
IPv6 not passing through upstream on MACVLAN Debian NSPAWN container

Open zs311521 opened this issue 1 year ago • 2 comments

Describe the bug A clear and concise description of what the bug is.

To Reproduce Steps to reproduce the behavior:

Even after enabling forwarding on interfaces, following the instructions, PING -6 google.com or other sites do not work.

AA records are resolved. IPv6 works internally across clients. MACVLAN is set up.

Can we set up bridge mode instead? For pi-hole like applications. Or, is there a way to get IPv6 working - or not in MACVLAN?

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

UDM Information

  • Variant [e.g. Dream Machine, Dream Machine Pro]
  • Firmware Version: [e.g. 1.6.3, 1.7.2-rc4]
  • Controller Version [e.g 5.14.9]

Additional context Add any other context about the problem here.

zs311521 avatar Sep 27 '24 13:09 zs311521

Any update? I have the same problem: I can ping internal hosts back and forth, but cannot access the internet via IPv6. route -6 uses the configured next hop macvlan address of the UDM.

cwildfoerster avatar Nov 26 '24 10:11 cwildfoerster

Same for me.

imTHAI avatar May 17 '25 18:05 imTHAI

I suspect this issue is caused by interface autoconfiguration via SLAAC, which assigns a secondary IPv6 address based on the interface's MAC address.

1. Verifying IP Addresses in the Container

Check the IP addresses assigned to your container:

root@debian-custom:~# ip -br a
lo               UNKNOWN        127.0.0.1/8 ::1/128
mv-br5@if21      UP             10.0.5.3/24 2001:aaaa:bbbb:cccc:eeee:ffff:aaaa:bbbb/64 2001:aaaa:bbbb:cccc::3/64 fe80::aaaa:bbbb:cccc:dddd/64

The automatically configured address 2001:aaaa:bbbb:cccc:eeee:ffff:aaaa:bbbb/64 is used by default for outgoing traffic when present.

2.a Temporary Test: Remove the Address in the Container

To test without making permanent changes, remove the auto-configured address in the container:

ip addr del 2001:aaaa:bbbb:cccc:eeee:ffff:aaaa:bbbb/64 dev mv-br5

A ping6 should work immediately after this change.

2.b Alternative Solution: Add a Route on the Router

If you prefer not to change the container configuration, you can add a route for this secondary address on your router:

ip -6 route add "2001:aaaa:bbbb:cccc:eeee:ffff:aaaa:bbbb/128" dev "br5.mac"

How to Prevent Automatic SLAAC Address Assignment in an nspawn Container

Based on the original documentation: nspawn-container documentation, Step 2a

1. Configure the Container Network

Create a network configuration file in /etc/systemd/network inside your container's directory. The filename should be mv-brX.network, where X is the VLAN number (for example, mv-br5.network):

cd /data/custom/machines/debian-custom/etc/systemd/network
vim mv-br5.network

Here is an example configuration based on the default settings in 10-setup-network.sh:

[Match]
Name=mv-br5

[Network]
IPForward=yes
Address=10.0.5.3/24
Gateway=10.0.5.1
Address=2001:aaaa:bbbb:cccc::3/64
Gateway=2001:aaaa:bbbb:cccc::2
IPv6AcceptRA=yes

[IPv6AcceptRA]
UseAutonomousPrefix=no
UseDelegatedPrefix=no

AlexpFr avatar Jul 11 '25 11:07 AlexpFr
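
Added example, not part of AlexpFr's comment or the project's scripts: a shell check for the condition described in the comment above, run against `ip -6 -o addr show` output to confirm that no autoconfigured global address remains on the macvlan interface after the `.network` change. The function names and sample lines are constructed for illustration (the addresses are the placeholders used in the thread), and it assumes iproute2 marks router-advertisement-derived addresses with the `dynamic` flag.

```shell
#!/bin/sh
# Added example (not from the thread). Input: `ip -6 -o addr show` output on stdin.

# Print every global-scope address flagged "dynamic", i.e. one with a finite
# lifetime learned from a router advertisement rather than configured statically.
slaac_addrs() {
    awk '
    {
        addr = ""; global = 0; dynamic = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "inet6")                         addr = $(i + 1)
            if ($i == "scope" && $(i + 1) == "global") global = 1
            if ($i == "dynamic")                       dynamic = 1
        }
        if (addr != "" && global && dynamic) print addr
    }'
}

# Exit status 0 when no autoconfigured global address remains, 1 otherwise.
no_slaac() {
    found=$(slaac_addrs)
    if [ -z "$found" ]; then
        return 0
    fi
    # $found is deliberately unquoted: one message per address.
    printf 'autoconfigured address still present: %s\n' $found >&2
    return 1
}

# Constructed sample: interface state before the .network change.
SAMPLE_BEFORE='21: mv-br5    inet6 2001:aaaa:bbbb:cccc:eeee:ffff:aaaa:bbbb/64 scope global dynamic mngtmpaddr noprefixroute \       valid_lft 86399sec preferred_lft 14399sec
21: mv-br5    inet6 2001:aaaa:bbbb:cccc::3/64 scope global \       valid_lft forever preferred_lft forever
21: mv-br5    inet6 fe80::aaaa:bbbb:cccc:dddd/64 scope link \       valid_lft forever preferred_lft forever'

# Constructed sample: expected state once only the static address is left.
SAMPLE_AFTER='21: mv-br5    inet6 2001:aaaa:bbbb:cccc::3/64 scope global \       valid_lft forever preferred_lft forever
21: mv-br5    inet6 fe80::aaaa:bbbb:cccc:dddd/64 scope link \       valid_lft forever preferred_lft forever'

# Demo on the constructed samples. Inside the container the real input is:
#   ip -6 -o addr show dev mv-br5 | no_slaac
printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | slaac_addrs)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | slaac_addrs)"
```
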

This issue is stale because it has been open for 30 days with no activity.

bslatyer avatar Nov 23 '25 02:11 bslatyer