IPv6 subnet inbound routing to instance containers


I need to provide public IPv6 addresses to containers within an instance. I have IPv6 connectivity set up correctly to the instance and mostly within the instance, but the AWS routing table I have doesn't appear to be working for inbound traffic. Here's a brief description of my configuration and the problem:

AWS assigned CIDR: blah:a400::/56
Subnet1: blah:a400::/64
Subnet2: blah:a401::/64
Instance eni IPv6 address: blah:a400::a

Main Route Table:
::/0 igw
blah:a400::/56 local (cannot remove)
blah:a401::/64 eni-for-instance

Instance host external interface ens5:
inet6 blah:a400::a/128 scope global dynamic noprefixroute (autoconfigured by dhcp6?)
inet6 fe80::88:7bff:fe22:587f/64 scope link

Instance host internal interface lxdbr0:
inet6 blah:a401::1/64 scope global

Instance host routing table:
blah:a400::/64 dev ens5 proto ra metric 100 hoplimit 255 pref medium
blah:a401::/64 dev lxdbr0 proto kernel metric 256 pref medium
default via fe80::d3:52ff:feda:e453 dev ens5 proto ra metric 100 expires 1790sec hoplimit 255 pref medium

Instance container interface on lxdbr0:
inet6 blah:a401::a/64 scope global

Instance container routing table:
blah:a401::/64 dev eth0 proto kernel metric 256 pref medium
default via blah:a401::1 dev eth0 metric 1024 onlink pref medium

I can ping6 from the container out to Google's DNS server and the ICMP6 packets appear to leave the instance (tcpdump), but there is no reply.
Traceroutes from the internet to blah:a401::1 and blah:a401::a (lxdbr0) are NOT reachable, but crucially do not appear to hit blah:a400::a (ens5).
I can ping6 from the instance host out to Google's DNS server and I get a reply.
Traceroute from the internet to blah:a400::a (ens5) is reachable.

I have tried an IGW edge association, with a routing table without the default routes, but no joy.
Yes IPv6 forwarding is enabled on the instance host.
Yes ICMP6 is enabled in the AWS and instance firewalls.

Primary problem: So the main problem is the Main Route Table line [blah:a401::/64 eni-for-instance] is not working

Secondary: I'm also puzzled why the Instance host external interface ens5 IPv6 address has a /128 netmask instead of /64 since that's what I would expect looking at the RA and routing table. This is because I would prefer to use the public addresses of the instance and AWS router (::1) in the default route, but I guess that's just how AWS simplify their routing.

racitup
asked 8 days ago
1 Answer

Accepted Answer

Okay, having slept on this I managed to fix it.
My mistake was trying to assign two separate AWS subnets with IPv6 /64 CIDRs to the same VPC and then route one to the other. Instead you just subnet a /64 further into a /80 on the instance itself, and add the /80 as a network interface IPv6 prefix, which causes traffic to be routed to the instance.

There's not a great deal you have to do in the VPC other than assign an AWS /56 IPv6 CIDR.
Then in the VPC subnet you can decrease this to a /64 if you want. That's it, you don't have to mess with the Route Table. I would prefer to see the network interface IPs being added to the routing table, because that is what is happening in the background.

So I ended up with:

AWS Instance Network Interface:
IPv6 address: blah:a400::a
IPv6 prefix: blah:a400:1::/80

Instance host external interface ens5:
inet6 blah:a400::a/128 scope global dynamic noprefixroute
inet6 fe80::88:7bff:fe22:587f/64 scope link

Instance host internal interface lxdbr0:
inet6 blah:a400:1::1/80 scope global

Instance host routing table:
blah:a400::/64 dev ens5 proto ra metric 100 hoplimit 255 pref medium
blah:a400:1::/80 dev lxdbr0 proto kernel metric 256 pref medium
default via fe80::d3:52ff:feda:e453 dev ens5 proto ra metric 100 expires 1790sec hoplimit 255 pref medium

Instance container interface on lxdbr0:
inet6 blah:a400:1::a/80 scope global

Instance container routing table:
blah:a400:1::/80 dev eth0 proto kernel metric 256 pref medium
default via blah:a400:1::1 dev eth0 metric 1024 onlink pref medium

Then you can add another /80 IPv6 prefix to the same instance/network interface if for example you needed to use docker and lxc on the same instance:
blah:a400:2::/80

racitup
answered 7 days ago
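The address plan the accepted answer ends up with, worked through as an added example (this is not the poster's code or anything from AWS): carve the instance's /64 into /80 blocks, skip the block that holds the ENI's own address (which is why the answer uses blah:a400:1::/80 rather than blah:a400::/80), give each container bridge one /80 with ::1 as gateway, sanity-check the plan against the VPC CIDR, and render the AWS CLI and host commands that apply it. Assumptions not taken from the page: the documentation prefix 2001:db8:1:a400::/56 stands in for blah:a400::/56, the ENI id and the bridge names (lxdbr0, docker0) are placeholders, and the `aws ec2 assign-ipv6-addresses --ipv6-prefixes`, `ip -6 addr add` and `sysctl` commands are only returned as strings, never executed.

```python
"""Carve an AWS-delegated IPv6 /64 into /80 prefixes for container bridges.

Added example, not code from the original post. Sample values are
constructed: 2001:db8:1:a400::/56 stands in for the post's blah:a400::/56,
the ENI id is a placeholder, and all commands are rendered as strings only.
"""
from ipaddress import IPv6Address, IPv6Network

VPC_CIDR = IPv6Network("2001:db8:1:a400::/56")  # stands in for blah:a400::/56
SUBNET = IPv6Network("2001:db8:1:a400::/64")    # stands in for blah:a400::/64
ENI_ADDR = IPv6Address("2001:db8:1:a400::a")    # stands in for blah:a400::a
ENI_ID = "eni-0123456789abcdef0"                 # placeholder, not a real ENI
BRIDGES = ["lxdbr0", "docker0"]                  # one /80 per container bridge


def delegated_prefixes(subnet, count, eni_addr=ENI_ADDR, prefixlen=80):
    """Take `count` /prefixlen blocks out of `subnet`, skipping the block that
    contains the ENI's own address so container ranges never overlap the host."""
    chosen = []
    for block in subnet.subnets(new_prefix=prefixlen):
        if eni_addr in block:
            continue  # blah:a400::/80 holds blah:a400::a; leave it to the host
        chosen.append(block)
        if len(chosen) == count:
            return chosen
    raise ValueError(f"{subnet} has fewer than {count} free /{prefixlen} blocks")


def bridge_plan(prefix, bridge):
    """Per-bridge addressing in the shape the answer uses: ::1 is the bridge
    address (the containers' default gateway), ::a is the first container."""
    prefix = IPv6Network(str(prefix))
    return {
        "bridge": bridge,
        "prefix": prefix,
        "gateway": prefix[1],
        "first_container": prefix[0xA],
    }


def check_plan(vpc, subnet, eni_addr, plans):
    """Reject plans the VPC could never route or that would clash on the host."""
    if not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet} is outside the VPC CIDR {vpc}")
    if eni_addr not in subnet:
        raise ValueError(f"ENI address {eni_addr} is not in {subnet}")
    for plan in plans:
        p = plan["prefix"]
        if not p.subnet_of(subnet):
            # This is the original mistake: a block from another /64 cannot be
            # delegated from an ENI that lives in this subnet.
            raise ValueError(f"{p} is outside {subnet}; cannot delegate it here")
        if eni_addr in p:
            raise ValueError(f"{p} overlaps the ENI's own address {eni_addr}")
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            if a["prefix"].overlaps(b["prefix"]):
                raise ValueError(f"{a['prefix']} overlaps {b['prefix']}")
    return True


def render_commands(eni_id, plans):
    """Commands that apply the plan, returned as strings and not executed.
    The AWS call attaches the /80s to the ENI; the host lines enable
    forwarding and put the gateway address on each bridge."""
    prefixes = " ".join(str(p["prefix"]) for p in plans)
    cmds = [
        f"aws ec2 assign-ipv6-addresses --network-interface-id {eni_id} "
        f"--ipv6-prefixes {prefixes}",
        "sysctl -w net.ipv6.conf.all.forwarding=1",
    ]
    for p in plans:
        cmds.append(
            f"ip -6 addr add {p['gateway']}/{p['prefix'].prefixlen} dev {p['bridge']}"
        )
    return cmds


def build_plan(vpc=VPC_CIDR, subnet=SUBNET, eni_addr=ENI_ADDR, bridges=BRIDGES):
    """Allocate one /80 per bridge from the ENI's own /64 and validate it."""
    prefixes = delegated_prefixes(subnet, len(bridges), eni_addr)
    plans = [bridge_plan(p, b) for p, b in zip(prefixes, bridges)]
    check_plan(vpc, subnet, eni_addr, plans)
    return plans


if __name__ == "__main__":
    for cmd in render_commands(ENI_ID, build_plan()):
        print(cmd)
```

Once a /80 is delegated to the ENI, every address in it is reachable from the internet as far as the VPC is concerned, and the host is forwarding between ens5 and the bridge; the host's ip6tables/nftables FORWARD policy is therefore what decides which container ports are actually exposed, so set that deliberately rather than relying on the bridge being "internal".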
