KVM virtual machines cannot reach IPv6 web sites
I have a freshly installed Windows Server 2008 R2 SP1 virtual machine which is completely unable to reach any IPv6 web pages, despite apparently having proper IPv6 connectivity. In addition, other Linux VMs cannot reach IPv6 web sites either.
This setup has previously worked, with full IPv6 connectivity in the virtual machines, and has stopped working without obvious reason.
All of my VMs are bridged to the physical Ethernet, and receive announcements from radvd on the host machine. IPv6 works correctly on the host machine, which is also the IPv6 router. Wireshark shows that the host machine is sending back an ICMPv6 Destination Unreachable (Administratively prohibited) after receiving the HTTP SYN packet.
Internet Explorer reports that it cannot display the web page, and Google Chrome only says Oops! Chrome could not connect to the web page, without an error number.
I am even able to ping the local gateway and Google's IPv6 addresses and do IPv6 DNS lookups.
PS C:\Users\Administrator> ping -6 fe80::6e62:6dff:fed1:dfad
Pinging fe80::6e62:6dff:fed1:dfad with 32 bytes of data:
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Ping statistics for fe80::6e62:6dff:fed1:dfad:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
PS C:\Users\Administrator> ping -6 www.google.com
Pinging www.l.google.com [2001:4860:800a::67] with 32 bytes of data:
Reply from 2001:4860:800a::67: time=43ms
Reply from 2001:4860:800a::67: time=42ms
Reply from 2001:4860:800a::67: time=46ms
Reply from 2001:4860:800a::67: time=42ms
Ping statistics for 2001:4860:800a::67:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 42ms, Maximum = 46ms, Average = 43ms
My virtual machine's configuration looks like this:
PS C:\Users\Administrator> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WIN-CRLO5NIQB72
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : local
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : local
Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
Physical Address. . . . . . . . . : 52-54-00-DD-DF-3E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:db8:1600:80bf:5054:ff:fedd:df3e(Preferred)
Link-local IPv6 Address . . . . . : fe80::5054:ff:fedd:df3e%13(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.12.146(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, July 09, 2012 1:59:42 PM
Lease Expires . . . . . . . . . . : Tuesday, July 10, 2012 1:59:42 PM
Default Gateway . . . . . . . . . : fe80::6e62:6dff:fed1:dfad%13
192.168.12.1
DHCP Server . . . . . . . . . . . : 192.168.12.1
DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
2001:4860:4860::8844
192.168.12.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.local:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : local
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:10d1:317d:3f57:f36d(Preferred)
Link-local IPv6 Address . . . . . : fe80::10d1:317d:3f57:f36d%12(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
PS C:\Users\Administrator> netsh interface ipv6 show route
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- --- ------------------------ --- ------------------------
No Manual 256 ::/0 13 fe80::6e62:6dff:fed1:dfad
No Manual 256 ::1/128 1 Loopback Pseudo-Interface 1
No Manual 8 2001::/32 12 Teredo Tunneling Pseudo-Interface
No Manual 256 2001:0:4137:9e76:10d1:317d:3f57:f36d/128 12 Teredo Tunneling Pseudo-Interface
No Manual 8 2001:db8:1600:80bf::/64 13 Local Area Connection 2
No Manual 256 2001:db8:1600:80bf:5054:ff:fedd:df3e/128 13 Local Area Connection 2
No Manual 256 fe80::/64 13 Local Area Connection 2
No Manual 256 fe80::/64 12 Teredo Tunneling Pseudo-Interface
No Manual 256 fe80::5efe:192.168.12.146/128 11 isatap.local
No Manual 256 fe80::10d1:317d:3f57:f36d/128 12 Teredo Tunneling Pseudo-Interface
No Manual 256 fe80::5054:ff:fedd:df3e/128 13 Local Area Connection 2
No Manual 256 ff00::/8 1 Loopback Pseudo-Interface 1
No Manual 256 ff00::/8 13 Local Area Connection 2
No Manual 256 ff00::/8 12 Teredo Tunneling Pseudo-Interface
PS C:\Users\Administrator> netsh interface ipv6 show prefixpolicies
Querying active state...
Precedence Label Prefix
---------- ----- --------------------------------
50 0 ::1/128
40 1 ::/0
30 2 2002::/16
20 3 ::/96
10 4 ::ffff:0:0/96
5 5 2001::/32
So far in the VM I have tried:
netsh interface ipv6 set global randomizeidentifiers=disabled
No change.
Disabling the Teredo adapter: No change. And it somehow got re-enabled.
Using the Microsoft Fix-It to prefer IPv6 over IPv4: No change.
So far on the host I have tried:
Checked for IPv6 forwarding sysctl:
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sixxs.forwarding = 1
net.ipv6.conf.virbr0.forwarding = 1
net.ipv6.conf.virbr0-nic.forwarding = 1
net.ipv6.conf.vnet0.forwarding = 1
net.ipv6.conf.vnet1.forwarding = 1
net.ipv6.conf.vnet2.forwarding = 1
Restarted radvd: No change.
Solution 1:
The ICMPv6 destination unreachable packet helped identify the problem as a firewall issue.
Adding in a rule to forward IPv6 packets on br0 fixed the issue:
ip6tables -I FORWARD 6 -i br0 -s 2001:db8:1600:80bf::/64 -j ACCEPT