Hi

I am using 4.15, the hypervisor is Ubuntu 18 with KVM, and yes, I am on
Advanced with SG.

I set the Security Group:

ICMP
-1 -1 ::/0

But it seems I still cannot ping the VM.

Or even when I add rules for ALL:

All     .  All               ::/0


It still seems unable to ping.


After configuring, these are the rules in ip6tables:


Chain i-2-10-VM (1 references)
target     prot opt source               destination
ACCEPT     ipv6-icmp    anywhere             anywhere
ACCEPT     all      anywhere             anywhere             state NEW
DROP       all      anywhere             anywhere




Chain i-2-10-VM-eg (1 references)
target     prot opt source               destination
RETURN     all      anywhere             anywhere


Chain i-2-10-def (2 references)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     ipv6-icmp    fe80::/64            ip6-allnodes         PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp router-advertisement HL match HL == 255
RETURN     ipv6-icmp    anywhere             ip6-allrouters       PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-solicitation HL match HL == 255
DROP       ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp router-advertisement
RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-solicitation HL match HL == 255
RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement match-set i-2-10-VM-6 src HL match HL == 255
ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp neighbour-advertisement HL match HL == 255
RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp packet-too-big match-set i-2-10-VM-6 src
ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp packet-too-big
RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable match-set i-2-10-VM-6 src
ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp destination-unreachable
RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp time-exceeded match-set i-2-10-VM-6 src
ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp time-exceeded
RETURN     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ipv6-icmp parameter-problem match-set i-2-10-VM-6 src
ACCEPT     ipv6-icmp    anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged ipv6-icmp parameter-problem
RETURN     ipv6-icmp    anywhere             ff02::16             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged
RETURN     udp      fe80::1c00:f6ff:fe00:56  ff02::1:2            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-client
ACCEPT     udp      fe80::/64            fe80::1c00:f6ff:fe00:56  PHYSDEV match --physdev-out vnet3 --physdev-is-bridged udp dpt:dhcpv6-client
DROP       udp      anywhere            !fe80::/64            PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp spt:dhcpv6-server
RETURN     udp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged udp dpt:domain match-set i-2-10-VM-6 src
RETURN     tcp      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged tcp dpt:domain match-set i-2-10-VM-6 src
DROP       all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged ! match-set i-2-10-VM-6 src
i-2-10-VM-eg  all      anywhere             anywhere             PHYSDEV match --physdev-in vnet3 --physdev-is-bridged match-set i-2-10-VM-6 src
i-2-10-VM  all      anywhere             anywhere             PHYSDEV match --physdev-out vnet3 --physdev-is-bridged





On Sat, May 1, 2021 at 1:42 AM Gabriel Bräscher <gabrasc...@gmail.com>
wrote:

> Hi Hean,
>
> What version of CloudStack are you using?
>
> KVM does support IPv6 indeed when deploying Advanced Networking with
> Security Groups (SG) enabled.
> It should work fine. The only difference regarding setting IPv4 rules for
> SG is that the CIDR list is an IPv6 CIDR (e.g. cidrlist="::/0", instead of
> cidrlist="0.0.0.0/0").
>
> From what you mentioned it is probably missing SG Ingress rules for IPv6
> and, by default, it is dropping all the IPv6 packages.
>
> Regards,
> Gabriel.
>
> On Fri, Apr 30, 2021 at 12:17, Hean Seng <heans...@gmail.com>
> wrote:
>
> > We are using a shared network, with Security Group, on KVM.
> >
> > On Fri, Apr 30, 2021 at 6:28 PM Alex Mattioli <alex.matti...@shapeblue.com>
> > wrote:
> >
> > > Hi Hean,
> > >
> > > > What type of network and hypervisor are you using? Also, which version
> > > > of ACS?
> > >
> > > Regards,
> > > Alex
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Hean Seng <heans...@gmail.com>
> > > Sent: 30 April 2021 08:34
> > > To: users@cloudstack.apache.org
> > > Subject: IPv6 Issue in Cloudstack
> > >
> > > Hi
> > >
> > > > I set up IPv6 in the VM. Outbound from the VM is no issue; it can ping
> > > > all the IPv6 IPs outside.
> > > >
> > > > But inbound to the IPv6 IP in the VM seems not accessible at all.
> > > >
> > > > And it seems there is no Security Group to manage the IPv6 rules. The SG
> > > > is only for IPv4.
> > > >
> > > > And I saw in ipv6tables -L that there are a lot of rules there. Not sure
> > > > if they are preconfigured by CloudStack or default Linux. And I guess
> > > > that is blocking access.
> > > >
> > > > Does anybody have experience with enabling IPv6 in a CloudStack VM and
> > > > the Ipv6table rules there?
> > >
> > >
> > > --
> > > Regards,
> > > Hean Seng
> > >
> >
> >
> > --
> > Regards,
> > Hean Seng
> >
>


-- 
Regards,
Hean Seng
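
Added example, not part of the original thread: one way to tell whether test pings are accepted, dropped, or never arrive at the security-group ingress chain shown above is to compare packet counters from two runs of `ip6tables -L i-2-10-VM -v -n -x` on the KVM host, one before and one after pinging the VM. The function names and the sample counter values are constructed for illustration.

```python
# Constructed sample: `ip6tables -L i-2-10-VM -v -n -x` captured before and
# after pinging the VM from outside. Counter values are invented.
HEADER = (
    "Chain i-2-10-VM (1 references)\n"
    "    pkts      bytes target     prot opt in     out     source               destination\n"
)
BEFORE = HEADER + (
    "       0        0 ACCEPT     icmpv6    *      *       ::/0                 ::/0\n"
    "      12      960 ACCEPT     all       *      *       ::/0                 ::/0                 state NEW\n"
    "       3      216 DROP       all       *      *       ::/0                 ::/0\n"
)
AFTER = HEADER + (
    "       4      416 ACCEPT     icmpv6    *      *       ::/0                 ::/0\n"
    "      12      960 ACCEPT     all       *      *       ::/0                 ::/0                 state NEW\n"
    "       3      216 DROP       all       *      *       ::/0                 ::/0\n"
)
# Protocol 58 is printed under different names depending on flags and version.
ICMP6 = {"icmpv6", "ipv6-icmp", "58"}


def parse_counters(listing):
    """Return [(target, prot, pkts)] for each rule row of a -v -n -x listing."""
    rows = []
    for line in listing.splitlines():
        fields = line.split()
        # Rule rows start with the numeric packet counter; header lines do not.
        if len(fields) >= 4 and fields[0].isdigit():
            rows.append((fields[2], fields[3], int(fields[0])))
    return rows


def counter_deltas(before, after):
    """Per-rule packet increase between two snapshots of the same chain."""
    old, new = parse_counters(before), parse_counters(after)
    if [r[:2] for r in old] != [r[:2] for r in new]:
        raise ValueError("rule set changed between snapshots")
    return [(t, p, n - o) for (t, p, o), (_, _, n) in zip(old, new)]


def classify(before, after):
    """Say where the test pings went, judged from the SG ingress chain only."""
    deltas = counter_deltas(before, after)
    if any(t == "ACCEPT" and p in ICMP6 and d > 0 for t, p, d in deltas):
        return "accepted-by-sg-chain"  # next: guest firewall, return path
    if any(t == "DROP" and d > 0 for t, p, d in deltas):
        return "dropped-by-sg-chain"   # the SG ingress rule is not matching
    return "never-reached-chain"       # next: the -def chain, bridge, router
```

On a VM that is receiving other traffic the counters move for unrelated packets too, so take the snapshots close together and send a known number of pings.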
