Recently I’ve been trying to configure IPv6 NAT access on LXC 5.x. IPv4 NAT works as intended, however when IPv6 NAT is enabled in lxc-net, and with all guest slices having IPv6 addresses allocated, trying to access IPv6 addresses inside the slices always fail, as there seems to be no route given to the container slices.
System information
- Host: Debian 12,
Linux test.local 6.1.0-35-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.137-1 (2025-05-07) x86_64 GNU/Linux - Guest: Alpine 3.20
- LXC:
1:5.0.2-1+deb12u3
Configs
Container
# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: --dist alpine --release 3.20 --arch amd64
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64
# Container specific configuration
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.rootfs.path = dir:/var/lib/lxc/[redacted]/rootfs
lxc.uts.name = [redacted]
lxc.start.order = 3
lxc.start.auto = 1
lxc.start.delay = 4
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,rw 0 0
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup2.devices.allow = c 10:200 rwm
lxc.net.0.hwaddr = [redacted]
lxc.include = /usr/share/lxc/config/userns.conf
lxc.idmap = u 0 [redacted] [redacted]
lxc.idmap = g 0 [redacted] [redacted]
lxc.mount.entry = [redacted] [redacted] none ro,bind 0 0
lxc-net
LXC_IPV6_ADDR="fc11:4514:1919:810::1"
LXC_IPV6_MASK="64"
LXC_IPV6_NETWORK="fc11:4514:1919:810::/64"
LXC_IPV6_NAT="true"
Relevant info
# ip route get 2606:4700:4700::1001
RTNETLINK answers: Network unreachable
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0@if69: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether [redacted] brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.3.5/24 brd 10.0.3.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fc11:4514:1919:810:xxxx:xxxx:xxxx:xxxx/64 scope global dynamic mngtmpaddr proto kernel_ra
valid_lft forever preferred_lft forever
inet6 fe80::xxxx:xxxx:xxxx:xxxx/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever