Yes, I means changing ipv6. Adding secondary IP, seems not adding second IPv6 also .
For my case now, the IPv6 ad MAC is not the same also : MAC: link/ether 1e:00:0d:00:01:ec brd ff:ff:ff:ff:ff:ff IPV6; inet6 x:x:x:x:1c00:dff:fe00:1ec/64 scope global mngtmpaddr dynamic valid_lft 2591848sec preferred_lft 604648sec inet6 fe80::1c00:dff:fe00:1ec/64 scope link It seems last 6 digit same, others is different. On Sat, May 1, 2021 at 3:03 PM Wido den Hollander <w...@widodh.nl> wrote: > > > On 5/1/21 8:48 AM, Hean Seng wrote: > > Hi Wido > > > > The issue solved . Need to configure ra in router vlan. Previously we > > set "ipv6 nd ra suppress" , for other systems to work, after change to > > Cloudstack, it need to remove this and make it have announcement of IPv6 > to > > VM. > > > > Yes. The Routers need to send IPv6 Router Advertisements in order to > have the VM configure itself and know where to send traffic to. > > > By the way, This way of configuring IPv6, if IPv6 need to change, how > can > > we replace this IPv6 ? > > > > I don't understand this question. Do you mean how to change the IPv6 > address of a VM? > > If so, that's not possible. You can add secondary IPs, but the primary > IP is based on the MAC of the VM. > > Wido > > > > > > > > > > > > > > > > > > > > > On Sat, May 1, 2021 at 2:37 PM Wido den Hollander <w...@widodh.nl> > wrote: > > > >> Can you check with tcpdump on the host and sniff the vnetX device of the > >> VM to see if you ICMPv6 packages reach the VM? > >> > >> Security Grouping with IPv6 works with KVM, so it has to be a > >> configuration issue somewhere. > >> > >> Wido > >> > >> On 4/30/21 8:59 PM, Hean Seng wrote: > >>> Hi > >>> > >>> I am using 4.15 , hypervisor is ubuntu 18 , KVM , yes, I am on advance > >> with > >>> SG > >>> > >>> I set the Security Group: > >>> > >>> ICMP > >>> -1 -1 ::/0 > >>> > >>> But seems still cannot ping the VM. > >>> > >>> Or even add in rules for ALL > >>> > >>> All . All ::/0 > >>> > >>> > >>> Seems not able to PING. > >>> > >>> > >>> After configure , this is the rules in ip6tables > >>> > >>> > >>> Chain i-2-10-VM (1 references) > >>> target prot opt source destination > >>> ACCEPT ipv6-icmp anywhere anywhere > >>> ACCEPT all anywhere anywhere state NEW > >>> DROP all anywhere anywhere > >>> > >>> > >>> > >>> > >>> Chain i-2-10-VM-eg (1 references) > >>> > >>> target prot opt source destination > >>> > >>> RETURN all anywhere anywhere > >>> > >>> > >>> Chain i-2-10-def (2 references) > >>> > >>> target prot opt source destination > >>> > >>> ACCEPT all anywhere anywhere state > >>> RELATED,ESTABLISHED > >>> > >>> ACCEPT ipv6-icmp fe80::/64 ip6-allnodes > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> router-advertisement HL match HL == 255 > >>> > >>> RETURN ipv6-icmp anywhere ip6-allrouters > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >> router-solicitation > >>> HL match HL == 255 > >>> > >>> DROP ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >> router-advertisement > >>> > >>> RETURN ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-solicitation HL match HL == 255 > >>> > >>> ACCEPT ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-solicitation HL match HL == 255 > >>> > >>> RETURN ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255 > >>> > >>> ACCEPT ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> neighbour-advertisement HL match HL == 255 > >>> > >>> RETURN ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > >>> match-set i-2-10-VM-6 src > >>> > >>> ACCEPT ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big > >>> > >>> RETURN ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > >>> destination-unreachable match-set i-2-10-VM-6 src > >>> > >>> ACCEPT ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >>> destination-unreachable > >>> > >>> RETURN ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded > >>> match-set i-2-10-VM-6 src > >>> > >>> ACCEPT ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded > >>> > >>> RETURN ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp > parameter-problem > >>> match-set i-2-10-VM-6 src > >>> > >>> ACCEPT ipv6-icmp anywhere anywhere > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp > >> parameter-problem > >>> > >>> RETURN ipv6-icmp anywhere ff02::16 > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged > >>> > >>> RETURN udp fe80::1c00:f6ff:fe00:56 ff02::1:2 > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client > >>> > >>> ACCEPT udp fe80::/64 fe80::1c00:f6ff:fe00:56 > PHYSDEV > >>> match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client > >>> > >>> DROP udp anywhere !fe80::/64 PHYSDEV > >> match > >>> --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server > >>> > >>> RETURN udp anywhere anywhere PHYSDEV > >> match > >>> --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set > >>> i-2-10-VM-6 src > >>> > >>> RETURN tcp anywhere anywhere PHYSDEV > >> match > >>> --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set > >>> i-2-10-VM-6 src > >>> > >>> DROP all anywhere anywhere PHYSDEV > >> match > >>> --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src > >>> > >>> i-2-10-VM-eg all anywhere anywhere > PHYSDEV > >>> match --physdev-in vnet3 --physdev-is-bridged match-set i-2-10-VM-6 src > >>> > >>> i-2-10-VM all anywhere anywhere PHYSDEV > >> match > >>> --physdev-out vnet3 --physdev-is-bridged > >>> > >>> > >>> > >>> > >>> > >>> On Sat, May 1, 2021 at 1:42 AM Gabriel Bräscher <gabrasc...@gmail.com> > >>> wrote: > >>> > >>>> Hi Hean, > >>>> > >>>> What version of CloudStack are you using? > >>>> > >>>> KVM does support IPv6 indeed when deploying Advanced Networking with > >>>> Security Groups (SG) enabled. > >>>> It should work fine. The only difference regarding setting IPv4 rules > >> for > >>>> SG is that the CIDR list is an IPv6 CIDR (e.g. cidrlist="::/0", > instead > >> of > >>>> cidrlist="0.0.0.0/0"). > >>>> > >>>> From what you mentioned it is probably missing SG Ingress rules for > IPv6 > >>>> and, by default, it is dropping all the IPv6 packages. > >>>> > >>>> Regards, > >>>> Gabriel. > >>>> > >>>> Em sex., 30 de abr. de 2021 às 12:17, Hean Seng <heans...@gmail.com> > >>>> escreveu: > >>>> > >>>>> We using share network, on Security Group, KVM . > >>>>> > >>>>> On Fri, Apr 30, 2021 at 6:28 PM Alex Mattioli < > >>>> alex.matti...@shapeblue.com > >>>>>> > >>>>> wrote: > >>>>> > >>>>>> Hi Hean, > >>>>>> > >>>>>> What type of network and hypervisor are you using? Also, which > version > >>>> of > >>>>>> ACS? > >>>>>> > >>>>>> Regards, > >>>>>> Alex > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>>> -----Original Message----- > >>>>>> From: Hean Seng <heans...@gmail.com> > >>>>>> Sent: 30 April 2021 08:34 > >>>>>> To: users@cloudstack.apache.org > >>>>>> Subject: IPv6 Issue in Cloudstack > >>>>>> > >>>>>> Hi > >>>>>> > >>>>>> I setup the IPv6 in VM. Outbound form VM is no issue, can ping all > >> the > >>>>>> Ipv6 ip outside . > >>>>>> > >>>>>> But Inboud th IPv6 IP in VM seems all not accessible . > >>>>>> > >>>>>> And seem there no Security Group to manange the IPv6 rules . The SG > is > >>>>>> only for IPv4. > >>>>>> > >>>>>> and I saw ipv6tables -L , there is a lot of rules there . Not sure > is > >>>>>> preconfigured by Cloudstack or Default Linux. And I guess that is > >>>>> blocking > >>>>>> access > >>>>>> > >>>>>> Anybody have experience on enabling IPv6 in Cloudstack VM and the > >>>>>> Ipv6table rules there ? > >>>>>> > >>>>>> > >>>>>> -- > >>>>>> Regards, > >>>>>> Hean Seng > >>>>>> > >>>>> > >>>>> > >>>>> -- > >>>>> Regards, > >>>>> Hean Seng > >>>>> > >>>> > >>> > >>> > >> > > > > > -- Regards, Hean Seng