题 KVM虚拟机无法访问IPv6网站


我有一个新安装的Windows Server 2008 R2 SP1虚拟机,尽管显然具有正确的IPv6连接,但它完全无法访问任何IPv6网页。此外,其他Linux VM也无法访问IPv6网站。

此设置以前已在虚拟机中实现完全IPv6连接,并且在没有明显原因的情况下停止工作。

我的所有虚拟机都桥接到物理以太网,并从主机上的radvd接收通知。 IPv6可在主机上正常运行,主机也是IPv6路由器。 Wireshark显示主机在收到HTTP SYN数据包后发送回ICMPv6目标无法访问(管理禁止)。

Internet Explorer报告无法显示网页,Google Chrome仅显示Oops! Chrome无法连接到网页,没有错误编号。

我甚至能够ping本地网关和Google的IPv6地址并执行IPv6 DNS查找。

PS C:\Users\Administrator> ping -6 fe80::6e62:6dff:fed1:dfad

Pinging fe80::6e62:6dff:fed1:dfad with 32 bytes of data:
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms
Reply from fe80::6e62:6dff:fed1:dfad: time<1ms

Ping statistics for fe80::6e62:6dff:fed1:dfad:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

PS C:\Users\Administrator> ping -6 www.google.com

Pinging www.l.google.com [2001:4860:800a::67] with 32 bytes of data:
Reply from 2001:4860:800a::67: time=43ms
Reply from 2001:4860:800a::67: time=42ms
Reply from 2001:4860:800a::67: time=46ms
Reply from 2001:4860:800a::67: time=42ms

Ping statistics for 2001:4860:800a::67:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 42ms, Maximum = 46ms, Average = 43ms

我的虚拟机配置如下所示:

PS C:\Users\Administrator> ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-CRLO5NIQB72
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   Physical Address. . . . . . . . . : 52-54-00-DD-DF-3E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:1600:80bf:5054:ff:fedd:df3e(Preferred)
   Link-local IPv6 Address . . . . . : fe80::5054:ff:fedd:df3e%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.12.146(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, July 09, 2012 1:59:42 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 10, 2012 1:59:42 PM
   Default Gateway . . . . . . . . . : fe80::6e62:6dff:fed1:dfad%13
                                       192.168.12.1
   DHCP Server . . . . . . . . . . . : 192.168.12.1
   DNS Servers . . . . . . . . . . . : 2001:4860:4860::8888
                                       2001:4860:4860::8844
                                       192.168.12.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.local:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:10d1:317d:3f57:f36d(Preferred)
   Link-local IPv6 Address . . . . . : fe80::10d1:317d:3f57:f36d%12(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

PS C:\Users\Administrator> netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ------------------------
No       Manual    256  ::/0                       13  fe80::6e62:6dff:fed1:dfad
No       Manual    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    8    2001::/32                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  2001:0:4137:9e76:10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    8    2001:db8:1600:80bf::/64   13  Local Area Connection 2
No       Manual    256  2001:db8:1600:80bf:5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  fe80::/64                  13  Local Area Connection 2
No       Manual    256  fe80::/64                  12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5efe:192.168.12.146/128   11  isatap.local
No       Manual    256  fe80::10d1:317d:3f57:f36d/128   12  Teredo Tunneling Pseudo-Interface
No       Manual    256  fe80::5054:ff:fedd:df3e/128   13  Local Area Connection 2
No       Manual    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       Manual    256  ff00::/8                   13  Local Area Connection 2
No       Manual    256  ff00::/8                   12  Teredo Tunneling Pseudo-Interface

PS C:\Users\Administrator> netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::1/128
        40      1  ::/0
        30      2  2002::/16
        20      3  ::/96
        10      4  ::ffff:0:0/96
         5      5  2001::/32

到目前为止我在VM中尝试过:

netsh interface ipv6 set global randomizeidentifiers=disabled

没变。

禁用Teredo适配器:无更改。它以某种方式重新启用。

运用 Microsoft Fix-It更喜欢IPv6 over IPv4: 没变。

到目前为止,我尝试过的东道主:

检查IPv6转发sysctl:

net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.br0.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.em1.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.sit0.forwarding = 1
net.ipv6.conf.sixxs.forwarding = 1
net.ipv6.conf.virbr0.forwarding = 1
net.ipv6.conf.virbr0-nic.forwarding = 1
net.ipv6.conf.vnet0.forwarding = 1
net.ipv6.conf.vnet1.forwarding = 1
net.ipv6.conf.vnet2.forwarding = 1

重启radvd:没有变化。


5
2017-07-09 18:35




您是否可以启动数据包捕获以查看它是否进行了正确的DNS查找和连接尝试? - Shane Madden♦
好决定。在wireshark中,我看到一个ICMPv6目的地无法访问(管理上被禁止)在HTTP SYN之后回来,这表明问题不在于Windows。现在我的其他虚拟机也无法再连接到IPv6站点,这证实了这一点。此时,我可以从主机Linux机箱加载IPv6网页,但不能从任何虚拟机加载,即使它们仍然可以ping通IPv6地址。 - Michael Hampton♦


答案:


ICMPv6目标不可达数据包有助于将问题识别为防火墙问题。

添加规则以在br0上转发IPv6数据包修复了该问题:

ip6tables -I FORWARD 6 -i br0 -s 2001:db8:1600:80bf::/64 -j ACCEPT

6
2017-07-09 19:22



很好,这个特殊的问题已经解决了。我对答案的第一个猜测是与MTU问题有关,这也可能困扰IPv6。 - Koos van den Hout