Hi Wido

The issue is solved. We needed to configure RA in the router VLAN. Previously we
set "ipv6 nd ra suppress" for other systems to work; after the change to
CloudStack, we need to remove this so that IPv6 is announced to the
VM.

By the way, with this way of configuring IPv6, if the IPv6 needs to change, how can
we replace this IPv6?

On Sat, May 1, 2021 at 2:37 PM Wido den Hollander <[email protected]> wrote:

> Can you check with tcpdump on the host and sniff the vnetX device of the
> VM to see if your ICMPv6 packets reach the VM?
>
> Security Grouping with IPv6 works with KVM, so it has to be a
> configuration issue somewhere.
>
> Wido
>
> On 4/30/21 8:59 PM, Hean Seng wrote:
> > Hi
> >
> > I am using 4.15, hypervisor is Ubuntu 18, KVM. Yes, I am on Advanced
> > with SG.
> >
> > I set the Security Group:
> >
> > ICMP
> > -1 -1 ::/0
> >
> > But it seems I still cannot ping the VM.
> >
> > Or even add in rules for ALL
> >
> > All     .  All               ::/0
> >
> > It seems I am not able to ping.
> >
> >
> > After configuring, these are the rules in ip6tables:
> >
> >
> > Chain i-2-10-VM (1 references)
> > target     prot opt source               destination
> > ACCEPT     ipv6-icmp    anywhere             anywhere
> > ACCEPT     all      anywhere             anywhere             state NEW
> > DROP       all      anywhere             anywhere
> >
> > Chain i-2-10-VM-eg (1 references)
> > target     prot opt source               destination
> > RETURN     all      anywhere             anywhere
> >
> > Chain i-2-10-def (2 references)
> > target     prot opt source               destination
> > ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
> > ACCEPT     ipv6-icmp    fe80::/64            ip6-allnodes         PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp router-advertisement HL match HL == 255
> > RETURN     ipv6-icmp    anywhere             ip6-allrouters       PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-solicitation HL match HL == 255
> > DROP       ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-advertisement
> > RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
> > ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
> > RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255
> > ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement HL match HL == 255
> > RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big match-set i-2-10-VM-6 src
> > ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big
> > RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable match-set i-2-10-VM-6 src
> > ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable
> > RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded match-set i-2-10-VM-6 src
> > ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded
> > RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem match-set i-2-10-VM-6 src
> > ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp parameter-problem
> > RETURN     ipv6-icmp    anywhere             ff02::16             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
> > RETURN     udp      fe80::1c00:f6ff:fe00:56  ff02::1:2            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client
> > ACCEPT     udp      fe80::/64            fe80::1c00:f6ff:fe00:56  PHYSDEV match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client
> > DROP       udp      anywhere            !fe80::/64            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server
> > RETURN     udp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set i-2-10-VM-6 src
> > RETURN     tcp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set i-2-10-VM-6 src
> > DROP       all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src
> > i-2-10-VM-eg  all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged match-set i-2-10-VM-6 src
> > i-2-10-VM  all      anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged
> >
> > On Sat, May 1, 2021 at 1:42 AM Gabriel Bräscher <[email protected]>
> > wrote:
> >
> >> Hi Hean,
> >>
> >> What version of CloudStack are you using?
> >>
> >> KVM does support IPv6 indeed when deploying Advanced Networking with
> >> Security Groups (SG) enabled.
> >> It should work fine. The only difference regarding setting IPv4 rules for
> >> SG is that the CIDR list is an IPv6 CIDR (e.g. cidrlist="::/0", instead of
> >> cidrlist="0.0.0.0/0").
> >>
> >> From what you mentioned it is probably missing SG Ingress rules for IPv6
> >> and, by default, it is dropping all the IPv6 packets.
> >>
> >> Regards,
> >> Gabriel.
> >>
> >> On Fri, Apr 30, 2021 at 12:17, Hean Seng <[email protected]> wrote:
> >>
> >>> We are using a shared network, on Security Group, KVM.
> >>>
> >>> On Fri, Apr 30, 2021 at 6:28 PM Alex Mattioli <[email protected]> wrote:
> >>>
> >>>> Hi Hean,
> >>>>
> >>>> What type of network and hypervisor are you using? Also, which version of
> >>>> ACS?
> >>>>
> >>>> Regards,
> >>>> Alex
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: Hean Seng <[email protected]>
> >>>> Sent: 30 April 2021 08:34
> >>>> To: [email protected]
> >>>> Subject: IPv6 Issue in Cloudstack
> >>>>
> >>>> Hi
> >>>>
> >>>> I set up IPv6 in the VM. Outbound from the VM is no issue; it can ping all
> >>>> the IPv6 IPs outside.
> >>>>
> >>>> But inbound, the IPv6 IP in the VM seems not accessible at all.
> >>>>
> >>>> And it seems there is no Security Group to manage the IPv6 rules. The SG is
> >>>> only for IPv4.
> >>>>
> >>>> And I saw in ip6tables -L that there are a lot of rules there. Not sure if
> >>>> they are preconfigured by CloudStack or default Linux. And I guess that is
> >>>> blocking access.
> >>>>
> >>>> Does anybody have experience with enabling IPv6 in a CloudStack VM and the
> >>>> ip6tables rules there?
> >>>>
> >>>>
> >>>> --
> >>>> Regards,
> >>>> Hean Seng
> >>>>
> >>>
> >>>
> >>> --
> >>> Regards,
> >>> Hean Seng
> >>>
> >>
> >
> >
>


-- 
Regards,
Hean Seng
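
The router advertisements re-enabled above reach the VM only if they also match the router-advertisement ACCEPT rule in the quoted i-2-10-def chain. As an added example (not part of the original thread and not CloudStack code), this Python sketch applies that rule's three conditions, source in fe80::/64, destination ip6-allnodes and hop limit 255, to a raw IPv6 packet such as one captured on the vnetX device. The function names and sample packets are constructed, and it assumes no IPv6 extension headers.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.ip_network("fe80::/64")
ALL_NODES = ipaddress.ip_address("ff02::1")  # shown as "ip6-allnodes" in the listing
ICMPV6, ROUTER_ADVERT = 58, 134


def check_ra(packet: bytes):
    """Return (accepted, reason), mirroring the RA ACCEPT rule in i-2-10-def."""
    if len(packet) < 41 or packet[0] >> 4 != 6:
        return False, "not an IPv6 packet"
    next_header, hop_limit = packet[6], packet[7]
    src = ipaddress.ip_address(packet[8:24])
    dst = ipaddress.ip_address(packet[24:40])
    # Assumption: ICMPv6 follows the fixed header directly (no extension headers).
    if next_header != ICMPV6 or packet[40] != ROUTER_ADVERT:
        return False, "not a router advertisement"
    if src not in LINK_LOCAL:
        return False, f"source {src} is outside fe80::/64"
    if dst != ALL_NODES:
        return False, f"destination {dst} is not ff02::1"
    if hop_limit != 255:
        return False, f"hop limit {hop_limit} != 255"
    return True, "matches the router-advertisement ACCEPT rule"


def build_ra(src, dst="ff02::1", hop_limit=255):
    """Constructed sample: minimal RA, checksum left at zero (not validated here)."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return (header + ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed + icmp)


if __name__ == "__main__":
    samples = {
        "router link-local RA": build_ra("fe80::1"),
        "RA from a global address": build_ra("2001:db8::1"),
        "RA forwarded off-link (hop limit 64)": build_ra("fe80::1", hop_limit=64),
    }
    for name, pkt in samples.items():
        print(f"{name}: {check_ra(pkt)}")
```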
