Linux

KVM virtual machines cannot access IPv6 websites

  • July 16, 2012

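I have a freshly installed Windows Server 2008 R2 SP1 virtual machine that is completely unable to access any IPv6 web pages, despite apparently having correct IPv6 connectivity. In addition, other Linux VMs are also unable to access IPv6 websites.

This setup previously had full IPv6 connectivity in the virtual machines, and it stopped working for no apparent reason.

All of my virtual machines are bridged to the physical Ethernet and receive advertisements from radvd on the host. IPv6 works fine on the host, which is also the IPv6 router. Wireshark shows that the host is sending back ICMPv6 Destination Unreachable (administratively prohibited) after receiving the HTTP SYN packet.

Internet Explorer reports that it cannot display the webpage, while Google Chrome just says Oops! Chrome could not connect to the webpage, with no error number.

I can even ping the local gateway and Google's IPv6 address, and do IPv6 DNS lookups.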

PS C:\Users\Administrator> ping -6 fe80::6e62:6dff:fed1:dfad

Pinging fe80::6e62:6dff:fed1:dfad with 32 bytes of data:
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms

Ping statistics for fe80::6e62:6dff:fed1:dfad:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum = 0ms, Average = 0ms

PS C:\Users\Administrator> ping -6 www.google.com

Pinging www.l.google.com [2001:4860:800a::67] with 32 bytes of data:
Reply from 2001:4860:800a::67: time=43ms
Reply from 2001:4860:800a::67: time=42ms
Reply from 2001:4860:800a::67: time=46ms
Reply from 2001:4860:800a::67: time=42ms

Ping statistics for 2001:4860:800a::67:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 42ms, Maximum = 46ms, Average = 43ms

My virtual machine is configured as follows:

PS C:\Users\Administrator> ipconfig /all

Windows IP Configuration

  Host Name . . . . . . . . . . . . : WIN-CRLO5NIQB72
  Primary Dns Suffix  . . . . . . . :
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : local

Ethernet adapter Local Area Connection 2:

  Connection-specific DNS Suffix  . : local
  Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
  Physical Address. . . . . . . . . : 52-54-00-DD-DF-3E
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : 2001:db8:1600:80bf:5054:ff:fedd:df3e(Preferred)
  Link-local IPv6 Address . . . . . : fe80::5054:ff:fedd:df3e%13(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.12.146(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Monday, July 09, 2012 1:59:42 PM
  Lease Expires . . . . . . . . . . : Tuesday, July 10, 2012 1:59:42 PM
  Default Gateway . . . . . . . . . : fe80::6e62:6dff:fed1:dfad%13
                                      192.168.12.1
  DHCP Server . . . . . . . . . . . : 192.168.12.1
  DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
                                      2001:4860:4860::8844
                                      192.168.12.1
  NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.local:

  Media State . . . . . . . . . . . : Media disconnected
  Connection-specific DNS Suffix  . : local
  Description . . . . . . . . . . . : Microsoft ISATAP Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
  Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
  DHCP Enabled. . . . . . . . . . . : No
  Autoconfiguration Enabled . . . . : Yes
  IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:10d1:317d:3f57:f36d(Preferred)
  Link-local IPv6 Address . . . . . : fe80::10d1:317d:3f57:f36d%12(Preferred)
  Default Gateway . . . . . . . . . :
  NetBIOS over Tcpip. . . . . . . . : Disabled

PS C:\Users\Administrator> netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       13  fe80::6e62:6dff:fed1:dfad
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001::/32                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  2001:0:4137:9e76:10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    8    2001:db8:1600:80bf::/64   13  Local Area Connection 2
No       Manual    256  2001:db8:1600:80bf:5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  fe80::/64                  13  Local Area Connection 2
No       Manual    256  fe80::/64                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5efe:192.168.12.146/128   11  isatap.local
No       Manual    256  fe80::10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   13  Local Area Connection 2
No       Manual    256  ff00::/8                   12  Teredo Tunneling Pseudo-Interface

PS C:\Users\Administrator> netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
       50      0  ::1/128
       40      1  ::/0
       30      2  2002::/16
       20      3  ::/96
       10      4  ::ffff:0:0/96
        5      5  2001::/32

So far, in the virtual machine I have tried:

netsh interface ipv6 set global randomizeidentifiers=disabled

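No change.

Disabling the Teredo adapter: no change. It somehow re-enables itself.

Using the Microsoft Fix-It to prefer IPv6 over IPv4: no change.

So far, on the host I have tried:

Checking the IPv6 forwarding sysctls: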

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sixxs.forwarding = 1
net.ipv6.conf.virbr0.forwarding = 1
net.ipv6.conf.virbr0-nic.forwarding = 1
net.ipv6.conf.vnet0.forwarding = 1
net.ipv6.conf.vnet1.forwarding = 1
net.ipv6.conf.vnet2.forwarding = 1

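Restarting radvd: no change.

The ICMPv6 Destination Unreachable packets helped identify the problem as a firewall issue.

Adding a rule to forward IPv6 packets on br0 fixed the problem: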

ip6tables -I FORWARD 6 -i br0 -s 2001:db8:1600:80bf::/64 -j ACCEPT

Quoted from: https://serverfault.com/questions/406141
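
Why ping succeeds while the HTTP SYN is rejected, and what the inserted rule changes, shown as an added example that is not part of the original post: a first-match walk over a FORWARD chain. The chain contents and the use of sixxs as the outbound interface are assumptions (the post does not show the ruleset); the VM address and the fix rule are taken from the post.

```python
import ipaddress
import shlex

# Constructed FORWARD chain in `ip6tables -S` form (assumed; the post does not show it).
BEFORE = [
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD -p ipv6-icmp -j ACCEPT",
    "-A FORWARD -i lo -j ACCEPT",
    "-A FORWARD -i virbr0 -j ACCEPT",
    "-A FORWARD -o virbr0 -j ACCEPT",
    "-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited",
]
# The rule from the answer, as `ip6tables -S` would list it.
FIX = "-A FORWARD -s 2001:db8:1600:80bf::/64 -i br0 -j ACCEPT"

def insert(rules, pos, rule):
    """Mimic `ip6tables -I FORWARD <pos>`: 1-based insert before rule <pos>."""
    return rules[:pos - 1] + [rule] + rules[pos - 1:]

def parse(rule):
    # Every option in this subset takes exactly one value.
    tok = shlex.split(rule)[2:]
    return dict(zip(tok[0::2], tok[1::2]))

def matches(o, pkt):
    src = ipaddress.ip_address(pkt["src"])
    return (o.get("-i", pkt["iif"]) == pkt["iif"]
            and o.get("-o", pkt["oif"]) == pkt["oif"]
            and o.get("-p", pkt["proto"]) == pkt["proto"]
            and pkt["state"] in o.get("--state", pkt["state"]).split(",")
            and src in ipaddress.ip_network(o.get("-s", "::/0")))

def verdict(rules, pkt, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for o in map(parse, rules):
        if matches(o, pkt):
            return ":".join(filter(None, [o["-j"], o.get("--reject-with")]))
    return policy

def packet(proto, src="2001:db8:1600:80bf:5054:ff:fedd:df3e", iif="br0", oif="sixxs"):
    # First packet of a flow from the VM towards the internet (state NEW).
    return {"proto": proto, "src": src, "iif": iif, "oif": oif, "state": "NEW"}

AFTER = insert(BEFORE, 6, FIX)

if __name__ == "__main__":
    for name, chain in (("before", BEFORE), ("after", AFTER)):
        print(name, "ping:", verdict(chain, packet("ipv6-icmp")),
              "| http syn:", verdict(chain, packet("tcp")))
```

In this model, new connections arriving on the uplink, and traffic from br0 with a source outside the /64, still reach the REJECT rule after the fix; only flows initiated from the prefix behind br0 are opened.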