[PVE-User] PX4 and IPv6

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Aug 19 10:59:03 CEST 2016


tcpdump mail first:

>* Ping on working container
>
>** Host
>~# tcpdump -i vmbr0 -vn 'icmp6'
>tcpdump: listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
>16:07:41.527990 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::ec4:7aff:fec4:e422 > 2001:41d0:1008:1cff:ff:ff:ff:ff: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:41d0:1008:1cff:ff:ff:ff:ff source link-address option (1), length 8 (1): 0c:c4:7a:c4:e4:22
>16:07:41.529863 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:41d0:1008:1cff:ff:ff:ff:ff > fe80::ec4:7aff:fec4:e422: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:41d0:1008:1cff:ff:ff:ff:ff, Flags [router, solicited]
>16:07:49.499164 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::101: [icmp6 sum ok] ICMP6, echo request, seq 1
>16:07:49.499204 IP6 (flowlabel 0x43bf1, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1007:1c79::101 > 2001:41d0:1:c705::1: [icmp6 sum ok] ICMP6, echo reply, seq 1
(...)
>** Working container
>~# tcpdump -i eth0 -vn 'icmp6'
>tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>16:07:49.499180 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::101: [icmp6 sum ok] ICMP6, echo request, seq 1
>16:07:49.499201 IP6 (flowlabel 0x43bf1, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1007:1c79::101 > 2001:41d0:1:c705::1: [icmp6 sum ok] ICMP6, echo reply, seq 1

This is from :c705::1 => :1c79::101. You haven't mentioned the :c705
address before, so I assume this is from the outside, not the PVE host,
to the working container.

> * Ping on non-working container
> 
> ** Host
> ~# tcpdump -i vmbr0 -vn 'icmp6'
> tcpdump: listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 16:09:17.759338 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::102: [icmp6 sum ok] ICMP6, echo request, seq 1
(...)
>** Non-working container
>~# tcpdump -i eth0 -vn 'icmp6'
>tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>16:09:17.759380 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::102: [icmp6 sum ok] ICMP6, echo request, seq 1

So the container sees the packet. Note that the container itself could
have an inner firewall, too.  Also maybe try with -e and see if the
packet's MAC addresses are correct.

Then, try to ping from this container out to the c705::1 address and
check with tcpdump.

Now:

The rest below looks good, except for the missing `ip -6 route` info.
A missing route to the outside can stop the container from responding to
a ping coming in, too.

On Thu, Aug 18, 2016 at 04:12:59PM +0200, Guillaume wrote:
> Sorry for the line breaks, it should be disabled now.
> Here are the first results, tcpdump is coming next.
> All my (previous and current) tests were done with pve-firewall disabled to
> avoid any firewall issue.
> 
> * Working container
> ~# ip -6 addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 2001:41d0:1007:1c79::101/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::ff:fe4d:373c/64 scope link
>        valid_lft forever preferred_lft forever
> 12: eth1@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 fe80::3031:36ff:fe34:3866/64 scope link
>        valid_lft forever preferred_lft forever
> 
> ~# ss -tlnp6
> State       Recv-Q Send-Q
> Local Address:Port
> Peer Address:Port
> LISTEN      0      128
> :::80
> :::*                   users:(("nginx",pid=902,fd=7),("nginx",pid=901,fd=7),("nginx",pid=900,fd=7),("nginx",pid=899,fd=7),("nginx",pid=898,fd=7),("nginx",pid=897,fd=7),("nginx",pid=896,fd=7),("nginx",pid=895,fd=7),("nginx",pid=894,fd=7))
> LISTEN      0      128
> :::22
> :::*                   users:(("sshd",pid=18092,fd=4))
> LISTEN      0      100
> ::1:25
> :::*                   users:(("master",pid=904,fd=13))
> LISTEN      0      128
> :::443
> :::*                   users:(("nginx",pid=902,fd=9),("nginx",pid=901,fd=9),("nginx",pid=900,fd=9),("nginx",pid=899,fd=9),("nginx",pid=898,fd=9),("nginx",pid=897,fd=9),("nginx",pid=896,fd=9),("nginx",pid=895,fd=9),("nginx",pid=894,fd=9))
> 
> 
> * Non-working container
> ~# ip -6 addr
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 2001:41d0:1007:1c79::102/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::ff:fe79:6389/64 scope link
>        valid_lft forever preferred_lft forever
> 19: eth1@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 fe80::6031:32ff:fe34:6561/64 scope link
>        valid_lft forever preferred_lft forever
> 
> ~# ss -tlnp6
> State       Recv-Q Send-Q
> Local Address:Port
> Peer Address:Port
> LISTEN      0      128
> :::80
> :::*                   users:(("nginx",pid=907,fd=7),("nginx",pid=906,fd=7),("nginx",pid=904,fd=7),("nginx",pid=903,fd=7),("nginx",pid=902,fd=7),("nginx",pid=901,fd=7),("nginx",pid=900,fd=7),("nginx",pid=899,fd=7),("nginx",pid=898,fd=7))
> LISTEN      0      128
> :::22
> :::*                   users:(("sshd",pid=10346,fd=4))
> LISTEN      0      100
> ::1:25
> :::*                   users:(("master",pid=910,fd=13))
> LISTEN      0      128
> :::443
> :::*                   users:(("nginx",pid=907,fd=9),("nginx",pid=906,fd=9),("nginx",pid=904,fd=9),("nginx",pid=903,fd=9),("nginx",pid=902,fd=9),("nginx",pid=901,fd=9),("nginx",pid=900,fd=9),("nginx",pid=899,fd=9),("nginx",pid=898,fd=9))
> 
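
Added example, not part of the original mail: the comparison made above (echo request seen on vmbr0 and eth0, but no echo reply) done mechanically over `tcpdump -vn 'icmp6'` text. The function name and the SAMPLE list are assumptions for illustration; the sample lines are copied from the host captures quoted in this thread.

```python
import re
from collections import OrderedDict

# Timestamp, source, destination, echo type and sequence number as printed
# by `tcpdump -vn 'icmp6'`. Neighbor discovery lines do not match.
ECHO_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 .*?\)\s+"
    r"(?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+): "
    r".*ICMP6, echo (?P<kind>request|reply), seq (?P<seq>\d+)"
)

def unanswered_echo_requests(lines):
    """Return (ts, src, dst, seq) for each echo request with no reply."""
    pending = OrderedDict()
    for line in lines:
        m = ECHO_RE.search(line)
        if not m:
            continue
        src, dst, seq = m["src"], m["dst"], int(m["seq"])
        if m["kind"] == "request":
            pending[(src, dst, seq)] = m["ts"]
        else:
            # A reply travels dst -> src, so swap the pair to find its request.
            pending.pop((dst, src, seq), None)
    return [(ts, s, d, q) for (s, d, q), ts in pending.items()]

# Sample input: host-side (vmbr0) lines quoted in this thread.
SAMPLE = [
    "16:07:41.529863 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:41d0:1008:1cff:ff:ff:ff:ff > fe80::ec4:7aff:fec4:e422: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:41d0:1008:1cff:ff:ff:ff:ff, Flags [router, solicited]",
    "16:07:49.499164 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::101: [icmp6 sum ok] ICMP6, echo request, seq 1",
    "16:07:49.499204 IP6 (flowlabel 0x43bf1, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1007:1c79::101 > 2001:41d0:1:c705::1: [icmp6 sum ok] ICMP6, echo reply, seq 1",
    "16:09:17.759338 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::102: [icmp6 sum ok] ICMP6, echo request, seq 1",
]

if __name__ == "__main__":
    for ts, src, dst, seq in unanswered_echo_requests(SAMPLE):
        print(f"{ts} no reply from {dst} to {src} (seq {seq})")
```

An address reported here received the request but did not answer, which is the case where the container's `ip -6 route` output and any inner firewall are the next things to check.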



