<div dir="ltr"><div><div><div><div>Thank you Tomas and Brian! <br><br>Here they are (just replace my ipv6 prefix with 2001:DB8). But, I think the problem is with firewall rules (see below).<br><br>root@dataexp-network:/# ip netns exec qrouter-eb42f197-8969-4744-<wbr>b226-49653ed2bf48 ifconfig<br>lo Link encap:Local Loopback <br> inet addr:127.0.0.1 Mask:255.0.0.0<br> inet6 addr: ::1/128 Scope:Host<br> UP LOOPBACK RUNNING MTU:65536 Metric:1<br> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1 <br> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br><br><b>qg-69fbbe1a-ee</b> Link encap:Ethernet HWaddr fa:16:3e:d5:c5:f8 <br> inet addr:<IPV4 Address> Bcast:<IPV4 Address> Mask:255.255.255.192<br> inet6 addr: <b>fe80::f816:3eff:fed5:c5f8</b>/64 Scope:Link<br> inet6 addr: fe80::f816:3eff:fe47:364/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> RX packets:673930 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:69034 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1 <br> RX bytes:45132120 (45.1 MB) TX bytes:7887310 (7.8 MB)<br><br><b>qr-1ee33f03-23 </b>Link encap:Ethernet HWaddr fa:16:3e:47:03:64 <br> inet6 addr: 2001:DB8:1400:c539::1/64 Scope:Global<br> inet6 addr: fe80::f816:3eff:fe47:364/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> RX packets:99 errors:0 dropped:2 overruns:0 frame:0<br> TX packets:350 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1 <br> RX bytes:9416 (9.4 KB) TX bytes:40556 (40.5 KB)<br><br>qr-9f742219-78 Link encap:Ethernet HWaddr fa:16:3e:6a:5e:b3 <br> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0<br> inet6 addr: fe80::f816:3eff:fe6a:5eb3/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> RX packets:7567 errors:0 dropped:2 overruns:0 frame:0<br> TX packets:2481 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1 <br> RX 
bytes:808083 (808.0 KB) TX bytes:243573 (243.5 KB)<br><br>root@dataexp-network:/# ip netns exec qrouter-eb42f197-8969-4744-<wbr>b226-49653ed2bf48 ip -6 route show<br><b>2001:DB8:1400:c539::/64 dev qr-1ee33f03-23</b> proto kernel metric 256 pref medium<br>fe80::/64 dev qg-69fbbe1a-ee proto kernel metric 256 pref medium<br>fe80::/64 dev qr-9f742219-78 proto kernel metric 256 pref medium<br>fe80::/64 dev qr-1ee33f03-23 proto kernel metric 256 pref medium<br><b>default via fe80::215:17ff:fea0:211d</b> dev qg-69fbbe1a-ee metric 1024 pref medium<br><br>fe80::215:17ff:fea0:211d is my firewall/router and this route was learned via RA. <br><br>At this moment my firewall/router has one route to 2001:DB8:1400::1/52 via fe80::f816:3eff:fed5:c5f8 (the path is firewall/router -> br-ex -> br-int -> qg-69fbbe1a-ee). The packets go up to qg-69fbbe1a-ee. <br><br></div>I think these settings are ok!<br><br>---------------<br><br></div>Now, I found something with iptables. See the rules in qrouter namespace:<br><br>root@dataexp-network:~# ip netns exec qrouter-eb42f197-8969-4744-<wbr>b226-49653ed2bf48 ip6tables -L -n -v<br>Chain INPUT (policy ACCEPT 26 packets, 3263 bytes)<br> pkts bytes target prot opt in out source destination <br> 26 3263 neutron-l3-agent-INPUT all * * ::/0 ::/0 <br><br><b>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)</b><br> pkts bytes target prot opt in out source destination <br> 78 4368 neutron-filter-top all * * ::/0 ::/0 <br><b> 78 4368 neutron-l3-agent-FORWARD all * * ::/0 ::/0 </b><br><br>Chain OUTPUT (policy ACCEPT 16 packets, 1367 bytes)<br> pkts bytes target prot opt in out source destination <br> 16 1367 neutron-filter-top all * * ::/0 ::/0 <br> 16 1367 neutron-l3-agent-OUTPUT all * * ::/0 ::/0 <br><br>Chain neutron-filter-top (2 references)<br> pkts bytes target prot opt in out source destination <br> 94 5735 neutron-l3-agent-local all * * ::/0 ::/0 <br><br><b>Chain neutron-l3-agent-FORWARD (1 references)</b><br> pkts bytes target prot opt in out 
source destination <br> 78 4368 <b>neutron-l3-agent-scope</b> all * * ::/0 ::/0 <br><br>Chain neutron-l3-agent-INPUT (1 references)<br> pkts bytes target prot opt in out source destination <br><br>Chain neutron-l3-agent-OUTPUT (1 references)<br> pkts bytes target prot opt in out source destination <br><br>Chain neutron-l3-agent-local (1 references)<br> pkts bytes target prot opt in out source destination <br><br><b>Chain neutron-l3-agent-scope (1 references)</b><br> pkts bytes target prot opt in out source destination <br> 78 4368 <b>DROP</b> all * qr-1ee33f03-23 ::/0 ::/0 mark match ! 0x4000000/0xffff0000<br><br></div>Packets pass in chain FORWARD -> neutron-filter-top -> neutron-l3-agent-local -> back to FORWARD -> neutron-l3-agent-FORWARD -> neutron-l3-agent-scope -> DROP. <br><br></div>My security group is:<br><br>Direction Ether Type IP Protocol Port Range Remote IP Prefix Remote Security Group Actions<br>Egress IPv6 Any Any ::/0 - <br>Ingress IPv6 Any Any - default <br>Egress IPv4 Any Any <a href="http://0.0.0.0/0">0.0.0.0/0</a> - <br>Ingress IPv4 Any Any - default <br>Ingress IPv6 ICMP Any ::/0 - <br>Ingress IPv4 TCP 22 (SSH) <a href="http://0.0.0.0/0">0.0.0.0/0</a> -<br><div><div><br></div><div>IPv4 rules are very similar but work. IPv6 is blocking for some reason. <br><br></div><div>I've noted that if I keep a ping and restart the services on network node, 1 icmp echo reply passes, maybe during the time when iptables is being reconfigured. <br><br></div><div>So, I don't know why it is dropping when using IPv6. <br></div><div><br>> That external router is giving you the prefix via PD, right? I would
have thought it would have added a route for your /64 when it did that.<br><br></div><div>No, I've tried to do this form but I decided to implement a scenario like described in documentation (the first attempt to use one external PD server didn't work). So, I'm using Dibbler running on network node because the default neutron driver is the dibbler driver. <br><br>This is not working as the documentation says, because dibbler should run a script to create one route (for the delegated prefix) and this route is not created. But, as I said, the static route makes the packets arrive on qg interface. So, the next step would be either to try an external PD server or to fix this problem with dibbler script. <br><br></div><div>Tks.<br></div><div><div><div><br></div></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">- JLC</div></div></div>
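<div>The ip6tables listing in the reply above shows the forwarded packets ending in the neutron-l3-agent-scope chain. The script below is an added example for this thread, not Neutron code and not anything posted by the participants: it parses <code>ip6tables -L -n -v</code> output, lists every DROP or REJECT rule whose packet counter is non-zero, and reconstructs the jump path from the built-in chain that reaches it. The sample dump embedded in the script is constructed from the listing quoted above (same chain names, interfaces and counters). Run it against <code>ip netns exec &lt;qrouter&gt; ip6tables -L -n -v</code> output to confirm which chain is eating packets before changing routes or security groups.</div>

```python
"""Added example (not Neutron code, not from this thread): locate the
ip6tables rule that is actually dropping forwarded packets in a qrouter
namespace and show the jump path that reaches it."""
import re

# Constructed sample: the filter table quoted earlier in this thread,
# blank separator lines omitted (the parser ignores them anyway).
SAMPLE_DUMP = """\
Chain INPUT (policy ACCEPT 26 packets, 3263 bytes)
 pkts bytes target     prot opt in     out     source               destination
   26  3263 neutron-l3-agent-INPUT  all      *      *       ::/0                 ::/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   78  4368 neutron-filter-top  all      *      *       ::/0                 ::/0
   78  4368 neutron-l3-agent-FORWARD  all      *      *       ::/0                 ::/0
Chain OUTPUT (policy ACCEPT 16 packets, 1367 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1367 neutron-filter-top  all      *      *       ::/0                 ::/0
   16  1367 neutron-l3-agent-OUTPUT  all      *      *       ::/0                 ::/0
Chain neutron-filter-top (2 references)
 pkts bytes target     prot opt in     out     source               destination
   94  5735 neutron-l3-agent-local  all      *      *       ::/0                 ::/0
Chain neutron-l3-agent-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   78  4368 neutron-l3-agent-scope  all      *      *       ::/0                 ::/0
Chain neutron-l3-agent-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain neutron-l3-agent-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain neutron-l3-agent-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain neutron-l3-agent-scope (1 references)
 pkts bytes target     prot opt in     out     source               destination
   78  4368 DROP       all      *      qr-1ee33f03-23  ::/0                 ::/0                 mark match ! 0x4000000/0xffff0000
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_ip6tables(text):
    """Return {chain name: [rule dict, ...]} in listing order."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("pkts bytes"):
            continue
        fields = line.split()
        # ip6tables leaves the "opt" column blank, so a rule splits into
        # pkts bytes target prot in out source destination [match text].
        # Tolerate a populated opt column ("--", "-f", "!f") by dropping it.
        if len(fields) > 4 and fields[4] in ("--", "-f", "!f"):
            del fields[4]
        if len(fields) < 8:
            continue
        chains[current].append({
            "pkts": int(fields[0]), "target": fields[2], "prot": fields[3],
            "in": fields[4], "out": fields[5], "src": fields[6],
            "dst": fields[7], "extra": " ".join(fields[8:]),
        })
    return chains


def find_active_drops(chains):
    """Terminal DROP/REJECT rules whose packet counter is non-zero."""
    return [{"chain": name, **r} for name, rules in chains.items()
            for r in rules if r["target"] in ("DROP", "REJECT") and r["pkts"] > 0]


def trace_jumps(chains, start, goal):
    """Depth-first walk over user-chain jumps; first path from start to goal."""
    def walk(chain, path):
        if chain == goal:
            return path
        for r in chains.get(chain, []):
            nxt = r["target"]
            if nxt in chains and nxt not in path:
                found = walk(nxt, path + [nxt])
                if found:
                    return found
        return None
    return walk(start, [start])


def report(text, built_in=("INPUT", "FORWARD", "OUTPUT")):
    """One line per active drop, prefixed with the jump path that reaches it."""
    chains = parse_ip6tables(text)
    lines = []
    for hit in find_active_drops(chains):
        for root in built_in:
            path = trace_jumps(chains, root, hit["chain"])
            if path:
                lines.append("%s -> %s: %d pkts dropped, out=%s, match=%s" % (
                    " -> ".join(path), hit["target"], hit["pkts"], hit["out"], hit["extra"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP):
        print(line)
```

<div>On the sample dump this prints a single line naming the path FORWARD -> neutron-l3-agent-FORWARD -> neutron-l3-agent-scope -> DROP with the 78 dropped packets, the outgoing interface qr-1ee33f03-23 and the <code>mark match ! 0x4000000/0xffff0000</code> condition, which is the same conclusion reached by hand in the reply above. Counters only tell you which rule fired; to see the rule text with its fwmark conditions in full, the same namespace can be listed with <code>ip6tables -S</code>.</div>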
<br><div class="gmail_quote">On Tue, Aug 30, 2016 at 11:44 AM, Tomáš Vondra <span dir="ltr"><<a href="mailto:vondra@homeatcloud.cz" target="_blank">vondra@homeatcloud.cz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="CS"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi!<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">To debug this</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">, it would be nice to see the interfaces configured on your Virtual Router and its routing table.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Tomas<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Jorge Luiz Correa [mailto:<a href="mailto:correajl@gmail.com" target="_blank">correajl@gmail.com</a>] <br><b>Sent:</b> Tuesday, August 30, 2016 3:55 PM<br><b>To:</b> <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br><b>Subject:</b> [Openstack] Help with ipv6 route configuration and problem to traverse virtual router.<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Hi! I need some help to understand and configure my network node to provide network access using a dual stack configuration. I've a scenario with one controller, one network node and a lot of compute nodes. 
The version is Mitaka on Ubuntu 16.04 LTS, Kernel 4.4.0-36.<br><br>The IPv4 is working fine. Instances can get IPv4 inside tenant networks, I can configure floating IPs, access external hosts etc. <br><br>The IPv6 has some features working, but I still didn't get the traffic to pass between the internal and the external networks.<br><br>I'm using prefix delegation with dibbler as described here:<br><br><a href="http://docs.openstack.org/mitaka/networking-guide/config-ipv6.html" target="_blank">http://docs.openstack.org/<wbr>mitaka/networking-guide/<wbr>config-ipv6.html</a><br><br>I can create IPv6 tenant subnets, they can get a prefix from dibbler and instances on these subnets can configure IPv6 normally. <br><br>I've a default security group with rules passing any IPv4 and IPv6 traffic and any ICMP. <br><br>The problem is that the packets from and to instances don't pass through the virtual router. The virtual router has one external interface named qg- (connected to br-int -> br-ex) and one internal interface named qr- connected to tenant network (br-int -> int-br-vlan). When testing connectivity I can see packets (with tcpdump) on my external router/firewall and on qg- interface. For example, when I try to ping my external router/firewall from an instance, echo requests pass to the external network (through the virtual router) but the echo reply dies on the virtual router (last seen on qg-). 
<br><br>## echo request:<br><br>Instance A<br>|<br>|<br>v<br>br-int<br>|<br>|<br>v <br>qr- interface<br> VIRTUAL ROUTER <br>qg- interface<br>|<br>|<br>v<br>br-int<br>|<br>|<br>v<br>br-ex<br>|<br>|<br>v<br>Router/Firewall (I can see here with tcpdump)<br><br><br>## echo reply:<br><br>Instance A<br>x<br>x<br>x <br>qr- interface (I CAN'T SEE HERE, LOST)<br> VIRTUAL ROUTER <br>qg- interface (I can see here with tcpdump)<br>^<br>|<br>|<br>br-int (ovs bridge, can't do tcpdump, but ok)<br>^<br>|<br>|<br>br-ex (I can see here with tcpdump)<br>^<br>|<br>|<br>Router/Firewall<br><br>Question 1) Where can I start to debug this problem? <br><br>I'm thinking that it can be something with ipv6 packet forwarding (configurable with sysctl). Using 'ip6tables -v' I can't see drops. <br><br>Chain neutron-openvswi-sg-fallback (0 references)<br> pkts bytes target prot opt in out source destination <br> 0 0 DROP all * * ::/0 ::/0 /* Default drop rule for unmatched traffic. */<br><br>Another thing I would like to understand is how I should configure my router/firewall to send IPv6 packets to the Openstack network node. For example, if I have the network 2001:DB8::/52 to use on Openstack. Each project will get a 2001:DB8::/64 range from prefix delegation. When one project gets its prefix, the virtual router knows how to send traffic to the external world because my router/firewall sends RA. But, on my router/firewall I need to configure a route to 2001:DB8::/52. To do this, I need to inform one next-hop. I'm using the LLA (fe80::...) of br-ex as next-hop. So, all traffic destined to any network inside 2001:DB8::/52 will be sent to br-ex (that is on the network node). This configuration seems to work because packets arrive on the virtual router as described above. <br><br>Question 2) Is this the right way? 
<br><br>Thanks for any help!<br><br clear="all"><u></u><u></u></p><div><div><div><p class="MsoNormal">- JLC<u></u><u></u></p></div></div></div></div></div></div></div></div></blockquote></div><br></div>