IPv6 Connection to Proxmox VE Node: connection-state: invalid

Hello everyone,

I’ve been working with the RouterOS7 (RB5009) for a few weeks and am now at a point where I don’t know what to do next.

My problem is that I produce a lot of invalid IP packets, which are dropped by the firewall rule (invalid => drop). The invalid IP packets only arise when I want to connect to my Proxmox VE 8 node via IPv6 (https). I don’t have this problem with other servers in the same networks that I connect via IPv6.

There are four Proxmox VE nodes - the same problem on all of them.

Connection-Path:
Win11-PC fd10::403b:d87b:4d66:cd59 (VLAN-10) => Mikrotik RouterOS7.11.2 fd10::1 <=> fd05::1 => PVE Node fd05::17 (VLAN-5)

The web interface is partially built, but the shell of the node cannot be opened and the connection is very slow. IPv4 works fine without any problems.

To me it seems as if the packets want to be sent to the PVE node (from my PC), but the connection is not correct/is not always confirmed by the PVE node with an ACK.

I hope someone can give me a tip as to where I should look for the cause or what it might be.

Thanks a lot!

By the way: If I create a firewall rule that accepts IP packets with the connection state invalid in the direction of the Proxmox VE node, the connection works without any problems.

I attached some files.
PVE-3_invalid_pakete.jpg
PVE-3_ip-c-6_r_s.txt (2.79 KB)
PVE-3_Interfaces.txt (1.44 KB)
FW-Connection-State.jpg

Hello,

the mystery seems to have been solved. The way I created the VLANs caused the problem and probably messed up the routing on the node. With the following config, the node in VLAN 5 can be easily reached and the virtual machines receive their VLAN tag via the settings of the VM itself.

Btw: Don’t be surprised, I tested the new config with another node that is controlled via an LACP bond. The problem was identical to the system with ::17.

auto lo
iface lo inet loopback
iface lo inet6 loopback

iface enp86s0 inet manual
    post-up /usr/sbin/ethtool -s enp86s0 wol g
#Onboard Ethernet

iface enx00e04c680576 inet manual
#uni USB Ethernet #1

iface enx00e04c680698 inet manual
#uni USB Ethernet #2

auto bond0
iface bond0 inet manual
    bond-slaves enx00e04c680698 enx00e04c680576
    bond-miimon 100
    bond-mode 802.3ad
    bond-xmit-hash-policy layer2+3
    
auto vmbr0
iface vmbr0 inet manual
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

auto vmbr0.5
iface vmbr0.5 inet static
    address 192.168.5.18
    netmask 24
    gateway 192.168.5.1
#VLAN-5

iface vmbr0.5 inet6 static
    address fd05::18
    netmask 64
    gateway fd05::1
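
A sanity check for a config in this format, as an added example that is not part of the original posts: it parses the ifupdown stanzas and reports any address family with a default gateway on more than one interface, and any gateway that lies outside its interface's own prefix. The function names and the choice of checks are assumptions; the thread does not state which setting in the earlier config caused the invalid-state packets.

```python
import ipaddress

# Constructed sample: the addressed stanzas from the config posted above.
SAMPLE = """\
auto vmbr0.5
iface vmbr0.5 inet static
    address 192.168.5.18
    netmask 24
    gateway 192.168.5.1

iface vmbr0.5 inet6 static
    address fd05::18
    netmask 64
    gateway fd05::1
"""

def parse_stanzas(text):
    """Return [(name, family, options)] for every 'iface' stanza."""
    stanzas, opts = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or comment
        if words[0] == "iface" and len(words) >= 4:
            opts = {}
            stanzas.append((words[1], words[2], opts))
        elif words[0] in ("auto", "source") or words[0].startswith("allow-"):
            opts = None                   # this line ends the current stanza
        elif opts is not None:
            opts[words[0]] = " ".join(words[1:])
    return stanzas

def lint(text):
    """Return findings about default gateways; an empty list means none."""
    findings, seen = [], {}
    for name, family, opts in parse_stanzas(text):
        if "gateway" not in opts:
            continue
        seen.setdefault(family, []).append(name)
        addr = opts.get("address", "")
        if "/" not in addr and "netmask" in opts:
            addr += "/" + opts["netmask"]  # prefix given on its own line
        net = ipaddress.ip_interface(addr).network if addr else None
        if net is not None and ipaddress.ip_address(opts["gateway"]) not in net:
            findings.append(f"{name} {family}: gateway {opts['gateway']} is outside {net}")
    for family, names in seen.items():
        if len(names) > 1:
            findings.append(f"{family}: gateway set on {', '.join(names)}")
    return findings
```

Running `lint()` on the contents of `/etc/network/interfaces` before reloading the network shows whether both address families still have exactly one on-link default gateway.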