Hi all,
I’ve a working setup on a virtualization host with two NICs, one for LAN and the other for DMZ. The host itself is only accessible on the LAN NIC. The containers (openvz) are connected to either one of the NICs. Both NICs are connected to a router/firewall that routes between WAN, DMZ and LAN. My network is dual stack.

This setup is currently working for both IPv4 and IPv6, but has two strange issues with IPv6:

1. IPv6 only works if I disable RAs on the DMZ side of the router. When enabled, the DMZ NIC, which does not have IPs configured for the hardware node itself, will auto-configure IPv6, even if I set net.ipv6.conf.all.accept_ra = 0. The LAN NIC that has an IPv6 address and all containers will lose their IPv6 connectivity both on the DMZ and on the LAN side. Disabling RA on the router’s DMZ interface is no problem, but it’s still strange. What could be the cause?

2. Without the RA, the containers have full IPv6 connectivity. The hardware node however does have a LAN IPv6 address, but can’t be reached. On the LAN I get a ‘no route to host’ error. It seems as if, even though the LAN NIC / bridge has an IPv6 address, it doesn’t advertise itself accordingly on the LAN. The setup seems fine, the routing seems fine, but I can neither ssh -6 nor ping6 to or from the hardware node. What could I do / test to solve this issue?
The setup in interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary LAN network interface
iface eth0 inet manual
iface eth0 inet6 manual

auto vzbr_lan
iface vzbr_lan inet static
    address 192.168.1.xx
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1
    dns-search somedomain.tld
    bridge_ports eth0
    bridge_stp off
    bridge_waitport 0
    bridge_df 0

iface vzbr_lan inet6 static
    address aaaa:bbbb:cccc:3::xx
    netmask 64
    gateway aaaa:bbbb:cccc:3::1
    dns-nameservers aaaa:bbbb:cccc:3::1
    dns-search somedomain.tld

# The primary DMZ network interface
iface eth1 inet manual
iface eth1 inet6 manual

auto vzbr_dmz
iface vzbr_dmz inet manual
    bridge_ports eth1
    bridge_stp off
    bridge_waitport 0
    bridge_fd 0

iface vzbr_dmz inet6 manual

The resulting routing:

$ ip -6 route show
aaaa:bbbb:cccc:3::/64 dev vzbr_lan proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
aaaa:bbbb:cccc:3::/64 dev vzbr_lan proto kernel metric 256 expires 2591598sec mtu 1500 advmss 1440 hoplimit 0
fe80::1 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev vzbr_lan proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev vzbr_dmz proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev venet0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev veth115.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev veth114.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev veth111.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev veth112.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev veth113.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev veth103.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev veth102.0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via aaaa:bbbb:cccc:3::1 dev vzbr_lan metric 1024 mtu 1500 advmss 1440 hoplimit 0
default via fe80::204:76ff:fe21:8122 dev vzbr_lan proto kernel metric 1024 expires 22sec mtu 1500 advmss 1440 hoplimit 64

thanks,
P.
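An added example, not part of the original post: a small Python parser for the `ip -6 route show` output above that lists routes carrying an `expires` lifetime and the per-interface `accept_ra` file to inspect for each. It assumes that an expiring route was learned dynamically (typically from a Router Advertisement), since statically configured routes have no lifetime; the function names and the trimmed sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: five lines trimmed from the routing table in the post.
SAMPLE = """\
aaaa:bbbb:cccc:3::/64 dev vzbr_lan proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
aaaa:bbbb:cccc:3::/64 dev vzbr_lan proto kernel metric 256 expires 2591598sec mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev vzbr_dmz proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
default via aaaa:bbbb:cccc:3::1 dev vzbr_lan metric 1024 mtu 1500 advmss 1440 hoplimit 0
default via fe80::204:76ff:fe21:8122 dev vzbr_lan proto kernel metric 1024 expires 22sec mtu 1500 advmss 1440 hoplimit 64
"""

# Keywords in `ip -6 route` output that are followed by a value.
KEYS = {"via", "dev", "proto", "metric", "expires", "mtu", "advmss", "hoplimit"}

def parse_route(line):
    """Parse one route line into a dict; tokens that are not in KEYS are ignored."""
    tokens = line.split()
    if not tokens:
        return None
    route = {"dst": tokens[0]}
    for key, value in zip(tokens[1:], tokens[2:]):
        if key in KEYS:
            route[key] = value
    if "expires" in route:
        lifetime = route["expires"]
        route["expires"] = int(lifetime[:-3] if lifetime.endswith("sec") else lifetime)
    return route

def ra_report(text):
    """Map each device to the expiring (assumed dynamically learned) routes on it."""
    routes = [r for r in map(parse_route, text.splitlines()) if r]
    static_default = any(r["dst"] == "default" and "expires" not in r for r in routes)
    report = defaultdict(lambda: {"learned": [], "competing_default": False})
    for r in routes:
        if "expires" not in r:
            continue  # no lifetime: static or kernel-installed route
        entry = report[r["dev"]]
        entry["learned"].append((r["dst"], r.get("via"), r["expires"]))
        # A learned default next to a static one gives the host two gateways.
        if r["dst"] == "default" and static_default:
            entry["competing_default"] = True
        # Per-interface setting to inspect on the host for this device.
        entry["accept_ra_path"] = f"/proc/sys/net/ipv6/conf/{r['dev']}/accept_ra"
    return dict(report)

if __name__ == "__main__":
    for dev, info in ra_report(SAMPLE).items():
        print(dev, info)
```

On the sample lines, only vzbr_lan is reported: it holds an expiring prefix route and an expiring default route via a link-local gateway, alongside the static default from the interfaces file.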

