On 5/1/21 8:48 AM, Hean Seng wrote:
> Hi Wido
> 
> The issue is solved. Need to configure RA in the router VLAN. Previously we
> set "ipv6 nd ra suppress" for other systems to work; after the change to
> CloudStack, it needs to be removed so that IPv6 is announced to the
> VM.
> 

Yes. The Routers need to send IPv6 Router Advertisements in order to
have the VM configure itself and know where to send traffic to.

> By the way, with this way of configuring IPv6, if the IPv6 needs to change,
> how can we replace this IPv6?
> 

I don't understand this question. Do you mean how to change the IPv6
address of a VM?

If so, that's not possible. You can add secondary IPs, but the primary
IP is based on the MAC of the VM.

Wido

> 
> On Sat, May 1, 2021 at 2:37 PM Wido den Hollander <w...@widodh.nl> wrote:
> 
>> Can you check with tcpdump on the host and sniff the vnetX device of the
>> VM to see if your ICMPv6 packets reach the VM?
>>
>> Security Grouping with IPv6 works with KVM, so it has to be a
>> configuration issue somewhere.
>>
>> Wido
>>
>> On 4/30/21 8:59 PM, Hean Seng wrote:
>>> Hi
>>>
>>> I am using 4.15, hypervisor is Ubuntu 18, KVM; yes, I am on advanced with
>>> SG
>>>
>>> I set the Security Group:
>>>
>>> ICMP
>>> -1 -1 ::/0
>>>
>>> But it seems I still cannot ping the VM.
>>>
>>> Or even adding a rule for ALL
>>>
>>> All     .  All               ::/0
>>>
>>> Seems not able to PING.
>>>
>>> After configuring, these are the rules in ip6tables
>>>
>>>
>>> Chain i-2-10-VM (1 references)
>>> target     prot opt source               destination
>>> ACCEPT     ipv6-icmp    anywhere             anywhere
>>> ACCEPT     all      anywhere             anywhere             state NEW
>>> DROP       all      anywhere             anywhere
>>>
>>> Chain i-2-10-VM-eg (1 references)
>>> target     prot opt source               destination
>>> RETURN     all      anywhere             anywhere
>>>
>>> Chain i-2-10-def (2 references)
>>> target     prot opt source               destination
>>> ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
>>> ACCEPT     ipv6-icmp    fe80::/64            ip6-allnodes         PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp router-advertisement HL match HL == 255
>>> RETURN     ipv6-icmp    anywhere             ip6-allrouters       PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-solicitation HL match HL == 255
>>> DROP       ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-advertisement
>>> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
>>> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
>>> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255
>>> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement HL match HL == 255
>>> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big match-set i-2-10-VM-6 src
>>> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big
>>> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable match-set i-2-10-VM-6 src
>>> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable
>>> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded match-set i-2-10-VM-6 src
>>> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded
>>> RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem match-set i-2-10-VM-6 src
>>> ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp parameter-problem
>>> RETURN     ipv6-icmp    anywhere             ff02::16             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
>>> RETURN     udp      fe80::1c00:f6ff:fe00:56  ff02::1:2            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client
>>> ACCEPT     udp      fe80::/64            fe80::1c00:f6ff:fe00:56  PHYSDEV match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client
>>> DROP       udp      anywhere            !fe80::/64            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server
>>> RETURN     udp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set i-2-10-VM-6 src
>>> RETURN     tcp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set i-2-10-VM-6 src
>>> DROP       all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src
>>> i-2-10-VM-eg  all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged match-set i-2-10-VM-6 src
>>> i-2-10-VM  all      anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged
>>>
>>>
>>>
>>>
>>>
>>> On Sat, May 1, 2021 at 1:42 AM Gabriel Bräscher <gabrasc...@gmail.com>
>>> wrote:
>>>
>>>> Hi Hean,
>>>>
>>>> What version of CloudStack are you using?
>>>>
>>>> KVM does support IPv6 indeed when deploying Advanced Networking with
>>>> Security Groups (SG) enabled.
>>>> It should work fine. The only difference regarding setting IPv4 rules for
>>>> SG is that the CIDR list is an IPv6 CIDR (e.g. cidrlist="::/0", instead of
>>>> cidrlist="0.0.0.0/0").
>>>>
>>>> From what you mentioned it is probably missing SG Ingress rules for IPv6
>>>> and, by default, it is dropping all the IPv6 packets.
>>>>
>>>> Regards,
>>>> Gabriel.
>>>>
>>>> On Fri, Apr 30, 2021 at 12:17, Hean Seng <heans...@gmail.com>
>>>> wrote:
>>>>
>>>>> We are using a shared network, on Security Group, KVM.
>>>>>
>>>>> On Fri, Apr 30, 2021 at 6:28 PM Alex Mattioli <alex.matti...@shapeblue.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Hean,
>>>>>>
>>>>>> What type of network and hypervisor are you using? Also, which version of
>>>>>> ACS?
>>>>>>
>>>>>> Regards,
>>>>>> Alex
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Hean Seng <heans...@gmail.com>
>>>>>> Sent: 30 April 2021 08:34
>>>>>> To: users@cloudstack.apache.org
>>>>>> Subject: IPv6 Issue in Cloudstack
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> I set up IPv6 in the VM. Outbound from the VM is no issue; it can ping all the
>>>>>> IPv6 IPs outside.
>>>>>>
>>>>>> But inbound, the IPv6 IP in the VM seems not accessible at all.
>>>>>>
>>>>>> And it seems there is no Security Group to manage the IPv6 rules. The SG is
>>>>>> only for IPv4.
>>>>>>
>>>>>> And I saw in ipv6tables -L there are a lot of rules. Not sure if they are
>>>>>> preconfigured by CloudStack or default Linux. And I guess that is blocking
>>>>>> access.
>>>>>>
>>>>>> Does anybody have experience with enabling IPv6 in a CloudStack VM and the
>>>>>> Ipv6table rules there?
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Hean Seng
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Hean Seng
>>>>>
>>>>
>>>
>>>
>>
> 
> 
