[SOLVED] Problems with IPv6 passthrough, can reach vm, but vm cant reach proxmox nor the internet.

[scolastico]

Hi,
i currently have some issues with ipv6. My plan is to create a setup like this: "proxmox <-> opnsense <-> vms". I'v allready successfully setup ipv4 with nat and all stuff, which works fine, but i would also like to use ipv6. With my current setup i can reach opnsense with it's ipv6 from outside and from proxmox, but opnsense cant connect to anything, not proxmox nor the internet with ipv6 as i get 100% packetloss. On the opnsense side everything seems fine, the icmp packet shows up in the logs and is allowed to leave the server, but nothing returns. So my guess is i messed something on the proxmox side up. Maybe someone here has a clue what the problem is. This is my interface file from proxmox:

root@Proxmox-VE ~ # cat /etc/network/interfaces
source /etc/network/interfaces.d/*


auto lo
iface lo inet loopback
iface lo inet6 loopback


auto eno1
iface eno1 inet static
  address <main ipv4>/32
  pointopoint <gateway ipv4>
  gateway <gateway ipv4>
  up sysctl -w net.ipv6.conf.all.forwarding=1
  up sysctl -w net.ipv4.ip_forward=1
  up ip addr add <additional ipv4> dev eno1
  down ip addr del <additional ipv4> dev eno1
# [...] skipped the remaining ipv4 config as it should not be relevant for this


iface eno1 inet6 static
  address <ipv6 net>::2/128
  gateway fe80::1


auto vmbr0
iface vmbr0 inet manual
  ovs_type OVSBridge


auto vmbr1
iface vmbr1 inet static
  address 10.10.10.1/24
  bridge-ports none
  bridge-stp off
  bridge-fd 0


iface vmbr1 inet6 static
  address <ipv6 net>::1336/127
  up ip -6 route add <ipv6 net>::/64 dev vmbr1
  down ip -6 route del <ipv6 net>::/64 dev vmbr1

Edit: as i have also a thread on the unofficial proxmox discord, i copy my response to some questions here.

Also why are you setting up your ipv6 on eno1 instead of your bridge?

In most tutorials, blogs, documentation i read to do so, even on the site of my hoster this is mentiond:
see https://community.hetzner.com/tutor...proxmox_ve#configure-ip-addresses-on-the-host

Why using OVSBridge ?

Every vm is connected to that with an vlan tag, so vms must communicate through opnsense and cant communicate directly with each other

Why is your second ipv6 a /127

Same as first, i read so in some forums, blogs and tutorials, i'v also tried with other sizes without luck

 

[scolastico]

I'v found the problem: While debugging ipv4 and ipv6 i created an explicit allow rule at some point for outgoing ipv6 traffic in opnsense.

Idk why, but it seems like that caused all packages to be lost in after the firewall, as "opnsense (ping) [ok] -> opnsense (firewall) [ok] -> proxmox [ok] -> opnsense(firewall) [ok] -> opnsense (ping) [packet lost]". As a tip if someone has similar problems like i had, google "wireshark through ssh" and/or utilize the package analyze tools from opnsense.

This is the rule which caused all these problems:

 

[eakteam]

I'v found the problem: While debugging ipv4 and ipv6 i created an explicit allow rule at some point for outgoing ipv6 traffic in opnsense.

Idk why, but it seems like that caused all packages to be lost in after the firewall, as "opnsense (ping) [ok] -> opnsense (firewall) [ok] -> proxmox [ok] -> opnsense(firewall) [ok] -> opnsense (ping) [packet lost]". As a tip if someone has similar problems like i had, google "wireshark through ssh" and/or utilize the package analyze tools from opnsense.

This is the rule which caused all these problems:

View attachment 59593

Hi, i am struggling with almost the same comfiguration... Can you please help on how did you create OPNSense WAN, Gateway and other stuff to make this /64 network works fine?

Trying to assign DHCPv6 to LAN connected VMs with an IP from /64 network but no luck....

Thank you!