Hello,
I've been trying to add ipv6 connectivity to a vm in kvm with libvirt, starting with the default NAT ipv4 virtual network.
ipv6 works fine on the host.
The ipv4 nat to the vm (named "test0") works.
I first tried to add an ipv6 block into the default network configuration, but since NAT with ipv6 sounds weird, and I wanted to make sure it wasn't the source of my problems, I created a second network "ipv6bridge", using this ipv6-only configuration:
Code:
<network>
  <name>ipv6bridge</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:b5:04:bf'/>
  <forward mode="route" />
  <ip family='ipv6' address='<my ipv6 block>::' prefix='120'>
    <dhcp>
      <range start='<my ipv6 block>::10' end='<my ipv6 block>::ff'/>
      <host id='<the host id for ipv6>' name='test0' ip='<my ipv6 block>::10'/>
    </dhcp>
  </ip>
</network>
But with both (ipv6 in default NAT, or ipv6bridge network), I get the same error when I start them (using virsh net-start <network-name>):
Code:
error: Failed to start network ipv6bridge
error: internal error: Check the host setup: enabling IPv6 forwarding with RA routes without accept_ra set to 2 is likely to cause routes loss. Interfaces to look at: eno1
So I guess this is about packet forwarding and not about converting the ancient Egyptian god.
I can change it using sysctl, but I don't manage to make it persistent through reboot, not even by putting it in the sysctl.conf file or sysctl.d.
There is no trace of it in the syslog, and the command netplan apply seems to reset any change I make with sysctl, so I guess netplan erases at boot any change I make.
Otherwise, if I set in netplan
eno1:
  accept_ra: false
The value of net.ipv6.conf.eno1.accept_ra will still be 0, but virsh won't complain while starting the network, which is completely counterintuitive.
Anyway, if I go further, by forcing sysctl -w net.ipv6.conf.eno1.accept_ra=2
the virtual network seems to work and gives the right ipv6 address to the vm, as shown by the virsh net-dhcp-leases command:
Code:
Expiry Time MAC address Protocol IP address Hostname Client ID or DUID
---------------------------------------------------------------------------------------------------------------------------------------
2021-05-30 14:57:22 52:54:00:79:3d:43 ipv6 <my ipv6 block>::10/120 test0 00:02:00:00:ab:11:48:86:57:70:35:90:a2:ed
The "ip -6 route show" command also shows that libvirt did its job by creating the route:
Code:
<my ipv6 block>::/120 dev virbr1 proto kernel metric 256 pref medium
The guest VM has its second interface set to the right ip, as shown by ifconfig:
Code:
enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::5054:ff:fe79:3d43 prefixlen 64 scopeid 0x20<link>
inet6 <my ipv6 block>::10 prefixlen 128 scopeid 0x0<global>
ether 52:54:00:79:3d:43 txqueuelen 1000 (Ethernet)
RX packets 157 bytes 9189 (9.1 KB)
RX errors 0 dropped 141 overruns 0 frame 0
TX packets 20 bytes 1879 (1.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
But it won't have any connectivity, pinging the host or google won't do anything.
Trying to ping the guest from the host, I get
PING <my ipv6 block>::10(<my ipv6 block>::10) 56 data bytes
From <my ipv6 block>:ff:ff:ff:fd icmp_seq=1 Destination unreachable: Address unreachable
Trying a traceroute, even with forcing the virbr1 interface, it will send packets to the outside.
ip6tables -L outputs :
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_INP all anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LIBVIRT_FWX all anywhere anywhere
LIBVIRT_FWI all anywhere anywhere
LIBVIRT_FWO all anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_OUT all anywhere anywhere
Chain LIBVIRT_FWI (1 references)
target prot opt source destination
ACCEPT all anywhere <my ipv6 block>::/120
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain LIBVIRT_FWO (1 references)
target prot opt source destination
ACCEPT all <my ipv6 block>::/120 anywhere
REJECT all anywhere anywhere reject-with icmp6-port-unreachable
Chain LIBVIRT_FWX (1 references)
target prot opt source destination
ACCEPT all anywhere anywhere
Chain LIBVIRT_INP (1 references)
target prot opt source destination
ACCEPT udp anywhere anywhere udp dpt:dhcpv6-server
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT tcp anywhere anywhere tcp dpt:domain
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp anywhere anywhere udp dpt:dhcpv6-client
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT tcp anywhere anywhere tcp dpt:domain
That's as far as I go.
When I try to define virbr1 in netplan, libvirt will refuse to start, it seems it wants to create it itself.
I guess there's something about setting forwarding in eno1 and virbr1, but I don't know if I can do it in Netplan, especially if libvirt creates virbr1 afterwards.
Thanks in advance if you can provide me with any explanation.
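Added example, not part of the original post and not libvirt's own code: a read-only shell check that mirrors the condition named in the error message above, listing interfaces that hold RA-learned IPv6 routes while accept_ra is not 2. The sample route listing is constructed (2001:db8:: documentation prefix), and the function names and the optional conf_root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (assumed names, constructed data): find interfaces whose
# RA-learned routes would stop being refreshed once IPv6 forwarding is on.
# Kernel semantics: accept_ra=1 is ignored while forwarding is enabled,
# accept_ra=2 keeps accepting router advertisements even when forwarding.

# Constructed sample of `ip -6 route show` output.
SAMPLE_ROUTES='2001:db8:1::/64 dev eno1 proto ra metric 100 expires 86000sec pref medium
2001:db8:2::/120 dev virbr1 proto kernel metric 256 pref medium
fe80::/64 dev eno1 proto kernel metric 256 pref medium
default via fe80::1 dev eno1 proto ra metric 100 expires 1700sec pref medium'

# Read a route listing on stdin and print each device that has at least
# one route installed from a router advertisement ("proto ra"), once.
ra_route_ifaces() {
    awk '{
        dev = ""; ra = 0
        for (i = 1; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "proto" && $(i + 1) == "ra") ra = 1
        }
        if (ra && dev != "" && !seen[dev]++) print dev
    }'
}

# Usage: ra_forwarding_risk [conf_root] < route_listing
# conf_root defaults to the live sysctl tree; a fixture directory with
# <iface>/accept_ra files can be passed instead (hypothetical parameter).
# Prints "iface accept_ra=N" per interface at risk; returns 1 if any found.
ra_forwarding_risk() {
    _root="${1:-/proc/sys/net/ipv6/conf}"
    _rc=0
    for _iface in $(ra_route_ifaces); do
        _value=$(cat "$_root/$_iface/accept_ra" 2>/dev/null || echo unknown)
        if [ "$_value" != "2" ]; then
            echo "$_iface accept_ra=$_value"
            _rc=1
        fi
    done
    return "$_rc"
}

# On a real host: ip -6 route show | ra_forwarding_risk
```

Running it once after boot and again after `netplan apply` shows whether the value is being reset between the two.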