Today, I had a strange issue with IPv6 on my Proxmox VE based Hypervisors. I configured IPv6 for a customer by using a transfer subnet between our gateway router and the virtuel firewall. Additionally, I’ve routed a /56 subnet to be used by the customer onto the firewall and added a few /64s onto the internal interfaces of the customer. Once I configured static addresses on the servers running behind the firewall, they were able to reach the IPv6 internet without any issues.
A few hours later, my monitoring reported the servers as being offline, whilst the firewall was still reachable via IPv6. I did some checks on the systems to ensure the configuration is still present, as it’s windows servers running behind the firewall, but everything was still as I left it. Interestingly, it seemed that only Global Unicast IPv6 where not working while connections via the Link-Local addresses were still working fine. I checked the firewall and did not find any issues either.
That’s when I started to run some tcpdumps. The incoming interfaces from the virtual machines showed the ICMP neighbor solicitation requests correctly and the same goes for the virtual bridge connecting the virtual machines. But I couldn’t see the requests on the outgoing inteface to the firewall. While digging deeper into the issue, I stumbled over a post in the Proxmox forum showing the exact same issue. Once multicast snooping is disabled on the bridge, the traffic flows correctly through the virtual network and into the IPv6 world.
This post is primarily intend to remind my future me of the solution to the issue…