Can ping using IPv4 but not using IPv6 from another host

Hello,

I have a bridge configured for IPv4 and IPv6. This bridge advertises routes to my router using BGP.
From the incus host I’m able to ping the container in IPv4 and IPv6.
From another host I’m able to ping IPv4 and IPv6 addresses of the bridge.
From another host, I am able to ping the container using its IPv4 address but not using its IPv6 address.

I see that the routes are correctly advertised.

Bridge configuration

config:
  bgp.ipv6.nexthop: 2a01:cb1c:***
  bgp.peers.openwrt.address: 10.10.10.1
  bgp.peers.openwrt.asn: "65000"
  ipv4.address: 10.100.1.1/24
  ipv4.firewall: "true"
  ipv4.nat: "false"
  ipv6.address: fd12:3456:7890:1::1/64
  ipv6.firewall: "true"
  ipv6.nat: "false"

The container

+------+---------+---------------------+--------------------------------------------+-----------+-----------+
| NAME |  STATE  |        IPV4         |                    IPV6                    |   TYPE    | SNAPSHOTS |
+------+---------+---------------------+--------------------------------------------+-----------+-----------+
| c1   | RUNNING | 10.100.1.106 (eth0) | fd12:3456:7890:1:216:3eff:fee9:b863 (eth0) | CONTAINER | 0         |
+------+---------+---------------------+--------------------------------------------+-----------+-----------+

Ping from incus host

$ ping 10.100.1.106
PING 10.100.1.106 (10.100.1.106) 56(84) bytes of data.
64 bytes from 10.100.1.106: icmp_seq=1 ttl=64 time=0.196 ms
$ ping6 fd12:3456:7890:1:216:3eff:fee9:b863
PING fd12:3456:7890:1:216:3eff:fee9:b863 (fd12:3456:7890:1:216:3eff:fee9:b863) 56 data bytes
64 bytes from fd12:3456:7890:1:216:3eff:fee9:b863: icmp_seq=1 ttl=64 time=0.426 ms

Ping from another host

$ ping  10.100.1.106
PING 10.100.1.106 (10.100.1.106): 56 data bytes
64 bytes from 10.100.1.106: icmp_seq=0 ttl=63 time=9.917 ms
$ ping6 fd12:3456:7890:1:216:3eff:fee9:b863
PING6(56=40+8+8 bytes) 2a01:cb1c:e08:4900:31b6:f4a3:6f47:8a4c --> fd12:3456:7890:1:216:3eff:fee9:b863
^C
--- fd12:3456:7890:1:216:3eff:fee9:b863 ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Ping incus host from another one (works)

ping6 fd12:3456:7890:1::1                
PING6(56=40+8+8 bytes) 2a01:cb1c:e08:4900:31b6:f4a3:6f47:8a4c --> fd12:3456:7890:1::1
16 bytes from fd12:3456:7890:1::1, icmp_seq=0 hlim=64 time=96.388 ms

Routes advertised

{
	"peers": [
		{
			"address": "10.10.10.1",
			"asn": 65000,
			"count": 1,
			"holdtime": 0,
			"password": ""
		}
	],
	"prefixes": [
		{
			"nexthop": "0.0.0.0",
			"owner": "network_5",
			"prefix": "10.100.1.0/24"
		},
		{
			"nexthop": "2a01:cb1c:***",
			"owner": "network_5",
			"prefix": "fd12:3456:7890:1::/64"
		}
	],
	"server": {
		"address": "10.10.10.2:179",
		"asn": 65001,
		"router_id": "10.10.10.2",
		"running": true
	}
}

I don’t understand why I can ping fd12:3456:7890:1::1 but not the container inside the subnet.

Also I have verified that net.ipv6.conf.all.forwarding=1.

Are you sure the announcement fd12:3456:7890:1::/64 is getting accepted by the router, along with the correct next hop? (It seems likely, given that you are pinging the “inside” address, but I’ve seen strange configs where the same IPv6 subnet is used on different interfaces).

What does traceroute fd12:3456:7890:1:216:3eff:fee9:b863 from that other host show?

If you run ping fd12:3456:7890:1:216:3eff:fee9:b863 from that other host, and at the same time on the incus host run tcpdump -i incusbr0 -nn icmp6, do you see the pings arriving and/or the responses going out? What about inside the container?

Yes, I’m sure: if I remove the announcement of this in incus, I cannot ping fd12:3456:7890:1::1 anymore.
Also I see it on my router:

Table master4:
10.100.1.0/24        unicast [incus 07:53:38.706] * (100) [AS65001i]
	via 10.10.10.2 on br-lan.1010
	Type: BGP univ
	BGP.origin: IGP
	BGP.as_path: 65001
	BGP.next_hop: 10.10.10.2
	BGP.local_pref: 100

Table master6:
fd12:3456:7890:1::/64 unicast [incus 07:53:38.706 from 10.10.10.2] * (100) [AS65001i]
	via 2a01:cb1c:*** on br-lan.1010
	Type: BGP univ
	BGP.origin: IGP
	BGP.as_path: 65001
	BGP.next_hop: 2a01:cb1c:***
	BGP.local_pref: 100

I get that; the first is my router, the second is the “hop”, which is the incus host.

traceroute6 to fd12:3456:7890:1:216:3eff:fee9:b863 (fd12:3456:7890:1:216:3eff:fee9:b863), 64 hops max, 28 byte packets
 1  2a01:cb1c::bad  9.420 ms  4.710 ms  3.892 ms
 2  2a01:cb1c:****  3.869 ms  4.126 ms  4.119 ms
 3  * * *
 4  * * *

I got nothing on incus host nor inside the container.

What about tcpdump on the external interface of the incus host? Do you see the pings arriving?

If so, then it’s something to do with routing or firewalling on the incus host itself. Check iptables/nftables.

Also I have verified that net.ipv6.conf.all.forwarding=1.

What about net.ipv6.conf.XXX.forwarding, where XXX is the external interface? The all setting works in weird and mysterious ways.

Yup, I see them:

tcpdump -i br1010 -nn icmp6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br1010, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:40:59.627603 IP6 2a01:cb1c:*** > fd12:3456:7890:1:216:3eff:fee9:b863: ICMP6, echo request, id 17929, seq 5, length 16

That’s what I think: routing or firewall.
I have explicitly enabled forwarding on the external interface, but I am still not able to ping.

For the iptables rules I have this:

# Generated by ip6tables-save v1.8.10 (nf_tables) on Wed Nov 13 09:51:17 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [3:168]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d fd00:db8:5::242:ac11:5/128 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-a3ef2299c3c8 ! -o br-a3ef2299c3c8 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-37eb839c33f3 ! -o br-37eb839c33f3 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-a3ef2299c3c8 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-37eb839c33f3 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed Nov 13 09:51:17 2024
# Generated by ip6tables-save v1.8.10 (nf_tables) on Wed Nov 13 09:51:17 2024
*nat
:PREROUTING ACCEPT [49:9244]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [10:828]
:POSTROUTING ACCEPT [10:828]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s fd00:db8:5::/64 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s fd00:db8:5::242:ac11:5/128 -d fd00:db8:5::242:ac11:5/128 -p tcp -m tcp --dport 3000 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3000 -j DNAT --to-destination [fd00:db8:5::242:ac11:5]:3000
COMMIT

Docker has put in its own firewall rules.

There is a DROP policy on the FORWARD chain, and I don’t see any explicit rule which would allow traffic to or from incusbr0.

There are suggestions on how to deal with this here:

(although they only give examples for iptables, not ip6tables, it should be easy enough to convert)

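The diagnosis above can be turned into a repeatable check. The script below is an added example, not code from the thread or from the Incus project: it parses an ip6tables-save dump, reports whether the filter FORWARD chain has a DROP policy with no rule accepting traffic in or out of the Incus bridge, and prints the DOCKER-USER rules that would open it. It only reads a dump and prints commands; nothing touches the live firewall. The bridge name incusbr0 is an assumption (the thread never names it), and the two embedded dumps are constructed samples trimmed from the one posted above, the second with the fix applied. On a real host, capture `ip6tables-save` into a variable and pass it to the same functions.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an ip6tables-save dump for the
# "FORWARD DROP with no rule for the Incus bridge" condition and print a fix.
# Assumption: the Incus bridge is called incusbr0. Sample dumps are constructed.

# Policy of the FORWARD chain in the *filter table ("DROP" or "ACCEPT").
forward_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { print $2; exit }
    '
}

# Number of filter-table rules in FORWARD, or in DOCKER-USER (the chain Docker
# jumps to first and leaves for the administrator), whose -i or -o is the bridge.
bridge_rule_count() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && ($2 == "FORWARD" || $2 == "DOCKER-USER") {
            for (i = 3; i < NF; i++)
                if (($i == "-i" || $i == "-o") && $(i + 1) == br) { n++; break }
        }
        END { print n + 0 }
    '
}

# True (exit 0) when forwarded traffic for the bridge falls through to the DROP policy.
forward_blocked() {
    [ "$(forward_policy "$1")" = "DROP" ] && [ "$(bridge_rule_count "$1" "$2")" -eq 0 ]
}

# Rules to insert at the top of DOCKER-USER (printed, never executed here).
# The -o rule accepts NEW connections too, because this bridge is routed
# (ipv6.nat: false) and the goal is reaching the container from outside; on a
# NAT-only bridge, add "-m conntrack --ctstate RELATED,ESTABLISHED" to it.
fix_commands() {
    printf 'ip6tables -I DOCKER-USER -i %s -j ACCEPT\n' "$1"
    printf 'ip6tables -I DOCKER-USER -o %s -j ACCEPT\n' "$1"
}

# Constructed sample: the thread's filter table, trimmed (no rule names incusbr0).
BROKEN_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [3:168]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
*nat
:POSTROUTING ACCEPT [10:828]
-A POSTROUTING -s fd00:db8:5::/64 ! -o docker0 -j MASQUERADE
COMMIT
EOF
)

# Constructed sample: the same table after the two fix_commands were applied.
FIXED_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [3:168]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -o incusbr0 -j ACCEPT
-A DOCKER-USER -i incusbr0 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
EOF
)

# report LABEL DUMP BRIDGE: one line of verdict, plus the fix when blocked.
report() {
    if forward_blocked "$2" "$3"; then
        echo "$1: FORWARD policy $(forward_policy "$2"), no rule for $3: forwarding blocked. Suggested fix:"
        fix_commands "$3" | sed 's/^/    /'
    else
        echo "$1: forwarding for $3 allowed ($(bridge_rule_count "$2" "$3") matching rule(s))"
    fi
}

report broken "$BROKEN_DUMP" incusbr0
report fixed  "$FIXED_DUMP" incusbr0
```

One caveat when reading the output on a host like the one in the thread: with the nf_tables backend, `ip6tables-save` only shows tables created through the iptables-nft compatibility layer (here, Docker's). Rules that Incus installs natively with nftables live in a table of their own and only appear in `nft list ruleset`, so a clean `ip6tables-save` is not proof that nothing else is dropping the packets, and a DROP in either place is enough to lose them.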

Thank you, I didn’t see the DROP; I was only looking at the docker rules, and since it was working on the v4 side I was looking for something related to IPv6 directly.