KVM virtual machines cannot reach IPv6 web sites

I have a freshly installed Windows Server 2008 R2 SP1 virtual machine which is completely unable to reach any IPv6 web pages, despite apparently having proper IPv6 connectivity. In addition, other Linux VMs cannot reach IPv6 web sites either.

This setup has previously worked, with full IPv6 connectivity in the virtual machines, and has stopped working without obvious reason.

All of my VMs are bridged to the physical Ethernet, and receive announcements from radvd on the host machine. IPv6 works correctly on the host machine, which is also the IPv6 router. Wireshark shows that the host machine is sending back an ICMPv6 Destination Unreachable (Administratively prohibited) after receiving the HTTP SYN packet.

Internet Explorer reports that it cannot display the web page, and Google Chrome only says Oops! Chrome could not connect to the web page, without an error number.

I am even able to ping the local gateway and Google's IPv6 addresses and do IPv6 DNS lookups.

PS C:\Users\Administrator> ping -6 fe80::6e62:6dff:fed1:dfad

Pinging fe80::6e62:6dff:fed1:dfad with 32 bytes of data:
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms

Ping statistics for fe80::6e62:6dff:fed1:dfad:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PS C:\Users\Administrator> ping -6 www.google.com

Pinging www.l.google.com [2001:4860:800a::67] with 32 bytes of data:
Reply from 2001:4860:800a::67: time=43ms
Reply from 2001:4860:800a::67: time=42ms
Reply from 2001:4860:800a::67: time=46ms
Reply from 2001:4860:800a::67: time=42ms

Ping statistics for 2001:4860:800a::67:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 42ms, Maximum = 46ms, Average = 43ms

My virtual machine's configuration looks like this:

PS C:\Users\Administrator> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-CRLO5NIQB72
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   Physical Address. . . . . . . . . : 52-54-00-DD-DF-3E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:1600:80bf:5054:ff:fedd:df3e(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5054:ff:fedd:df3e%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.12.146(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, July 09, 2012 1:59:42 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 10, 2012 1:59:42 PM
   Default Gateway . . . . . . . . . : fe80::6e62:6dff:fed1:dfad%13
                                       192.168.12.1
   DHCP Server . . . . . . . . . . . : 192.168.12.1
   DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
                                       2001:4860:4860::8844
                                       192.168.12.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:10d1:317d:3f57:f36d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::10d1:317d:3f57:f36d%12(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

PS C:\Users\Administrator> netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       13  fe80::6e62:6dff:fed1:dfad
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001::/32                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  2001:0:4137:9e76:10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    8    2001:db8:1600:80bf::/64   13  Local Area Connection 2
No       Manual    256  2001:db8:1600:80bf:5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  fe80::/64                  13  Local Area Connection 2
No       Manual    256  fe80::/64                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5efe:192.168.12.146/128   11  isatap.local
No       Manual    256  fe80::10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   13  Local Area Connection 2
No       Manual    256  ff00::/8                   12  Teredo Tunneling Pseudo-Interface

PS C:\Users\Administrator> netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32

So far in the VM I have tried:

netsh interface ipv6 set global randomizeidentifiers=disabled

No change.

Disabling the Teredo adapter: No change. And it somehow got re-enabled.

Using the Microsoft Fix-It to prefer IPv6 over IPv4: No change.

So far on the host I have tried:

Checked for IPv6 forwarding sysctl:

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sixxs.forwarding = 1
net.ipv6.conf.virbr0.forwarding = 1
net.ipv6.conf.virbr0-nic.forwarding = 1
net.ipv6.conf.vnet0.forwarding = 1
net.ipv6.conf.vnet1.forwarding = 1
net.ipv6.conf.vnet2.forwarding = 1

Restarted radvd: No change.


Solution 1:

The ICMPv6 destination unreachable packet helped identify the problem as a firewall issue.

Adding in a rule to forward IPv6 packets on br0 fixed the issue:

ip6tables -I FORWARD 6 -i br0 -s 2001:db8:1600:80bf::/64 -j ACCEPT