an IPv6 adress for the ftp.debian url when openVPN is connected to PIA, despite opnSense having IPv6 disabled for the dnsmasq dns server and for the openVPN client...
This would make sense: pve gets an IPv6 returned by the dns and fails to contact it since it's IPv6 stack is disabled.
So the issue in the end is on opnSense and only when the VPN is connected to PIA, but I can't get any help from opnSense side yet...

 

[Stoiko Ivanov]

Disabling ipv6 via sysctl has nothing to do with the responses you get from a DNS-server (it can answer with ipv6 addresses as well - just your system will not try to connect to them)

The question is why your PVE cannot reach:

212.27.32.66

 

[toxic]

Well the fun part about it is that if I insist and keep running te curl command, sometimes, quite randomly, it does decide to contact the 212.27.32.66 and those times it does manage to fetch the index.html page properly.
I think my suricata IDP was maybe slowing things down and causing issues, I've turned it off and will re-test again with the VPN.
But my goal would really be to avoid giving back IPV6 entries on any dns query...
Will be spinning up a pihole VM and force all dns queries to go to piHole soon, hope I can make sure that piHole is never handing out IPv6 results then...
Will keep you posted. If you have any further idea as to why pve tries to use IPv6 despite it being explicitly disabled, all hints are welcome.
And once again, thanks for your kind help, pve forum has a much more welcoming community than opnSense

 

[toxic]

In the end my issues were with my Wireless AP that is running openWRT and that is somehow distributing IPV6 adresses by DHCP despite the config having no IPv6 ULA prefix and DHCP disabled... I got tired of tring to disable IPv6 on the AP and juste plugged it off and replaced by another AP...