LXC and IPv6

[datenimperator]

Hi all,

I'm trying to get IPv6 working on a fresh install of Proxmox VE 4.2 on an OVH server. I can ping6 www.google.com from inside a LXC container. Trying this from the host gives me

root@s7:~# ping6 www.google.com
connect: Network is unreachable

Pinging a IPv6 assigned to a LXC from outside returns

$ ping6 2001:41d0:1000:0b87::101
ping6: UDP connect: No route to host

The manual reads:

To enable filtering of IPv6 traffic, first ensure the host has a working IPv6 address configured on vmbr0 (or whichever WAN facing interface you are using) and that it has an IPv6 loopback interface ('iface lo inet6 loopback'). You can then enable the IPv6 macros as needed, which will ensure that any IPv4 rules will also be applied to IPv6.

I did add a IPv6 to vmbr0 and made sure there a IPv6 loopback device by adding that line to /etc/network/interfaces and restart. Which IPv6 macros is this referring to? Regards

Christian

 

[wbumiller]

Did you configure ipv6 on the host and have you activated it after changing the interfaces file? (iow. rebooted) This looks like you're missing routes and possibly an address, too.

 

[datenimperator]

In my network config i have

• iface lo inet6 loopback

• the standard inet6 config from the OVH template, with default IPv6 routes on vmbr0

and rebooted after the change. Do I need to pick an address from the /64 for my host, too? I tried with <my net>::1 but that didn't change anything. Outbound IPv6 from a container works.

 

[wbumiller]

Why yes, if you want to connect to the ipv6 world from your host, then your host needs an ipv6 address from your ipv6 range, too, including routes.

 

[datenimperator]

Why yes, if you want to connect to the ipv6 world from your host, then your host needs an ipv6 address from your ipv6 range, too, including routes.

As I stated before: I tried both the original OVH setup that's identical to http://pve.proxmox.com/wiki/OVH#IPv6 as well as adding "1" after the :: of the address stance. It did not make a difference after a restart. Currently my config looks just as described in the Wiki.

 

[wbumiller]

Can you post the runtime configuration? Output of:

# ip -6 a
# ip -6 r

 

[datenimperator]

Can you post the runtime configuration? Output of:

# ip -6 a
# ip -6 r

Sure, please see here: https://gist.github.com/datenimperator/cee2651d6362992db8ebeb427b0c6354

 

[wbumiller]

Okay, this seems to include the address and network route - no default route though so you're limited to talking to the containers. (Are the post-up commands correct? Since you're using routing, you should be able to do an `ifdown vmbr0 ; ifup vmbr0` remotely to see any error messages happening during the setting up of the bridge. Note that this will unlink all running guests from that bridge.)
A 'no route to host' error with this runtime configuration makes no sense though, are you sure those were the same conditions as when you pasted the output of attempting to ping a container?
General questsions:
Do you use the firewall? Is NDP traffic allowed to the host?
Can you check with tcpdump where the packets get lost?
Can you ping the container's link-local addresses (The fe80... addresses from inside (not the one you see on the tap devices))? (You'll have to pass the network device with the -I switch to ping, or use 'address%interface' notation on BSDs)
Can the containers ping the host's vmbr0's link-local address?

 

[datenimperator]

After enabling the NDP option as well as accepting NDP traffic both on cluster and host level I'm now able to connect to the IPv6 addresses.

I'd like to add that I find that firewall setup very confusing. What belongs where? Also documentation is sparse. Thank you anyway.