Yes, I means changing ipv6.
Adding secondary IP, seems not adding second IPv6 also .
For my case now, the IPv6 ad MAC is not the same also :
MAC: link/ether 1e:00:0d:00:01:ec brd ff:ff:ff:ff:ff:ff
IPV6;
inet6 x:x:x:x:1c00:dff:fe00:1ec/64 scope global mngtmpaddr dynamic
valid_lft 2591848sec preferred_lft 604648sec
inet6 fe80::1c00:dff:fe00:1ec/64 scope link
It seems last 6 digit same, others is different.
On Sat, May 1, 2021 at 3:03 PM Wido den Hollander <w...@widodh.nl> wrote:
>
>
> On 5/1/21 8:48 AM, Hean Seng wrote:
> > Hi Wido
> >
> > The issue solved . Need to configure ra in router vlan. Previously we
> > set "ipv6 nd ra suppress" , for other systems to work, after change to
> > Cloudstack, it need to remove this and make it have announcement of IPv6
> to
> > VM.
> >
>
> Yes. The Routers need to send IPv6 Router Advertisements in order to
> have the VM configure itself and know where to send traffic to.
>
> > By the way, This way of configuring IPv6, if IPv6 need to change, how
> can
> > we replace this IPv6 ?
> >
>
> I don't understand this question. Do you mean how to change the IPv6
> address of a VM?
>
> If so, that's not possible. You can add secondary IPs, but the primary
> IP is based on the MAC of the VM.
>
> Wido
>
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On Sat, May 1, 2021 at 2:37 PM Wido den Hollander <w...@widodh.nl>
> wrote:
> >
> >> Can you check with tcpdump on the host and sniff the vnetX device of the
> >> VM to see if you ICMPv6 packages reach the VM?
> >>
> >> Security Grouping with IPv6 works with KVM, so it has to be a
> >> configuration issue somewhere.
> >>
> >> Wido
> >>
> >> On 4/30/21 8:59 PM, Hean Seng wrote:
> >>> Hi
> >>>
> >>> I am using 4.15 , hypervisor is ubuntu 18 , KVM , yes, I am on advance
> >> with
> >>> SG
> >>>
> >>> I set the Security Group:
> >>>
> >>> ICMP
> >>> -1 -1 ::/0
> >>>
> >>> But seems still cannot ping the VM.
> >>>
> >>> Or even add in rules for ALL
> >>>
> >>> All . All ::/0
> >>>
> >>>
> >>> Seems not able to PING.
> >>>
> >>>
> >>> After configure , this is the rules in ip6tables
> >>>
> >>>
> >>> Chain i-2-10-VM (1 references)
> >>> target prot opt source destination
> >>> ACCEPT ipv6-icmp anywhere anywhere
> >>> ACCEPT all anywhere anywhere state NEW
> >>> DROP all anywhere anywhere
> >>>
> >>>
> >>>
> >>>
> >>> Chain i-2-10-VM-eg (1 references)
> >>>
> >>> target prot opt source destination
> >>>
> >>> RETURN all anywhere anywhere
> >>>
> >>>
> >>> Chain i-2-10-def (2 references)
> >>>
> >>> target prot opt source destination
> >>>
> >>> ACCEPT all anywhere anywhere state
> >>> RELATED,ESTABLISHED
> >>>
> >>> ACCEPT ipv6-icmp fe80::/64 ip6-allnodes
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp
> >>> router-advertisement HL match HL == 255
> >>>
> >>> RETURN ipv6-icmp anywhere ip6-allrouters
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp
> >> router-solicitation
> >>> HL match HL == 255
> >>>
> >>> DROP ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp
> >> router-advertisement
> >>>
> >>> RETURN ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp
> >>> neighbour-solicitation HL match HL == 255
> >>>
> >>> ACCEPT ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp
> >>> neighbour-solicitation HL match HL == 255
> >>>
> >>> RETURN ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp
> >>> neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255
> >>>
> >>> ACCEPT ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp
> >>> neighbour-advertisement HL match HL == 255
> >>>
> >>> RETURN ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big
> >>> match-set i-2-10-VM-6 src
> >>>
> >>> ACCEPT ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big
> >>>
> >>> RETURN ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp
> >>> destination-unreachable match-set i-2-10-VM-6 src
> >>>
> >>> ACCEPT ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp
> >>> destination-unreachable
> >>>
> >>> RETURN ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded
> >>> match-set i-2-10-VM-6 src
> >>>
> >>> ACCEPT ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded
> >>>
> >>> RETURN ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp
> parameter-problem
> >>> match-set i-2-10-VM-6 src
> >>>
> >>> ACCEPT ipv6-icmp anywhere anywhere
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp
> >> parameter-problem
> >>>
> >>> RETURN ipv6-icmp anywhere ff02::16
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged
> >>>
> >>> RETURN udp fe80::1c00:f6ff:fe00:56 ff02::1:2
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client
> >>>
> >>> ACCEPT udp fe80::/64 fe80::1c00:f6ff:fe00:56
> PHYSDEV
> >>> match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client
> >>>
> >>> DROP udp anywhere !fe80::/64 PHYSDEV
> >> match
> >>> --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server
> >>>
> >>> RETURN udp anywhere anywhere PHYSDEV
> >> match
> >>> --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set
> >>> i-2-10-VM-6 src
> >>>
> >>> RETURN tcp anywhere anywhere PHYSDEV
> >> match
> >>> --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set
> >>> i-2-10-VM-6 src
> >>>
> >>> DROP all anywhere anywhere PHYSDEV
> >> match
> >>> --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src
> >>>
> >>> i-2-10-VM-eg all anywhere anywhere
> PHYSDEV
> >>> match --physdev-in vnet3 --physdev-is-bridged match-set i-2-10-VM-6 src
> >>>
> >>> i-2-10-VM all anywhere anywhere PHYSDEV
> >> match
> >>> --physdev-out vnet3 --physdev-is-bridged
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> On Sat, May 1, 2021 at 1:42 AM Gabriel Bräscher <gabrasc...@gmail.com>
> >>> wrote:
> >>>
> >>>> Hi Hean,
> >>>>
> >>>> What version of CloudStack are you using?
> >>>>
> >>>> KVM does support IPv6 indeed when deploying Advanced Networking with
> >>>> Security Groups (SG) enabled.
> >>>> It should work fine. The only difference regarding setting IPv4 rules
> >> for
> >>>> SG is that the CIDR list is an IPv6 CIDR (e.g. cidrlist="::/0",
> instead
> >> of
> >>>> cidrlist="0.0.0.0/0").
> >>>>
> >>>> From what you mentioned it is probably missing SG Ingress rules for
> IPv6
> >>>> and, by default, it is dropping all the IPv6 packages.
> >>>>
> >>>> Regards,
> >>>> Gabriel.
> >>>>
> >>>> Em sex., 30 de abr. de 2021 às 12:17, Hean Seng <heans...@gmail.com>
> >>>> escreveu:
> >>>>
> >>>>> We using share network, on Security Group, KVM .
> >>>>>
> >>>>> On Fri, Apr 30, 2021 at 6:28 PM Alex Mattioli <
> >>>> alex.matti...@shapeblue.com
> >>>>>>
> >>>>> wrote:
> >>>>>
> >>>>>> Hi Hean,
> >>>>>>
> >>>>>> What type of network and hypervisor are you using? Also, which
> version
> >>>> of
> >>>>>> ACS?
> >>>>>>
> >>>>>> Regards,
> >>>>>> Alex
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Hean Seng <heans...@gmail.com>
> >>>>>> Sent: 30 April 2021 08:34
> >>>>>> To: users@cloudstack.apache.org
> >>>>>> Subject: IPv6 Issue in Cloudstack
> >>>>>>
> >>>>>> Hi
> >>>>>>
> >>>>>> I setup the IPv6 in VM. Outbound form VM is no issue, can ping all
> >> the
> >>>>>> Ipv6 ip outside .
> >>>>>>
> >>>>>> But Inboud th IPv6 IP in VM seems all not accessible .
> >>>>>>
> >>>>>> And seem there no Security Group to manange the IPv6 rules . The SG
> is
> >>>>>> only for IPv4.
> >>>>>>
> >>>>>> and I saw ipv6tables -L , there is a lot of rules there . Not sure
> is
> >>>>>> preconfigured by Cloudstack or Default Linux. And I guess that is
> >>>>> blocking
> >>>>>> access
> >>>>>>
> >>>>>> Anybody have experience on enabling IPv6 in Cloudstack VM and the
> >>>>>> Ipv6table rules there ?
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Regards,
> >>>>>> Hean Seng
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Regards,
> >>>>> Hean Seng
> >>>>>
> >>>>
> >>>
> >>>
> >>
> >
> >
>
--
Regards,
Hean Seng
