[PVE-User] PX4 and IPv6

Guillaume proxmox at shadowprojects.org
Fri Aug 19 12:57:27 CEST 2016


Thanks for the hint, I found a temporary solution.

Yes, :c705 is an outside server.

None of my containers have inner firewall.

Comparing IPv6 routes from the working container to the non-working one 
indeed shows there is a route missing, but both of their interfaces 
files are similar.

* Working container

~# ip -6 route
2001:41d0:1007:1c79::/64 dev eth0  proto kernel  metric 256  pref medium
2001:41d0:1007:1cff:ff:ff:ff:ff dev eth0  metric 1024  pref medium
2001:41d0:1007:1c00::/56 dev eth0  proto kernel  metric 256 expires 1771237sec pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium
default via 2001:41d0:1007:1cff:ff:ff:ff:ff dev eth0  metric 1024 pref medium (MISSING BELOW)

* Non-working container

~# ip -6 route
2001:41d0:1007:1c79::/64 dev eth0  proto kernel  metric 256  pref medium
2001:41d0:1007:1cff:ff:ff:ff:ff dev eth0  metric 1024  pref medium
2001:41d0:1007:1c00::/56 dev eth0  proto kernel  metric 256 expires 1771280sec pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium

Adding the missing route manually fixes the issue:
ip route add default via 2001:41d0:1007:1cff:ff:ff:ff:ff dev eth0

This route should have been added at boot (post-up in interfaces file).

So, I added it manually and rebooted the container.
After the reboot, the route is still missing.

I saw nothing in the containers' logs (dmesg included).
That's rather strange.

Le 19/08/2016 à 10:59, Wolfgang Bumiller a écrit :
> tcpdump mail first:
>
>> * Ping on working container
>>
>> ** Host
>> ~# tcpdump -i vmbr0 -vn 'icmp6'
>> tcpdump: listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:07:41.527990 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::ec4:7aff:fec4:e422 > 2001:41d0:1007:1cff:ff:ff:ff:ff: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 2001:41d0:1007:1cff:ff:ff:ff:ff source link-address option (1), length 8 (1): 0c:c4:7a:c4:e4:22
>> 16:07:41.529863 IP6 (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:41d0:1007:1cff:ff:ff:ff:ff > fe80::ec4:7aff:fec4:e422: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:41d0:1007:1cff:ff:ff:ff:ff, Flags [router, solicited]
>> 16:07:49.499164 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::101: [icmp6 sum ok] ICMP6, echo request, seq 1
>> 16:07:49.499204 IP6 (flowlabel 0x43bf1, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1007:1c79::101 > 2001:41d0:1:c705::1: [icmp6 sum ok] ICMP6, echo reply, seq 1
> (...)
>> ** Working container
>> ~# tcpdump -i eth0 -vn 'icmp6'
>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:07:49.499180 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::101: [icmp6 sum ok] ICMP6, echo request, seq 1
>> 16:07:49.499201 IP6 (flowlabel 0x43bf1, hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1007:1c79::101 > 2001:41d0:1:c705::1: [icmp6 sum ok] ICMP6, echo reply, seq 1
> This is from :c705::1 => :1c79::101. You haven't mentioned the :c705
> address before, so I assume this is from the outside, not the PVE host,
> to the working container.
>
>> * Ping on non-working container
>>
>> ** Host
>> ~# tcpdump -i vmbr0 -vn 'icmp6'
>> tcpdump: listening on vmbr0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:09:17.759338 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::102: [icmp6 sum ok] ICMP6, echo request, seq 1
> (...)
>> ** Non-working container
>> ~# tcpdump -i eth0 -vn 'icmp6'
>> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> 16:09:17.759380 IP6 (hlim 61, next-header ICMPv6 (58) payload length: 64) 2001:41d0:1:c705::1 > 2001:41d0:1007:1c79::102: [icmp6 sum ok] ICMP6, echo request, seq 1
> So the container sees the packet. Note that the container itself could
> have an inner firewall, too.  Also maybe try with -e and see if the
> packet's MAC addresses are correct.
>
> Then, try to ping from this container out to the c705::1 address and
> check with tcpdump.
>
> Now:
>
> The rest below looks good, except for the missing `ip -6 route` info.
> A missing route to the outside can stop the container from responding to
> a ping coming in, too.
>
> On Thu, Aug 18, 2016 at 04:12:59PM +0200, Guillaume wrote:
>> Sorry for the line breaks, it should be disabled now.
>> Here are the first results, tcpdump is coming next.
>> All my (previous and current) tests were done with pve-firewall disabled to
>> avoid any firewall issue.
>>
>> * Working container
>> ~# ip -6 addr
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
>>      inet6 ::1/128 scope host
>>         valid_lft forever preferred_lft forever
>> 7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>>      inet6 2001:41d0:1007:1c79::101/64 scope global
>>         valid_lft forever preferred_lft forever
>>      inet6 fe80::ff:fe4d:373c/64 scope link
>>         valid_lft forever preferred_lft forever
>> 12: eth1@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>>      inet6 fe80::3031:36ff:fe34:3866/64 scope link
>>         valid_lft forever preferred_lft forever
>>
>> ~# ss -tlnp6
>> State       Recv-Q Send-Q Local Address:Port Peer Address:Port
>> LISTEN      0      128    :::80              :::*               users:(("nginx",pid=902,fd=7),("nginx",pid=901,fd=7),("nginx",pid=900,fd=7),("nginx",pid=899,fd=7),("nginx",pid=898,fd=7),("nginx",pid=897,fd=7),("nginx",pid=896,fd=7),("nginx",pid=895,fd=7),("nginx",pid=894,fd=7))
>> LISTEN      0      128    :::22              :::*               users:(("sshd",pid=18092,fd=4))
>> LISTEN      0      100    ::1:25             :::*               users:(("master",pid=904,fd=13))
>> LISTEN      0      128    :::443             :::*               users:(("nginx",pid=902,fd=9),("nginx",pid=901,fd=9),("nginx",pid=900,fd=9),("nginx",pid=899,fd=9),("nginx",pid=898,fd=9),("nginx",pid=897,fd=9),("nginx",pid=896,fd=9),("nginx",pid=895,fd=9),("nginx",pid=894,fd=9))
>>
>>
>> * Non-working container
>> ~# ip -6 addr
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
>>      inet6 ::1/128 scope host
>>         valid_lft forever preferred_lft forever
>> 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>>      inet6 2001:41d0:1007:1c79::102/64 scope global
>>         valid_lft forever preferred_lft forever
>>      inet6 fe80::ff:fe79:6389/64 scope link
>>         valid_lft forever preferred_lft forever
>> 19: eth1@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>>      inet6 fe80::6031:32ff:fe34:6561/64 scope link
>>         valid_lft forever preferred_lft forever
>>
>> ~# ss -tlnp6
>> State       Recv-Q Send-Q Local Address:Port Peer Address:Port
>> LISTEN      0      128    :::80              :::*               users:(("nginx",pid=907,fd=7),("nginx",pid=906,fd=7),("nginx",pid=904,fd=7),("nginx",pid=903,fd=7),("nginx",pid=902,fd=7),("nginx",pid=901,fd=7),("nginx",pid=900,fd=7),("nginx",pid=899,fd=7),("nginx",pid=898,fd=7))
>> LISTEN      0      128    :::22              :::*               users:(("sshd",pid=10346,fd=4))
>> LISTEN      0      100    ::1:25             :::*               users:(("master",pid=910,fd=13))
>> LISTEN      0      128    :::443             :::*               users:(("nginx",pid=907,fd=9),("nginx",pid=906,fd=9),("nginx",pid=904,fd=9),("nginx",pid=903,fd=9),("nginx",pid=902,fd=9),("nginx",pid=901,fd=9),("nginx",pid=900,fd=9),("nginx",pid=899,fd=9),("nginx",pid=898,fd=9))
>>
>
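
An added example, not part of the original messages: a small shell helper for the route comparison done by hand in this thread, ignoring the changing `expires` timer. The function names are hypothetical, and the sample dumps are the two `ip -6 route` outputs from the message with wrapped lines rejoined.

```shell
#!/bin/sh
# Sample input: the two `ip -6 route` dumps from this thread, wrapped lines rejoined.
WORKING='2001:41d0:1007:1c79::/64 dev eth0  proto kernel  metric 256  pref medium
2001:41d0:1007:1cff:ff:ff:ff:ff dev eth0  metric 1024  pref medium
2001:41d0:1007:1c00::/56 dev eth0  proto kernel  metric 256 expires 1771237sec pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium
default via 2001:41d0:1007:1cff:ff:ff:ff:ff dev eth0  metric 1024 pref medium'

BROKEN='2001:41d0:1007:1c79::/64 dev eth0  proto kernel  metric 256  pref medium
2001:41d0:1007:1cff:ff:ff:ff:ff dev eth0  metric 1024  pref medium
2001:41d0:1007:1c00::/56 dev eth0  proto kernel  metric 256 expires 1771280sec pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
fe80::/64 dev eth1  proto kernel  metric 256  pref medium'

# Normalise a dump on stdin: drop the "expires Nsec" countdown (it differs on
# every run), squeeze whitespace, delete empty lines, sort for comparison.
normalize_routes() {
    sed -E -e 's/ expires [0-9]+sec//' -e 's/[[:space:]]+/ /g' \
           -e 's/^ //' -e 's/ $//' -e '/^$/d' | LC_ALL=C sort -u
}

# missing_routes GOOD BAD: print routes present in GOOD but absent from BAD.
missing_routes() {
    good=$(mktemp)
    bad=$(mktemp)
    printf '%s\n' "$1" | normalize_routes > "$good"
    printf '%s\n' "$2" | normalize_routes > "$bad"
    LC_ALL=C comm -23 "$good" "$bad"
    rm -f "$good" "$bad"
}

# has_default_route DUMP: succeed only if the dump contains a default route.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^default '
}

# On a live system, pass "$(ip -6 route)" captured in each container instead.
missing_routes "$WORKING" "$BROKEN"
has_default_route "$BROKEN" || echo "no IPv6 default route" >&2
```
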



