<div dir="ltr">Hi Antonio. Yes, it is<div><br></div><div><font face="monospace">$ sysctl net.ipv6.conf.all.forwarding <br>net.ipv6.conf.all.forwarding = 1</font><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Sep 14, 2019 at 6:02 AM Antonio Ojea <<a href="mailto:antonio.ojea.garcia@gmail.com">antonio.ojea.garcia@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Can you check if ipv6 forwarding is enabled in the router namespace?<br>
<br>
net.ipv6.conf.all.forwarding=1<br>
<br>
On Sat, 14 Sep 2019 at 02:13, Lucio Seki <<a href="mailto:lucioseki@gmail.com" target="_blank">lucioseki@gmail.com</a>> wrote:<br>
><br>
> I recreated my security group rules, to set remote_ip_prefix to ::/0 instead of None as in Donny's environment, but made no difference. :-(<br>
><br>
> On Fri, Sep 13, 2019 at 3:55 PM Donny Davis <<a href="mailto:donny@fortnebula.com" target="_blank">donny@fortnebula.com</a>> wrote:<br>
>><br>
>> So outbound traffic works, but inbound traffic doesn't?<br>
>><br>
>> Here is my icmp security group rule for ipv6.<br>
>> +-------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>> | Field             | Value                                                                                                                                                                                              |<br>
>> +-------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>> | created_at        | 2019-07-30T00:50:25Z                                                                                                                                                                               |<br>
>> | description       |                                                                                                                                                                                                    |<br>
>> | direction         | ingress                                                                                                                                                                                            |<br>
>> | ether_type        | IPv6                                                                                                                                                                                               |<br>
>> | id                | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa                                                                                                                                                               |<br>
>> | location          | Munch({'cloud': '', 'region_name': 'regionOne', 'zone': None, 'project': Munch({'id': 'e8fd161dc34c421a979a9e6421f823e9', 'name': 'openstackzuul', 'domain_id': None, 'domain_name': 'Default'})}) |<br>
>> | name              | None                                                                                                                                                                                               |<br>
>> | port_range_max    | None                                                                                                                                                                                               |<br>
>> | port_range_min    | None                                                                                                                                                                                               |<br>
>> | project_id        | e8fd161dc34c421a979a9e6421f823e9                                                                                                                                                                   |<br>
>> | protocol          | icmp                                                                                                                                                                                               |<br>
>> | remote_group_id   | None                                                                                                                                                                                               |<br>
>> | remote_ip_prefix  | ::/0                                                                                                                                                                                               |<br>
>> | revision_number   | 0                                                                                                                                                                                                  |<br>
>> | security_group_id | bcedc0e0-e2e8-41fc-aeaa-afd2e10c7ab6                                                                                                                                                               |<br>
>> | tags              | []                                                                                                                                                                                                 |<br>
>> | updated_at        | 2019-07-30T00:50:25Z                                                                                                                                                                               |<br>
>> +-------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>><br>
>><br>
>><br>
>> On Fri, Sep 13, 2019 at 2:48 PM Lucio Seki <<a href="mailto:lucioseki@gmail.com" target="_blank">lucioseki@gmail.com</a>> wrote:<br>
>>><br>
>>> Hmm OK, I'll try to figure out what hacking create_neutron_initial_network does...<br>
>>><br>
>>> BTW, I noticed that I can ping6 the router interface at private subnet from the DevStack host:<br>
>>><br>
>>> $ ping6 fd12:67:1:1::1<br>
>>> PING fd12:67:1:1::1(fd12:67:1:1::1) 56 data bytes<br>
>>> 64 bytes from fd12:67:1:1::1: icmp_seq=1 ttl=64 time=0.646 ms<br>
>>> 64 bytes from fd12:67:1:1::1: icmp_seq=2 ttl=64 time=0.095 ms<br>
>>> 64 bytes from fd12:67:1:1::1: icmp_seq=3 ttl=64 time=0.106 ms<br>
>>> 64 bytes from fd12:67:1:1::1: icmp_seq=4 ttl=64 time=0.129 ms<br>
>>><br>
>>> And also I can ping6 the public subnet interface from the VM:<br>
>>><br>
>>> root@ubuntu:~# ping6 fd12:67:1::3c<br>
>>> PING fd12:67:1::3c (fd12:67:1::3c): 56 data bytes<br>
>>> ping: getnameinfo: Temporary failure in name resolution<br>
>>> 64 bytes from unknown: icmp_seq=0 ttl=64 time=2.079 ms<br>
>>> ping: getnameinfo: Temporary failure in name resolution<br>
>>> 64 bytes from unknown: icmp_seq=1 ttl=64 time=1.385 ms<br>
>>> ping: getnameinfo: Temporary failure in name resolution<br>
>>> 64 bytes from unknown: icmp_seq=2 ttl=64 time=0.881 ms<br>
>>><br>
>>> Not sure if it means that there's something missing within the router itself...<br>
>>><br>
>>> On Fri, Sep 13, 2019 at 2:24 PM Donny Davis <<a href="mailto:donny@fortnebula.com" target="_blank">donny@fortnebula.com</a>> wrote:<br>
>>>><br>
>>>> Also I have no v6 address on my br-ex<br>
>>>><br>
>>>> On Fri, Sep 13, 2019 at 1:22 PM Donny Davis <<a href="mailto:donny@fortnebula.com" target="_blank">donny@fortnebula.com</a>> wrote:<br>
>>>>><br>
>>>>> Well here is the output from my rule list that is in prod right now with ipv6<br>
>>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+<br>
>>>>> | ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group |<br>
>>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+<br>
>>>>> | 9ab00b6f-2bc2-4554-818d-eff6e0570943 | None        | 0.0.0.0/0 |            | None                  |<br>
>>>>> | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa | icmp        | ::/0      |            | None                  |<br>
>>>>> | e7fd4840-5fbd-4709-b918-f80eac5cb6da | None        | ::/0      |            | None                  |<br>
>>>>> | e9968d53-7efe-4a9e-ad42-1092ffaf52e7 | None        | None      |            | None                  |<br>
>>>>> | ec1ea961-9025-4229-92cf-618026a1851b | None        | None      |            | None                  |<br>
>>>>> +--------------------------------------+-------------+-----------+------------+-----------------------+<br>
>>>>><br>
>>>>> +-------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>> | Field             | Value                                                                                                                                                                                              |<br>
>>>>> +-------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>> | created_at        | 2019-07-30T00:50:25Z                                                                                                                                                                               |<br>
>>>>> | description       |                                                                                                                                                                                                    |<br>
>>>>> | direction         | ingress                                                                                                                                                                                            |<br>
>>>>> | ether_type        | IPv6                                                                                                                                                                                               |<br>
>>>>> | id                | b6df5801-8c2c-4ba4-afe1-2cbaa2922dfa                                                                                                                                                               |<br>
>>>>> | location          | Munch({'cloud': '', 'region_name': 'regionOne', 'zone': None, 'project': Munch({'id': 'e8fd161dc34c421a979a9e6421f823e9', 'name': 'openstackzuul', 'domain_id': None, 'domain_name': 'Default'})}) |<br>
>>>>> | name              | None                                                                                                                                                                                               |<br>
>>>>> | port_range_max    | None                                                                                                                                                                                               |<br>
>>>>> | port_range_min    | None                                                                                                                                                                                               |<br>
>>>>> | project_id        | e8fd161dc34c421a979a9e6421f823e9                                                                                                                                                                   |<br>
>>>>> | protocol          | icmp                                                                                                                                                                                               |<br>
>>>>> | remote_group_id   | None                                                                                                                                                                                               |<br>
>>>>> | remote_ip_prefix  | ::/0                                                                                                                                                                                               |<br>
>>>>> | revision_number   | 0                                                                                                                                                                                                  |<br>
>>>>> | security_group_id | bcedc0e0-e2e8-41fc-aeaa-afd2e10c7ab6                                                                                                                                                               |<br>
>>>>> | tags              | []                                                                                                                                                                                                 |<br>
>>>>> | updated_at        | 2019-07-30T00:50:25Z                                                                                                                                                                               |<br>
>>>>> +-------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>>> On Fri, Sep 13, 2019 at 9:24 AM Lucio Seki <<a href="mailto:lucioseki@gmail.com" target="_blank">lucioseki@gmail.com</a>> wrote:<br>
>>>>>><br>
>>>>>> Hi Donny, following are the rules:<br>
>>>>>><br>
>>>>>> $ openstack security group list --project admin<br>
>>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+<br>
>>>>>> | ID                                   | Name    | Description            | Project                          | Tags |<br>
>>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+<br>
>>>>>> | d0136b0e-ee51-461c-afa0-c5adb88dd0dd | default | Default security group | 68e3942285a24fb5bd1aed30e166aaee | []   |<br>
>>>>>> +--------------------------------------+---------+------------------------+----------------------------------+------+<br>
>>>>>><br>
>>>>>> $ openstack security group rule list d0136b0e-ee51-461c-afa0-c5adb88dd0dd<br>
>>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+<br>
>>>>>> | ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group                |<br>
>>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+<br>
>>>>>> | 38394345-3e44-4284-a519-cdd8af020f30 | tcp         | ::/0     | 22:22      | None                                 |<br>
>>>>>> | 40881f76-c87f-4685-b3af-c3497dd44837 | None        | None     |            | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |<br>
>>>>>> | 56d4ae52-195e-48df-871e-dc70b899b7ba | None        | None     |            | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |<br>
>>>>>> | 759edd06-b698-45ca-94cd-44e0cc2cc848 | ipv6-icmp   | None     |            | None                                 |<br>
>>>>>> | 762effae-b8e5-42ac-ba99-e85a7bc42455 | tcp         | ::/0     | 22:22      | None                                 |<br>
>>>>>> | 81f3588d-4159-4af2-ad50-ff6b76add9cf | ipv6-icmp   | None     |            | None                                 |<br>
>>>>>> +--------------------------------------+-------------+----------+------------+--------------------------------------+<br>
>>>>>><br>
>>>>>> $ openstack security group rule show 759edd06-b698-45ca-94cd-44e0cc2cc848<br>
>>>>>> +-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>> | Field             | Value                                                                                                                                                                                       |<br>
>>>>>> +-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>> | created_at        | 2019-09-03T16:51:41Z                                                                                                                                                                        |<br>
>>>>>> | description       |                                                                                                                                                                                             |<br>
>>>>>> | direction         | egress                                                                                                                                                                                      |<br>
>>>>>> | ether_type        | IPv6                                                                                                                                                                                        |<br>
>>>>>> | id                | 759edd06-b698-45ca-94cd-44e0cc2cc848                                                                                                                                                        |<br>
>>>>>> | location          | Munch({'project': Munch({'domain_id': 'default', 'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name': None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |<br>
>>>>>> | name              | None                                                                                                                                                                                        |<br>
>>>>>> | port_range_max    | None                                                                                                                                                                                        |<br>
>>>>>> | port_range_min    | None                                                                                                                                                                                        |<br>
>>>>>> | project_id        | 68e3942285a24fb5bd1aed30e166aaee                                                                                                                                                            |<br>
>>>>>> | protocol          | ipv6-icmp                                                                                                                                                                                   |<br>
>>>>>> | remote_group_id   | None                                                                                                                                                                                        |<br>
>>>>>> | remote_ip_prefix  | None                                                                                                                                                                                        |<br>
>>>>>> | revision_number   | 0                                                                                                                                                                                           |<br>
>>>>>> | security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd                                                                                                                                                        |<br>
>>>>>> | tags              | []                                                                                                                                                                                          |<br>
>>>>>> | updated_at        | 2019-09-03T16:51:41Z                                                                                                                                                                        |<br>
>>>>>> +-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>><br>
>>>>>> $ openstack security group rule show 81f3588d-4159-4af2-ad50-ff6b76add9cf<br>
>>>>>> +-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>> | Field             | Value                                                                                                                                                                                       |<br>
>>>>>> +-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>> | created_at        | 2019-09-03T16:51:30Z                                                                                                                                                                        |<br>
>>>>>> | description       |                                                                                                                                                                                             |<br>
>>>>>> | direction         | ingress                                                                                                                                                                                     |<br>
>>>>>> | ether_type        | IPv6                                                                                                                                                                                        |<br>
>>>>>> | id                | 81f3588d-4159-4af2-ad50-ff6b76add9cf                                                                                                                                                        |<br>
>>>>>> | location          | Munch({'project': Munch({'domain_id': 'default', 'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name': None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |<br>
>>>>>> | name              | None                                                                                                                                                                                        |<br>
>>>>>> | port_range_max    | None                                                                                                                                                                                        |<br>
>>>>>> | port_range_min    | None                                                                                                                                                                                        |<br>
>>>>>> | project_id        | 68e3942285a24fb5bd1aed30e166aaee                                                                                                                                                            |<br>
>>>>>> | protocol          | ipv6-icmp                                                                                                                                                                                   |<br>
>>>>>> | remote_group_id   | None                                                                                                                                                                                        |<br>
>>>>>> | remote_ip_prefix  | None                                                                                                                                                                                        |<br>
>>>>>> | revision_number   | 0                                                                                                                                                                                           |<br>
>>>>>> | security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd                                                                                                                                                        |<br>
>>>>>> | tags              | []                                                                                                                                                                                          |<br>
>>>>>> | updated_at        | 2019-09-03T16:51:30Z                                                                                                                                                                        |<br>
>>>>>> +-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>><br>
>>>>>><br>
>>>>>> On Fri, Sep 13, 2019 at 10:16 AM Donny Davis <<a href="mailto:donny@fortnebula.com" target="_blank">donny@fortnebula.com</a>> wrote:<br>
>>>>>>><br>
>>>>>>> Security group rules?<br>
>>>>>>><br>
>>>>>>> Donny Davis<br>
>>>>>>> c: 805 814 6800<br>
>>>>>>><br>
>>>>>>> On Thu, Sep 12, 2019, 5:53 PM Lucio Seki <<a href="mailto:lucioseki@gmail.com" target="_blank">lucioseki@gmail.com</a>> wrote:<br>
>>>>>>>><br>
>>>>>>>> Hi folks, I'm having trouble trying to ping6 a VM running over DevStack from its hypervisor.<br>
>>>>>>>> Could you please help me troubleshoot it?<br>
>>>>>>>><br>
>>>>>>>> I deployed DevStack with NEUTRON_CREATE_INITIAL_NETWORKS=False,<br>
>>>>>>>> and manually created the networks, subnets and router. Following is my router:<br>
>>>>>>>><br>
>>>>>>>> $ openstack router show router1 -c external_gateway_info -c interfaces_info<br>
>>>>>>>> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>>>> | Field                 | Value                                                                                                                                                                                                                                                                        |<br>
>>>>>>>> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>>>> | external_gateway_info | {"network_id": "b87048ed-1be9-4f31-8d7e-fe74921aeec4", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "28a00bc3-b30b-456f-b26a-44b50d37183f", "ip_address": "10.2.0.199"}, {"subnet_id": "a9729beb-b297-4fec-8ec3-7703f7f6f4bc", "ip_address": "fd12:67:1::3c"}]} |<br>
>>>>>>>> | interfaces_info       | [{"subnet_id": "081e8508-4ceb-4aaf-bf91-36a1e22a768c", "ip_address": "fd12:67:1:1::1", "port_id": "75391abd-8ac8-41f8-acf8-3dfaf2a6b08f"}]                                                                                                                                   |<br>
>>>>>>>> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+<br>
>>>>>>>><br>
>>>>>>>> I'm trying to ping6 the following VM:<br>
>>>>>>>><br>
>>>>>>>> $ openstack server list<br>
>>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+<br>
>>>>>>>> | ID                                   | Name    | Status | Networks                                 | Image  | Flavor |<br>
>>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+<br>
>>>>>>>> | 938854d0-80e9-45b2-bc29-8fe7651ffa93 | manila1 | ACTIVE | private1=fd12:67:1:1:f816:3eff:fe0e:17c3 | manila | manila |<br>
>>>>>>>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+<br>
>>>>>>>><br>
>>>>>>>> I intend to reach it via br-ex interface of the hypervisor:<br>
>>>>>>>><br>
>>>>>>>> $ ip a show dev br-ex<br>
>>>>>>>> 9: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000<br>
>>>>>>>>     link/ether 0e:82:a1:ba:77:4c brd ff:ff:ff:ff:ff:ff<br>
>>>>>>>>     inet6 fd12:67:1::1/64 scope global<br>
>>>>>>>>        valid_lft forever preferred_lft forever<br>
>>>>>>>>     inet6 fe80::c82:a1ff:feba:774c/64 scope link<br>
>>>>>>>>        valid_lft forever preferred_lft forever<br>
>>>>>>>><br>
>>>>>>>> The hypervisor has the following routes:<br>
>>>>>>>><br>
>>>>>>>> $ ip -6 route<br>
>>>>>>>> fd12:67:1:1::/64 via fd12:67:1::3c dev br-ex metric 1024 pref medium<br>
>>>>>>>> fe80::/64 dev ens3 proto kernel metric 256 pref medium<br>
>>>>>>>> fe80::/64 dev br-ex proto kernel metric 256 pref medium<br>
>>>>>>>> fe80::/64 dev br-int proto kernel metric 256 pref medium<br>
>>>>>>>> fe80::/64 dev tapa5cf4799-9f proto kernel metric 256 pref medium<br>
>>>>>>>><br>
>>>>>>>> And the VM has the following routes:<br>
>>>>>>>><br>
>>>>>>>> root@ubuntu:~# ip -6 route<br>
>>>>>>>> root@ubuntu:~# ip -6 route<br>
>>>>>>>> fd12:67:1::/64 via fd12:67:1:1::1 dev ens3 metric 1024 pref medium<br>
>>>>>>>> fd12:67:1:1::/64 dev ens3 proto kernel metric 256 expires 86360sec pref medium<br>
>>>>>>>> fe80::/64 dev ens3 proto kernel metric 256 pref medium<br>
>>>>>>>> default via fe80::f816:3eff:feb3:bd56 dev ens3 proto ra metric 1024 expires 260sec hoplimit 64 pref medium<br>
>>>>>>>><br>
>>>>>>>> Though the ping6 from VM to hypervisor doesn't work:<br>
>>>>>>>> root@ubuntu:~# ping6 fd12:67:1::1 -c4<br>
>>>>>>>> PING fd12:67:1::1 (fd12:67:1::1): 56 data bytes<br>
>>>>>>>> --- fd12:67:1::1 ping statistics ---<br>
>>>>>>>> 4 packets transmitted, 0 packets received, 100% packet loss<br>
>>>>>>>><br>
>>>>>>>> I'm able to tcpdump inside the router1 netns and see that the request packets are passing there, but can't see any reply packets:<br>
>>>>>>>><br>
>>>>>>>> $ sudo ip netns exec qrouter-5172472c-bbe7-4907-832a-e2239c8badb4 tcpdump -l -i any icmp6<br>
>>>>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
>>>>>>>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes<br>
>>>>>>>> 21:29:29.351358 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 0, length 64<br>
>>>>>>>> 21:29:30.033316 IP6 fe80::f816:3eff:feb3:bd56 > fe80::f816:3eff:fe0e:17c3: ICMP6, neighbor solicitation, who has fe80::f816:3eff:fe0e:17c3, length 32<br>
>>>>>>>> 21:29:30.035807 IP6 fe80::f816:3eff:fe0e:17c3 > fe80::f816:3eff:feb3:bd56: ICMP6, neighbor advertisement, tgt is fe80::f816:3eff:fe0e:17c3, length 24<br>
>>>>>>>> 21:29:30.353646 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 1, length 64<br>
>>>>>>>> 21:29:31.355410 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 2, length 64<br>
>>>>>>>> 21:29:32.357239 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1: ICMP6, echo request, seq 3, length 64<br>
>>>>>>>><br>
>>>>>>>> The same happens from hypervisor to VM. I can only see the request packets, but no reply packets.<br>
>>>>>>>><br>
>>>>>>>> Thanks in advance,<br>
>>>>>>>> Lucio Seki<br>
</blockquote></div>