Can you check with tcpdump on the host and sniff the vnetX device of the
VM to see if your ICMPv6 packages reach the VM?

Security Grouping with IPv6 works with KVM, so it has to be a
configuration issue somewhere.

Wido

On 4/30/21 8:59 PM, Hean Seng wrote:
> Hi
> 
> I am using 4.15, hypervisor is Ubuntu 18, KVM, yes, I am on advance with SG
> 
> I set the Security Group:
> 
> ICMP
> -1 -1 ::/0
> 
> But seems still cannot ping the VM.
> 
> Or even add in rules for ALL
> 
> All     .  All               ::/0
> 
> 
> Seems not able to PING.
> 
> 
> After configure , this is the rules in ip6tables
> 
> 
> Chain i-2-10-VM (1 references)
> target     prot opt source               destination
> ACCEPT     ipv6-icmp    anywhere             anywhere
> ACCEPT     all      anywhere             anywhere             state NEW
> DROP       all      anywhere             anywhere
>
> Chain i-2-10-VM-eg (1 references)
> target     prot opt source               destination
> RETURN     all      anywhere             anywhere
>
> Chain i-2-10-def (2 references)
> target     prot opt source               destination
> ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
> ACCEPT     ipv6-icmp    fe80::/64            ip6-allnodes         PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp router-advertisement HL match HL == 255
> RETURN     ipv6-icmp    anywhere             ip6-allrouters       PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-solicitation HL match HL == 255
> DROP       ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-advertisement
> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255
> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement HL match HL == 255
> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big match-set i-2-10-VM-6 src
> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big
> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable match-set i-2-10-VM-6 src
> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable
> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded match-set i-2-10-VM-6 src
> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded
> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem match-set i-2-10-VM-6 src
> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp parameter-problem
> RETURN     ipv6-icmp    anywhere             ff02::16             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
> RETURN     udp      fe80::1c00:f6ff:fe00:56  ff02::1:2            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client
> ACCEPT     udp      fe80::/64            fe80::1c00:f6ff:fe00:56  PHYSDEV match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client
> DROP       udp      anywhere            !fe80::/64            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server
> RETURN     udp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set i-2-10-VM-6 src
> RETURN     tcp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set i-2-10-VM-6 src
> DROP       all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src
> i-2-10-VM-eg  all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged match-set i-2-10-VM-6 src
> i-2-10-VM  all      anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged
> 
> On Sat, May 1, 2021 at 1:42 AM Gabriel Bräscher <gabrasc...@gmail.com>
> wrote:
> 
>> Hi Hean,
>>
>> What version of CloudStack are you using?
>>
>> KVM does support IPv6 indeed when deploying Advanced Networking with
>> Security Groups (SG) enabled.
>> It should work fine. The only difference regarding setting IPv4 rules for
>> SG is that the CIDR list is an IPv6 CIDR (e.g. cidrlist="::/0", instead of
>> cidrlist="0.0.0.0/0").
>>
>> From what you mentioned it is probably missing SG Ingress rules for IPv6
>> and, by default, it is dropping all the IPv6 packages.
>>
>> Regards,
>> Gabriel.
>>
>> On Fri, Apr 30, 2021 at 12:17, Hean Seng <heans...@gmail.com>
>> wrote:
>>
>>> We are using a shared network, on Security Group, KVM.
>>>
>>> On Fri, Apr 30, 2021 at 6:28 PM Alex Mattioli <alex.matti...@shapeblue.com>
>>> wrote:
>>>
>>>> Hi Hean,
>>>>
>>>> What type of network and hypervisor are you using? Also, which version of
>>>> ACS?
>>>>
>>>> Regards,
>>>> Alex
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Hean Seng <heans...@gmail.com>
>>>> Sent: 30 April 2021 08:34
>>>> To: users@cloudstack.apache.org
>>>> Subject: IPv6 Issue in Cloudstack
>>>>
>>>> Hi
>>>>
>>>> I setup the IPv6 in VM. Outbound from VM is no issue, can ping all the
>>>> IPv6 IP outside.
>>>>
>>>> But inbound, the IPv6 IP in VM seems all not accessible.
>>>>
>>>> And it seems there is no Security Group to manage the IPv6 rules. The SG is
>>>> only for IPv4.
>>>>
>>>> And I saw ipv6tables -L, there are a lot of rules there. Not sure if it is
>>>> preconfigured by Cloudstack or default Linux. And I guess that is blocking
>>>> access.
>>>>
>>>> Anybody have experience on enabling IPv6 in Cloudstack VM and the
>>>> Ipv6table rules there?
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Hean Seng
>>>>
>>>
>>>
>>> --
>>> Regards,
>>> Hean Seng
>>>
>>
> 
> 
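Added example, not part of the thread or of CloudStack: one way to act on the tcpdump suggestion and pair it with the per-rule packet counters of the `i-2-10-VM` ingress chain, to tell whether ping traffic is accepted by the security group, dropped by it, or never arrives. The `vnet3` device and chain name come from the listing quoted above; the counter listing embedded in the script is constructed, and the verdict labels are hypothetical.

```shell
#!/bin/sh
# On the KVM host (as root), while pinging the VM's IPv6 address from outside:
#   tcpdump -ni vnet3 icmp6          # do the echo requests reach the VM's tap device?
#   ip6tables -L i-2-10-VM -v -n -x  # per-rule packet counters of the ingress chain
# Then pipe the second command into diagnose:
#   ip6tables -L i-2-10-VM -v -n -x | diagnose

# Constructed sample of that counter listing (not captured from the thread).
sample_chain() {
cat <<'EOF'
Chain i-2-10-VM (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     ipv6-icmp    *      *       ::/0                 ::/0
       0        0 ACCEPT     all      *      *       ::/0                 ::/0                 state NEW
       0        0 DROP       all      *      *       ::/0                 ::/0
EOF
}

# Reads the listing on stdin; prints "accept=<pkts> drop=<pkts>".
# accept: packets counted by ACCEPT rules for ICMPv6 (protocol name varies by version).
# drop:   packets counted by DROP rules in the chain (any protocol).
icmp6_counters() {
  awk '
    $1 !~ /^[0-9]+$/ { next }    # skip the "Chain" and column header lines
    $3 == "ACCEPT" && ($4 == "ipv6-icmp" || $4 == "icmpv6" || $4 == "58") { a += $1 }
    $3 == "DROP" { d += $1 }
    END { printf "accept=%d drop=%d\n", a, d }'
}

# Hypothetical verdict labels, chosen for this example.
diagnose() {
  counts=$(icmp6_counters)
  accept=${counts#accept=}; accept=${accept%% *}
  drop=${counts##*drop=}
  if [ "$accept" -gt 0 ]; then
    echo "accepted-by-sg"        # SG lets ping in: look at the guest's own firewall
  elif [ "$drop" -gt 0 ]; then
    echo "dropped-by-sg"         # ingress rule missing or not applied
  else
    echo "not-reaching-chain"    # nothing arrived: check routing / neighbour discovery
  fi
}

sample_chain | diagnose
```

Zero the counters first with `ip6tables -Z i-2-10-VM` so that only the test pings are counted.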
