
System: CentOS 6.5

Network: Bridge on br0

IPv6: ISP Native /64 block.

IPv4: ISP address (not internal LAN)

Purpose: To assign IPv6 only to guests (manually); I don't want an IPv4 address to be assigned to the guest OS.


On Host:

/etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1 
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.forwarding = 1

brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.e840f2ecdfed       no              eth0
                                                        vnet0
virbr0          8000.52540051ef3c       yes             virbr0-nic

ifconfig:

br0       Link encap:Ethernet  HWaddr E8:40:F2:EC:DF:ED  
      inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.255  Mask:255.255.255.0
      inet6 addr: 2607:beef:be:beef::1/64 Scope:Global
      inet6 addr: fe80::ea40:f2ff:feec:dfed/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:365707 errors:0 dropped:0 overruns:0 frame:0
      TX packets:470458 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0 
      RX bytes:28867567 (27.5 MiB)  TX bytes:574512176 (547.8 MiB)

eth0      Link encap:Ethernet  HWaddr E8:40:F2:EC:DF:ED  
      inet6 addr: fe80::ea40:f2ff:feec:dfed/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:392675 errors:0 dropped:0 overruns:0 frame:0
      TX packets:608319 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:46359514 (44.2 MiB)  TX bytes:586262036 (559.1 MiB)
      Interrupt:20 Memory:fe500000-fe520000 

/etc/sysconfig/network-scripts/ifcfg-br0:

DEVICE=br0
BOOTPROTO=static
IPADDR=xxx.xxx.xxx.xxx
NETMASK=255.255.255.0
ONBOOT=yes
GATEWAY=xxx.xxx.xxx.xxx
IPV6INIT=yes
IPV6_AUTOCONF=no
IPV6ADDR=2607:beef:be:beef::1/64
TYPE=Bridge
DELAY=0

cat /etc/sysconfig/network-scripts/route6-br0

2607:beef:be:bff:ff:ff:ff:ff dev br0
default via 2607:beef:be:bff:ff:ff:ff:ff

route -A inet6 -n

Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
2607:beef:be:beef::/64                       ::                                      U     256    0        0 br0     
2607:beef:be:bff:ff:ff:ff:ff/128            ::                                      U     1024   1        0 br0     
fe80::/64                                   ::                                      U     256    0        0 virbr0  
fe80::/64                                   ::                                      U     256    0        0 vnet0   
fe80::/64                                   ::                                      U     256    0        0 br0     
fe80::/64                                   ::                                      U     256    0        0 eth0    
::/0                                        2607:beef:be:bff:ff:ff:ff:ff            UG    1024   20281       4 br0     
::1/128                                     ::                                      U     0      1        1 lo      
2607:beef:be:beef::/128                      ::                                      U     0      0        1 lo      
2607:beef:be:beef::1/128                     ::                                      U     0      36128       1 lo     
...

ip6tables -S:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p ipv6-icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8888 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited 
-A FORWARD -s 2607:beef:be:beef::/64 -i br0 -j ACCEPT 

On Guest:

OS: CentOS 6.5 minimal

Network: Manual

cat /etc/sysconfig/network-scripts/ifcfg-eth0:

ONBOOT=yes
NM_CONTROLLED=no
IPV6INIT=yes
IPV6ADDR=2607:beef:be:beef::2/64
IPV6_DEFAULTGW=2607:beef:be:beef::1 (The host's ipv6 address)

Behaviour:

On the host, I can ping the guest's IPv6 address, and vice versa.

I cannot ping any other IPv6 address from the guest, including Google DNS 2001:4860:4860::8888/8844. (Timed out)

I cannot ping the guest from any non-assigned ISP IPv6 address. (Timed out)

ping6 from the host to outside is OK.


Update:

  1. If I change the guest's gateway to 2607:beef:be:bff:ff:ff:ff:ff (the host's gateway), the guest complains "no route to host". Even when I added the static route info (route6-eth0) to the guest, it still won't connect.

Could anyone help me figure out what is going on please? Thanks.

hlx98007
2 Answers


So with the notice from Mark, I will answer my own question.

Host setup:

Assign the IPv6 sub-block to your virtual bridge. In my example:

Add

<ip family='ipv6' address='2607:beef:be:beef:1::' prefix='96'/>

to /etc/libvirt/qemu/networks/default.xml, then use virsh destroy and rebuild the virbr0 device; in my case it generated a virbr1 device.

Add ip6tables rule:

ip6tables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

ip6tables -A FORWARD -i br0 -j ACCEPT

On the VM side:

Add the selected IPv6 Address to your configuration file:

IPV6INIT=yes
IPV6ADDR=2607:beef:be:beef:1::253:8/128

Restart your VM's network interface; it just works.

I guess that this is because the VM connects to the outside world via the virbr1 interface on the host. The gateway on the host is br0. With the ip6tables rules it all sorts itself out.

I've compiled a step-by-step guide on my blog: https://luxing.im/adding-ipv6-support-for-kvm-vms/

hlx98007
  • Not sure if something changed but this doesn't work for me and I literally copied/pasted your stuff. Answers are usually more useful if you include text that explains why the steps are supposed to work so the reader can revise them in such a case. As it stands, I'm not sure why we're adding firewall rules, the only rejects that appear in my FORWARD chain have packet counts of zero. – Bratchley Feb 19 '20 at 03:01

Your gateway is wrong in your guest.

Since you bridged your network connection, it is as if the VM is on the same subnet (LAN) as the host. Thus it needs to use the same gateway address as the host.

Michael Hampton
  • I tried this before, it gives me "[ipv6_add_route]" 'No route to host' " error. – hlx98007 Dec 27 '13 at 14:05
  • Then how did you get it to work on the host? Also it doesn't help that you obfuscated all of your addresses. – Michael Hampton Dec 27 '13 at 18:31
  • I think the Hosting ISP has a MAC whitelist which controls what is allowed and what's not. That's all I can guess now. Sorry for the obfuscated IPs. I am looking for another way to achieve the same purpose, possibly using virbr0 NAT. I will open another topic if problems occur. I will use true ipv6 address in my next questions. – hlx98007 Dec 27 '13 at 21:23
  • You should name them, too. – Michael Hampton Dec 27 '13 at 21:32