IPv6 only works after pinging the default gateway

Jan 21, 2022
Hello community,

we observe a strange problem here (Cluster on PVE 7.2-3 with open vSwitch): The ICMPv6 NS (Neighbor Solicitation) packet does not seem to arrive inside the VM (it is a Cisco C9800-CL Wireless Controller) when the vNIC has "firewall=1" set. As soon as we remove the "firewall=1" option, everything works.

"firewall=1" causes the problem that a VM (or in this case a Wireless Client attached to an Access Point that tunnels the traffic through the Wireless Controller) is unable to communicate via IPv6 before it has pinged the gateway. After pinging, everything works normally. The gateway ping is not needed if "firewall=1" is removed from the vNIC, so it does not seem to be a problem inside the VM but instead on the Proxmox host.

We don't use any firewall functionality of Proxmox, so we left all settings at their defaults:
- "firewall=1" on every vNIC
- "Firewall" is set to "No" in the VM Firewall Options
- "Firewall" is set to "Yes" on every cluster node

The described behaviour seems to be new (with PVE 7.2?) because we did not change anything in the options and IPv6 worked fine until a few weeks ago.

It seems to me that either the firewall is not entirely disabled or there is some sort of a bug, maybe in open vSwitch?

Has anything changed in the firewall code that could cause the misbehaviour? What can we do to assist in troubleshooting?

Kind regards,

Robin Därmann
(Network Operation Center RUB)
 

shrdlicka

Proxmox Staff Member
May 2, 2022
Hi :),
Did you check if NDP filtering is enabled in the firewall options? It just says "NDP" with a checkbox, maybe try toggling that when the firewall is enabled.
 
Jan 21, 2022
Hi,

yes, NDP is enabled on all levels (Datacenter, Host and VM). It makes no difference disabling it at any place, I checked every combination. Even disabling the firewall on Host (it is already disabled on Datacenter level) makes no difference. Only removing "firewall=1" from the vNIC helps.

Removing "firewall=1" from a vNIC removes the corresponding interfaces on the Proxmox host too:

Code:
Jun  1 13:33:14 virt-2 kernel: [702173.436272] fwbr1046i1: port 1(tap1046i1) entered disabled state
Jun  1 13:33:14 virt-2 kernel: [702173.478573] fwbr1046i1: port 2(fwln1046o1) entered disabled state
Jun  1 13:33:14 virt-2 kernel: [702173.478893] device fwln1046o1 left promiscuous mode
Jun  1 13:33:14 virt-2 kernel: [702173.478897] fwbr1046i1: port 2(fwln1046o1) entered disabled state

Re-enabling, of course, re-creates the interfaces.

Any idea about what may be causing this behaviour?
 
