Re: IPv6 Issue in Cloudstack
Yes, I means changing ipv6. Adding secondary IP, seems not adding second IPv6 also . For my case now, the IPv6 ad MAC is not the same also : MAC: link/ether 1e:00:0d:00:01:ec brd ff:ff:ff:ff:ff:ff IPV6; inet6 x:x:x:x:1c00:dff:fe00:1ec/64 scope global mngtmpaddr dynamic valid_lft 2591848sec preferred_lft 604648sec inet6 fe80::1c00:dff:fe00:1ec/64 scope link It seems last 6 digit same, others is different. On Sat, May 1, 2021 at 3:03 PM Wido den Hollander wrote: > > > On 5/1/21 8:48 AM, Hean Seng wrote: > > Hi Wido > > > > The issue solved . Need to configure ra in router vlan. Previously we > > set "ipv6 nd ra suppress" , for other systems to work, after change to > > Cloudstack, it need to remove this and make it have announcement of IPv6 > to > > VM. > > > > Yes. The Routers need to send IPv6 Router Advertisements in order to > have the VM configure itself and know where to send traffic to. > > > By the way, This way of configuring IPv6, if IPv6 need to change, how > can > > we replace this IPv6 ? > > > > I don't understand this question. Do you mean how to change the IPv6 > address of a VM? > > If so, that's not possible. You can add secondary IPs, but the primary > IP is based on the MAC of the VM. > > Wido > > > > > > > > > > > > > > > > > > > > > On Sat, May 1, 2021 at 2:37 PM Wido den Hollander > wrote: > > > >> Can you check with tcpdump on the host and sniff the vnetX device of the > >> VM to see if you ICMPv6 packages reach the VM? > >> > >> Security Grouping with IPv6 works with KVM, so it has to be a > >> configuration issue somewhere. > >> > >> Wido > >> > >> On 4/30/21 8:59 PM, Hean Seng wrote: > >>> Hi > >>> > >>> I am using 4.15 , hypervisor is ubuntu 18 , KVM , yes, I am on advance > >> with > >>> SG > >>> > >>> I set the Security Group: > >>> > >>> ICMP > >>> -1 -1 ::/0 > >>> > >>> But seems still cannot ping the VM. > >>> > >>> Or even add in rules for ALL > >>> > >>> All . All ::/0 > >>> > >>> > >>> Seems not able to PING. > >>> > >>> > >>> After configure , this is the rules in ip6tables > >>> > >>> > >>> Chain i-2-10-VM (1 references) > >>> target prot opt source destination > >>> ACCEPT ipv6-icmpanywhere anywhere > >>> ACCEPT all anywhere anywhere state NEW > >>> DROP all anywhere anywhere > >>> > >>> > >>> > >>> > >>> Chain i-2-10-VM-eg (1 references) > >>> > >>> target prot opt source destination > >>> > >>> RETURN all anywhere anywhere > >>> > >>> > >>> Chain i-2-10-def (2 references) > >>> > >>> target prot opt source destination > >>> > >>> ACCEPT all anywhere anywhere state > >>> RELATED,ESTABLISHED > >>> > >>> ACCEPT ipv6-icmpfe80::/64ip6-allnodes > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> router-advertisement HL match HL == 255 > >>> > >>> RETURN ipv6-icmpanywhere ip6-allrouters > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >> router-solicitation > >>> HL match HL == 255 > >>> > >>> DROP ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >> router-advertisement > >>> > >>> RETURN ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-solicitation HL match HL == 255 > >>> > >>> ACCEPT ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-solicitation HL match HL == 255 > >>> > >>> RETURN ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255 > >>> > >>> ACCEPT ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-advertisement HL match HL == 255 > >>> > >>> RETURN ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > >>> match-set i-2-10-VM-6 src > >>> > >>> ACCEPT ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > >>> > >>> RETURN ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >>> destination-unreachable match-set i-2-10-VM-6 src > >>> > >>> ACCEPT ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> destination-unreachable > >>> > >>> RETURN ipv6-icmpanywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded >
Re: IPv6 Issue in Cloudstack
On 5/1/21 8:48 AM, Hean Seng wrote: > Hi Wido > > The issue solved . Need to configure ra in router vlan. Previously we > set "ipv6 nd ra suppress" , for other systems to work, after change to > Cloudstack, it need to remove this and make it have announcement of IPv6 to > VM. > Yes. The Routers need to send IPv6 Router Advertisements in order to have the VM configure itself and know where to send traffic to. > By the way, This way of configuring IPv6, if IPv6 need to change, how can > we replace this IPv6 ? > I don't understand this question. Do you mean how to change the IPv6 address of a VM? If so, that's not possible. You can add secondary IPs, but the primary IP is based on the MAC of the VM. Wido > > > > > > > > > > On Sat, May 1, 2021 at 2:37 PM Wido den Hollander wrote: > >> Can you check with tcpdump on the host and sniff the vnetX device of the >> VM to see if you ICMPv6 packages reach the VM? >> >> Security Grouping with IPv6 works with KVM, so it has to be a >> configuration issue somewhere. >> >> Wido >> >> On 4/30/21 8:59 PM, Hean Seng wrote: >>> Hi >>> >>> I am using 4.15 , hypervisor is ubuntu 18 , KVM , yes, I am on advance >> with >>> SG >>> >>> I set the Security Group: >>> >>> ICMP >>> -1 -1 ::/0 >>> >>> But seems still cannot ping the VM. >>> >>> Or even add in rules for ALL >>> >>> All . All ::/0 >>> >>> >>> Seems not able to PING. >>> >>> >>> After configure , this is the rules in ip6tables >>> >>> >>> Chain i-2-10-VM (1 references) >>> target prot opt source destination >>> ACCEPT ipv6-icmpanywhere anywhere >>> ACCEPT all anywhere anywhere state NEW >>> DROP all anywhere anywhere >>> >>> >>> >>> >>> Chain i-2-10-VM-eg (1 references) >>> >>> target prot opt source destination >>> >>> RETURN all anywhere anywhere >>> >>> >>> Chain i-2-10-def (2 references) >>> >>> target prot opt source destination >>> >>> ACCEPT all anywhere anywhere state >>> RELATED,ESTABLISHED >>> >>> ACCEPT ipv6-icmpfe80::/64ip6-allnodes PHYSDEV >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp >>> router-advertisement HL match HL == 255 >>> >>> RETURN ipv6-icmpanywhere ip6-allrouters PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp >> router-solicitation >>> HL match HL == 255 >>> >>> DROP ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp >> router-advertisement >>> >>> RETURN ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp >>> neighbour-solicitation HL match HL == 255 >>> >>> ACCEPT ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp >>> neighbour-solicitation HL match HL == 255 >>> >>> RETURN ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp >>> neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255 >>> >>> ACCEPT ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp >>> neighbour-advertisement HL match HL == 255 >>> >>> RETURN ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big >>> match-set i-2-10-VM-6 src >>> >>> ACCEPT ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big >>> >>> RETURN ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp >>> destination-unreachable match-set i-2-10-VM-6 src >>> >>> ACCEPT ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp >>> destination-unreachable >>> >>> RETURN ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded >>> match-set i-2-10-VM-6 src >>> >>> ACCEPT ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded >>> >>> RETURN ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem >>> match-set i-2-10-VM-6 src >>> >>> ACCEPT ipv6-icmpanywhere anywhere PHYSDEV >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp >> parameter-problem >>> >>> RETURN ipv6-icmpanywhere ff02::16 PHYSDEV >>> match --physdev-in vnet3
Re: IPv6 Issue in Cloudstack
Hi Wido The issue solved . Need to configure ra in router vlan. Previously we set "ipv6 nd ra suppress" , for other systems to work, after change to Cloudstack, it need to remove this and make it have announcement of IPv6 to VM. By the way, This way of configuring IPv6, if IPv6 need to change, how can we replace this IPv6 ? On Sat, May 1, 2021 at 2:37 PM Wido den Hollander wrote: > Can you check with tcpdump on the host and sniff the vnetX device of the > VM to see if you ICMPv6 packages reach the VM? > > Security Grouping with IPv6 works with KVM, so it has to be a > configuration issue somewhere. > > Wido > > On 4/30/21 8:59 PM, Hean Seng wrote: > > Hi > > > > I am using 4.15 , hypervisor is ubuntu 18 , KVM , yes, I am on advance > with > > SG > > > > I set the Security Group: > > > > ICMP > > -1 -1 ::/0 > > > > But seems still cannot ping the VM. > > > > Or even add in rules for ALL > > > > All . All ::/0 > > > > > > Seems not able to PING. > > > > > > After configure , this is the rules in ip6tables > > > > > > Chain i-2-10-VM (1 references) > > target prot opt source destination > > ACCEPT ipv6-icmpanywhere anywhere > > ACCEPT all anywhere anywhere state NEW > > DROP all anywhere anywhere > > > > > > > > > > Chain i-2-10-VM-eg (1 references) > > > > target prot opt source destination > > > > RETURN all anywhere anywhere > > > > > > Chain i-2-10-def (2 references) > > > > target prot opt source destination > > > > ACCEPT all anywhere anywhere state > > RELATED,ESTABLISHED > > > > ACCEPT ipv6-icmpfe80::/64ip6-allnodes PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > > router-advertisement HL match HL == 255 > > > > RETURN ipv6-icmpanywhere ip6-allrouters PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > router-solicitation > > HL match HL == 255 > > > > DROP ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > router-advertisement > > > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > > neighbour-solicitation HL match HL == 255 > > > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > > neighbour-solicitation HL match HL == 255 > > > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > > neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255 > > > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > > neighbour-advertisement HL match HL == 255 > > > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > > match-set i-2-10-VM-6 src > > > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > > > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > > destination-unreachable match-set i-2-10-VM-6 src > > > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > > destination-unreachable > > > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded > > match-set i-2-10-VM-6 src > > > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded > > > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem > > match-set i-2-10-VM-6 src > > > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > parameter-problem > > > > RETURN ipv6-icmpanywhere ff02::16 PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged > > > > RETURN udp fe80::1c00:f6ff:fe00:56 ff02::1:2PHYSDEV > > match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client > > > > ACCEPT udp fe80::/64fe80::1c00:f6ff:fe00:56 PHYSDEV > > match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client > > > > DROP udp anywhere!fe80::/64PHYSDEV > match > > --physdev-in
Re: IPv6 Issue in Cloudstack
Can you check with tcpdump on the host and sniff the vnetX device of the VM to see if you ICMPv6 packages reach the VM? Security Grouping with IPv6 works with KVM, so it has to be a configuration issue somewhere. Wido On 4/30/21 8:59 PM, Hean Seng wrote: > Hi > > I am using 4.15 , hypervisor is ubuntu 18 , KVM , yes, I am on advance with > SG > > I set the Security Group: > > ICMP > -1 -1 ::/0 > > But seems still cannot ping the VM. > > Or even add in rules for ALL > > All . All ::/0 > > > Seems not able to PING. > > > After configure , this is the rules in ip6tables > > > Chain i-2-10-VM (1 references) > target prot opt source destination > ACCEPT ipv6-icmpanywhere anywhere > ACCEPT all anywhere anywhere state NEW > DROP all anywhere anywhere > > > > > Chain i-2-10-VM-eg (1 references) > > target prot opt source destination > > RETURN all anywhere anywhere > > > Chain i-2-10-def (2 references) > > target prot opt source destination > > ACCEPT all anywhere anywhere state > RELATED,ESTABLISHED > > ACCEPT ipv6-icmpfe80::/64ip6-allnodes PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > router-advertisement HL match HL == 255 > > RETURN ipv6-icmpanywhere ip6-allrouters PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-solicitation > HL match HL == 255 > > DROP ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-advertisement > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > neighbour-solicitation HL match HL == 255 > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > neighbour-solicitation HL match HL == 255 > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255 > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > neighbour-advertisement HL match HL == 255 > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > match-set i-2-10-VM-6 src > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > destination-unreachable match-set i-2-10-VM-6 src > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > destination-unreachable > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded > match-set i-2-10-VM-6 src > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded > > RETURN ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem > match-set i-2-10-VM-6 src > > ACCEPT ipv6-icmpanywhere anywhere PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp parameter-problem > > RETURN ipv6-icmpanywhere ff02::16 PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged > > RETURN udp fe80::1c00:f6ff:fe00:56 ff02::1:2PHYSDEV > match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client > > ACCEPT udp fe80::/64fe80::1c00:f6ff:fe00:56 PHYSDEV > match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client > > DROP udp anywhere!fe80::/64PHYSDEV match > --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server > > RETURN udp anywhere anywhere PHYSDEV match > --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set > i-2-10-VM-6 src > > RETURN tcp anywhere anywhere PHYSDEV match > --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set > i-2-10-VM-6 src > > DROP all anywhere anywhere PHYSDEV match > --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src > > i-2-10-VM-eg all anywhere anywhere PHYSDEV >
Re: IPv6 Issue in Cloudstack
Hi I am using 4.15 , hypervisor is ubuntu 18 , KVM , yes, I am on advance with SG I set the Security Group: ICMP -1 -1 ::/0 But seems still cannot ping the VM. Or even add in rules for ALL All . All ::/0 Seems not able to PING. After configure , this is the rules in ip6tables Chain i-2-10-VM (1 references) target prot opt source destination ACCEPT ipv6-icmpanywhere anywhere ACCEPT all anywhere anywhere state NEW DROP all anywhere anywhere Chain i-2-10-VM-eg (1 references) target prot opt source destination RETURN all anywhere anywhere Chain i-2-10-def (2 references) target prot opt source destination ACCEPT all anywhere anywhere state RELATED,ESTABLISHED ACCEPT ipv6-icmpfe80::/64ip6-allnodes PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp router-advertisement HL match HL == 255 RETURN ipv6-icmpanywhere ip6-allrouters PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-solicitation HL match HL == 255 DROP ipv6-icmpanywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-advertisement RETURN ipv6-icmpanywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255 ACCEPT ipv6-icmpanywhere anywhere PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255 RETURN ipv6-icmpanywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255 ACCEPT ipv6-icmpanywhere anywhere PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement HL match HL == 255 RETURN ipv6-icmpanywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big match-set i-2-10-VM-6 src ACCEPT ipv6-icmpanywhere anywhere PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big RETURN ipv6-icmpanywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable match-set i-2-10-VM-6 src ACCEPT ipv6-icmpanywhere anywhere PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable RETURN ipv6-icmpanywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded match-set i-2-10-VM-6 src ACCEPT ipv6-icmpanywhere anywhere PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded RETURN ipv6-icmpanywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem match-set i-2-10-VM-6 src ACCEPT ipv6-icmpanywhere anywhere PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp parameter-problem RETURN ipv6-icmpanywhere ff02::16 PHYSDEV match --physdev-in vnet3 --physdev-is-bridged RETURN udp fe80::1c00:f6ff:fe00:56 ff02::1:2PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client ACCEPT udp fe80::/64fe80::1c00:f6ff:fe00:56 PHYSDEV match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client DROP udp anywhere!fe80::/64PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server RETURN udp anywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set i-2-10-VM-6 src RETURN tcp anywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set i-2-10-VM-6 src DROP all anywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src i-2-10-VM-eg all anywhere anywhere PHYSDEV match --physdev-in vnet3 --physdev-is-bridged match-set i-2-10-VM-6 src i-2-10-VM all anywhere anywhere PHYSDEV match --physdev-out vnet3 --physdev-is-bridged On Sat, May 1, 2021 at 1:42 AM Gabriel Bräscher wrote: > Hi Hean, > > What version of CloudStack are you using? > > KVM does support IPv6 indeed when deploying Advanced Networking with > Security Groups (SG) enabled. > It should work fine. The only difference regarding setting IPv4 rules for > SG is that the CIDR
Re: IPv6 Issue in Cloudstack
We using share network, on Security Group, KVM . On Fri, Apr 30, 2021 at 6:28 PM Alex Mattioli wrote: > Hi Hean, > > What type of network and hypervisor are you using? Also, which version of > ACS? > > Regards, > Alex > > > > > > -Original Message- > From: Hean Seng > Sent: 30 April 2021 08:34 > To: users@cloudstack.apache.org > Subject: IPv6 Issue in Cloudstack > > Hi > > I setup the IPv6 in VM. Outbound form VM is no issue, can ping all the > Ipv6 ip outside . > > But Inboud th IPv6 IP in VM seems all not accessible . > > And seem there no Security Group to manange the IPv6 rules . The SG is > only for IPv4. > > and I saw ipv6tables -L , there is a lot of rules there . Not sure is > preconfigured by Cloudstack or Default Linux. And I guess that is blocking > access > > Anybody have experience on enabling IPv6 in Cloudstack VM and the > Ipv6table rules there ? > > > -- > Regards, > Hean Seng > -- Regards, Hean Seng
RE: IPv6 Issue in Cloudstack
Hi Hean, What type of network and hypervisor are you using? Also, which version of ACS? Regards, Alex -Original Message- From: Hean Seng Sent: 30 April 2021 08:34 To: users@cloudstack.apache.org Subject: IPv6 Issue in Cloudstack Hi I setup the IPv6 in VM. Outbound form VM is no issue, can ping all the Ipv6 ip outside . But Inboud th IPv6 IP in VM seems all not accessible . And seem there no Security Group to manange the IPv6 rules . The SG is only for IPv4. and I saw ipv6tables -L , there is a lot of rules there . Not sure is preconfigured by Cloudstack or Default Linux. And I guess that is blocking access Anybody have experience on enabling IPv6 in Cloudstack VM and the Ipv6table rules there ? -- Regards, Hean Seng