Configure IPv6 with NAT

pajot · April 20, 2022, 1:19pm

I understand that IPv6 is supposed to make NAT superfluous, but I’m running containers on VPS and I am still trying to get my head around IPv6.

According to this post from @tomp, it should be possible to use IPv6 with NAT by setting ipv6.dhcp.stateful="true" in the lxc network config:

$ lxc network show lxdbr0
config:
  ipv4.address: 10.23.21.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:774b:2bac:da6::1/64
  ipv6.dhcp.stateful: "true"
  ipv6.nat: "true"
description: ""
name: lxdbr0
type: bridge
used_by:
- /1.0/instances/equal-parakeet
- /1.0/profiles/default
managed: true
status: Created
locations:
- none

eth0 on the host has a valid and working IPv6 address and tests performed on the host succeed.

Although I can make outbound IPv4 connections from the container to the outside world:

equal-parakeet ~ $ LANG=C ping -c 4 wikipedia.org    
PING wikipedia.org (91.198.174.192) 56(84) bytes of data.
64 bytes from text-lb.esams.wikimedia.org (91.198.174.192): icmp_seq=1 ttl=58 time=16.7 ms
64 bytes from text-lb.esams.wikimedia.org (91.198.174.192): icmp_seq=2 ttl=58 time=16.4 ms
64 bytes from text-lb.esams.wikimedia.org (91.198.174.192): icmp_seq=3 ttl=58 time=16.3 ms
64 bytes from text-lb.esams.wikimedia.org (91.198.174.192): icmp_seq=4 ttl=58 time=16.3 ms

--- wikipedia.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 16.298/16.432/16.693/0.155 ms

That does not work for IPv6:

equal-parakeet ~ $ LANG=C ping6 -c 4 wikipedia.org
PING wikipedia.org(text-lb.esams.wikimedia.org (2620:0:862:ed1a::1)) 56 data bytes
From b03921hp (fe80::216:3eff:fe8a:916%eth0) icmp_seq=1 Destination unreachable: Beyond scope of source address
From b03921hp (fe80::216:3eff:fe8a:916%eth0) icmp_seq=2 Destination unreachable: Beyond scope of source address
From b03921hp (fe80::216:3eff:fe8a:916%eth0) icmp_seq=3 Destination unreachable: Beyond scope of source address
From b03921hp (fe80::216:3eff:fe8a:916%eth0) icmp_seq=4 Destination unreachable: Beyond scope of source address

--- wikipedia.org ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3004ms

What have I missed here?

tomp · April 20, 2022, 1:28pm

Please show ip a on the host?

pajot · April 20, 2022, 2:44pm

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether da:54:75:aa:84:a8 brd ff:ff:ff:ff:ff:ff
    inet 83.171.236.43/24 brd 83.171.236.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a05:8b81:1000:1::b0bf:7e86/48 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::d854:75ff:feaa:84a8/64 scope link 
       valid_lft forever preferred_lft forever
3: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:8a:09:16 brd ff:ff:ff:ff:ff:ff
    inet 10.23.21.1/24 scope global lxdbr0
       valid_lft forever preferred_lft forever
    inet6 fd42:774b:2bac:da6::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe8a:916/64 scope link 
       valid_lft forever preferred_lft forever
5: vethb7a58b1b@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxdbr0 state UP group default qlen 1000
    link/ether fa:99:bd:22:3e:21 brd ff:ff:ff:ff:ff:ff link-netnsid 0

tomp · April 20, 2022, 2:47pm

What is ip a inside the container?

pajot · April 20, 2022, 2:48pm

equal-parakeet ~ $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:16:3e:fc:a6:28 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.23.21.100/24 brd 10.23.21.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fefc:a628/64 scope link 
       valid_lft forever preferred_lft forever

tomp · April 20, 2022, 2:54pm

Ah ok so you only have a link-local (no routable, and thus non-natable) address.

Looks like your container isn’t doing DHCPv6 to get an IP address from the bridge.

tomp · April 20, 2022, 2:56pm

This is related to IPv6 address is not appearing in 'lxc list' output

pajot · April 20, 2022, 3:02pm

Should the container need DHCP6 to get an address from the bridge?

pajot · April 20, 2022, 3:03pm

So if the container were pulling a routable address, then we would expect to see it in the ‘lxc list’ table, yes?

tomp · April 20, 2022, 3:04pm

If you set ipv6.dhcp.stateful: "true" yes.

tomp · April 20, 2022, 3:04pm

Yes