New to IPv6, issues with routing

fendix

I have a dedicated server with 1x IPv4 and 1x IPv6/64. So far I have always used NAT for access, but now I want each VM to have its own IPv6 in Proxmox.

I cannot reach the Internet from my VM. I have already read through countless wikis on Google, but without success.

Proxmox Host

# /etc/network/interfaces
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp9s0
iface enp9s0 inet static
    address xx.xxx.xxx.229/26
    gateway xx.xxx.xxx.193
    up route add -net xx.xxx.xxx.192 netmask 255.255.255.192 gw xx.xxx.xxx.193 dev enp9s0

iface enp9s0 inet6 static
    address prefix::2
    netmask 64
    gateway fe80::1

auto vmbr0
iface vmbr0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o enp9s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o enp9s0 -j MASQUERADE

iface vmbr0 inet6 static
    address prefix::3
    netmask 64
    up ip -6 route add prefix::/64 dev enp9s0

/etc/sysctl.conf

root@ax41 ~ # sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@ax41 ~ # sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1

VM network config

auto lo
iface lo inet loopback

allow-hotplug ens18
iface ens18 inet static
    address 192.168.1.2/24
    gateway 192.168.1.1
    dns-nameservers 8.8.8.8 8.8.4.4

iface ens18 inet6 static
    address prefix::4
    netmask 64
    gateway prefix::3

Ping from VM to Gateway ::3 works. ::1 and ::2 outputs Destination unreachable: Address unreachable.

root@debian:~# ping prefix::1
PING prefix::1(prefix::1) 56 data bytes
From prefix::4 icmp_seq=1 Destination unreachable: Address unreachable
From prefix::4 icmp_seq=2 Destination unreachable: Address unreachable
From prefix::4 icmp_seq=3 Destination unreachable: Address unreachable

root@debian:~# ping prefix::2
PING prefix::2(prefix::2) 56 data bytes
From prefix::4 icmp_seq=1 Destination unreachable: Address unreachable
From prefix::4 icmp_seq=2 Destination unreachable: Address unreachable
From prefix::4 icmp_seq=3 Destination unreachable: Address unreachable

root@debian:~# ping prefix::3
PING prefix::3(prefix::3) 56 data bytes
64 bytes from prefix::3: icmp_seq=1 ttl=64 time=0.080 ms
64 bytes from prefix::3: icmp_seq=2 ttl=64 time=0.085 ms

ping6 google.com on VM and tcpdump -i vmbr0 ip6 results in:

root@ax41 ~ # tcpdump -i vmbr0 ip6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vmbr0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:24:26.880180 IP6 prefix::4 > hem08s07-in-x0e.1e100.net: ICMP6, echo request, id 61238, seq 20, length 64
21:24:27.904189 IP6 prefix::4 > hem08s07-in-x0e.1e100.net: ICMP6, echo request, id 61238, seq 21, length 64

root@debian:~# ping6 google.com
PING google.com(hem08s07-in-x0e.1e100.net (2a00:1450:4026:805::200e)) 56 data bytes
No further output...

Why am I not getting a response to my ping, although as far as I know everything is going out correctly. Has anyone had a similar problem or knows how to fix it?

kevinds

Can you get your provider to assign you a /56 or /48?

Are all the systems on the same layer2 network? Do they share an IPv4 /24? Can those ping each other?

fendix

@kevinds said:
Is anything using ::2 for example?

Can you get your provider to assign you a /56 or /48?

Only the Proxmox Host uses ::2. I'm not sure if Hetzner can do this for me.

kevinds

@fendix said:
Only the Proxmox Host uses ::2. I'm not sure if Hetzner can do this for me.

Find out/request it..

post-up echo 1 > /proc/sys/net/ipv4/ip_forward

Do you have something similar set for IPv6?

babywhale

im not sure if you can use ndppd for proxmox but id give it a look if i were you

fendix

@kevinds said:
Can you get your provider to assign you a /56 or /48?

Are all the systems on the same layer2 network? Do they share an IPv4 /24? Can those ping each other?

Yes. I can ping my internal IPs from Host and vice versa.

@kevinds said: Do you have something similar set for IPv6?

In /etc/sysctl.conf:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

@babywhale said:
im not sure if you can use ndppd for proxmox but id give it a look if i were you

I'll take a look at it, thanks

spiritlhl

If for Hetzner's Cloud, the following method for this project works, but unknown if it holds true on a dedicated server, you can check the relevant configurations to set up a dedicated server on your own after testing it on Cloud: https://www.spiritlhl.net/en/guide/pve/pve_install.html

vsys_host

Listen tcpdump on the physical interface of your bare metal, and check if icmp6 request from the VM goes outside

lowenduser1

I have a dedicated server with 1x IPv4 and 1x IPv6/64.

/64s are a bit pain. See if you can get a /48, it will make life easier and you can do all the cool IPv6 stuff. Have the outside interface on /48 and do some /64s to bridges. That should work right away. Sometimes IPv6 is not routed which is pain and it doesn't work, at that point you need to proxy arp the neighbors with something like ip -6 neigh add proxy

FatGrizzly

@yoursunny will help, god of v6.

fendix

Solved it by changing the netmask to /128 and changing the route up ip -6 route add prefix::/64 dev enp9s0 from prefix::/64 to prefix::2/64.

Thanks y'all