System responding to requests on IPv6 IPs that aren't bound

slashz0r

New Member
Oct 2, 2024
I've been trying to get IPv6 set up in my environment, but I am running into something I've personally never seen before in 15 years of working on Linux. At least, not without intentionally enabling the behavior.

My environment is Proxmox VE 8.2.5 running BIRD2, which peers with my upstream and announces my /44 prefix. The host can access the internet over individual addresses within my announced prefix; there do not appear to be any internet-facing connectivity problems from the host.

The IPs that are being bound to VMs/containers are not receiving traffic. When I tcpdump on the host, I see the packet from the guest flow out the vmbr0 bridged interface to the internet, then I see the return packet come to the host. This is where the host refuses to forward the packet back to the guest that originated the request, and acts as if that guest's address is its own!

I can ping any unbound IPv6 address within my prefix and the host responds when it should simply time out. I can go to ANY IPv6 address within my prefix at port 8006 and get the Proxmox control panel. This essentially means I cannot use IPv6 on these guests, as from the guests' perspective the traffic is being blackholed. The reality is the packets ARE being forwarded by the host to the internet, but the host is not forwarding the responses back, as if there is one-way forwarding.

Given everything is happening across the vmbr0 interface, I have proxy ndp disabled. The NIC is also not in promiscuous mode. I also have nonlocal binding disabled.



Code:
root@summit:~# cat /etc/*version*
12.7
root@summit:~# uname -r
6.8.12-2-pve
root@summit:~# sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1
root@summit:~# sysctl net.ipv6.conf.default.forwarding
net.ipv6.conf.default.forwarding = 1
root@summit:~# sysctl net.ipv6.conf.vmbr0.forwarding
net.ipv6.conf.vmbr0.forwarding = 1
root@summit:~# sysctl net.ipv6.ip_nonlocal_bind
net.ipv6.ip_nonlocal_bind = 0


Code:
root@summit:~# ip -6 r add blackhole xxx:xxx:4400::666/128
root@summit:~# ping6 xxx:xxx:4400::666
PING xxx:xxx:4400::666(xxx:xxx:4400::666) 56 data bytes
64 bytes from xxx:xxx:4400::666: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from xxx:xxx:4400::666: icmp_seq=2 ttl=64 time=0.029 ms
^C


I'm completely lost at this point; I don't understand the behavior where the system is responding to requests on IPs it's not listening on, or how it's responding to requests sent to addresses in the blackhole.
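An added illustration, not part of the post above and not a claim about what is wrong on this particular host: the symptom of answering for every address in a prefix, even one with a /128 blackhole in the main table, is what a Linux host shows when the local routing table, which the default policy rules consult before main, holds a local-type route covering the whole prefix (a /128 in main never gets a chance to win against a /44 in a table that is searched first). The script below is example code that emulates the rule walk over constructed `ip -6 rule show` and `ip -6 route show table <name>` output; the prefix is documentation space standing in for the poster's real /44, the route entries are invented for the example, and the emulation ignores metrics and other tie-breakers the kernel applies.

```python
import ipaddress
import re

# Constructed sample of `ip -6 rule show`: the stock policy, local table first.
SAMPLE_RULES = """\
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed sample dumps of `ip -6 route show table <name>`. The /44 route
# of type "local" is the hypothetical misconfiguration under discussion.
SAMPLE_TABLES = {
    "local": """\
local ::1 dev lo proto kernel metric 0 pref medium
local 2001:db8:4400::/44 dev lo proto bird metric 1024 pref medium
local 2001:db8:4400::1 dev vmbr0 proto kernel metric 0 pref medium
local fe80::1234:5678:9abc:def0 dev vmbr0 proto kernel metric 0 pref medium
multicast ff00::/8 dev vmbr0 proto kernel metric 256 pref medium
""",
    "main": """\
2001:db8:4400::/64 dev vmbr0 proto kernel metric 256 pref medium
blackhole 2001:db8:4400::666 dev lo metric 1024 pref medium
fe80::/64 dev vmbr0 proto kernel metric 256 pref medium
default via fe80::1 dev vmbr0 proto bird metric 1024 pref medium
""",
    "default": "",
}

ROUTE_TYPES = {"local", "blackhole", "unreachable", "prohibit",
               "anycast", "multicast", "unicast"}
LOCAL_DELIVERY = {"local", "anycast"}
DROP = {"blackhole", "unreachable", "prohibit"}


def parse_rules(text):
    """Return table names in the order the kernel consults them."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+from all lookup (\S+)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return [table for _, table in sorted(rules)]


def parse_routes(text):
    """Parse `ip -6 route show` lines into (type, network, dev, raw_line)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        rtype = fields.pop(0) if fields[0] in ROUTE_TYPES else "unicast"
        dst = "::/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(dst, strict=False)  # bare address -> /128
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((rtype, network, dev, line.strip()))
    return routes


def lookup(address, rules_text=SAMPLE_RULES, tables=SAMPLE_TABLES):
    """Walk the tables in rule order; the first table with any matching route
    wins, and within it the longest prefix wins. Returns
    (table, route_type, network, raw_line) or None."""
    addr = ipaddress.ip_address(address)
    for table in parse_rules(rules_text):
        hits = [r for r in parse_routes(tables.get(table, "")) if addr in r[1]]
        if hits:
            rtype, net, _dev, raw = max(hits, key=lambda r: r[1].prefixlen)
            return table, rtype, str(net), raw
    return None


def verdict(address, rules_text=SAMPLE_RULES, tables=SAMPLE_TABLES):
    """Human-readable outcome: delivered locally, dropped, or forwarded."""
    hit = lookup(address, rules_text, tables)
    if hit is None:
        return f"{address}: no route"
    table, rtype, _net, raw = hit
    if rtype in LOCAL_DELIVERY:
        outcome = "delivered locally"
    elif rtype in DROP:
        outcome = "dropped"
    else:
        outcome = "forwarded"
    return f"{address}: {outcome} via table {table} [{raw}]"


def wide_local_routes(local_table_text):
    """Local-type routes that cover more than one address: each of these makes
    the host answer for every address in the range, which is the check to run
    when a box responds on addresses it was never given."""
    return [str(net) for rtype, net, _dev, _raw in parse_routes(local_table_text)
            if rtype == "local" and net.prefixlen < 128]


if __name__ == "__main__":
    for target in ("2001:db8:4400::666", "2001:db8:4400::1", "2001:db8:4500::1"):
        print(verdict(target))
    print("prefix-wide local routes:", wide_local_routes(SAMPLE_TABLES["local"]))
```

On a real host the equivalent one-liners are `ip -6 rule show`, `ip -6 route show table local`, and `ip -6 route get <address>`; the last one prints `local` in its output when the kernel intends to deliver to itself rather than forward.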
