How do I bridge IPv6 over gretap link?

by manatails   Last Updated October 20, 2019 04:00 AM

My goal is to create an IPv6 interface on an Amazon Lightsail instance. As Amazon currently only assigns IPv6 addresses to EC2 instances, I am trying to create a virtual bridge between the EC2 instance and the Lightsail instance and set the IPv6 address on the Lightsail instance. I want the Lightsail instance to behave as if it has a 'real' IPv6 interface. I am using gretap instead of gre and forwarding.

So what I've done so far is:

On the EC2 instance:

sudo brctl addbr br0

sudo ip addr del 172.31.11.88/20 dev ens5

sudo ip addr add 172.31.11.88/20 dev br0

sudo brctl addif br0 ens5

sudo ip link set br0 up

sudo ip route add default via 172.31.0.1 dev br0

sudo ip link add awsgre0 type gretap remote 172.26.8.245 local 172.31.11.88

sudo ip link set awsgre0 up

sudo brctl addif br0 awsgre0

sudo ip addr add 2406:da12:def:a900::10/64 dev br0

sudo ip -6 route del 2406:da12:def:a900::/64 dev ens5

On the Lightsail instance:

sudo ip link add awsgre0 type gretap local 172.26.8.245 remote 172.31.11.88

sudo ip link set awsgre0 up

sudo ip addr add 2406:da12:def:a900::11/64 dev awsgre0

sudo ip -6 route add default via fe80::4d:13ff:fe13:4fdc dev awsgre0 (I guess I don't have to do that)

After doing all this, I can connect normally to the external IPv6 network from the EC2 instance, and pinging between ::10 and ::11 works fine, but connections from the Lightsail instance to the external network still do not work.

My routing tables look like this:

$ sudo route -n -6
[sudo] password for manatails:
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2406:da12:def:a900::/64        ::                         U    256 1    64 br0
fe80::/64                      ::                         U    256 1    51 br0
::/0                           fe80::4d:13ff:fe13:4fdc    UGDAe 1024 2    32 br0
::/0                           ::                         !n   -1  1   309 lo
::1/128                        ::                         Un   0   3  5133 lo
2406:da12:def:a900::10/128     ::                         Un   0   2   217 lo
fe80::4a:86ff:fe6c:d5e6/128    ::                         Un   0   3   411 lo
fe80::4a:86ff:fe6c:d5e6/128    ::                         Un   0   2    48 lo
fe80::d4f1:3eff:fef1:761c/128  ::                         Un   0   1     0 lo
ff00::/8                       ::                         U    256 2  3305 ens5
ff00::/8                       ::                         U    256 1   828 br0
ff00::/8                       ::                         U    256 0     0 awsgre0
::/0                           ::                         !n   -1  1   309 lo

On Lightsail:

$ sudo route -n -6
[sudo] password for manatails:
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref Use If
2406:da12:def:a900::/64        ::                         UA   256 1    67 awsgre0
fe80::/64                      ::                         U    256 1    13 awsgre0
::/0                           fe80::4d:13ff:fe13:4fdc    UGDAe 1024 1   567 awsgre0
::/0                           ::                         !n   -1  1  1105 lo
::1/128                        ::                         Un   0   2   270 lo
2406:da12:def:a900::11/128     ::                         Un   0   2   145 lo
fe80::e:d7ff:fec4:78ca/128     ::                         Un   0   1     0 lo
fe80::503c:fff:fe8b:1477/128   ::                         Un   0   2    11 lo
ff00::/8                       ::                         U    256 0     0 eth0
ff00::/8                       ::                         U    256 1   568 awsgre0
::/0                           ::                         !n   -1  1  1105 lo

Since ens5 and awsgre0 are bonded together as br0, shouldn't it be possible to connect to the external network from the other side of the awsgre0 link?

While looking for a solution on Stack Exchange, I found a similar question here:

https://askubuntu.com/questions/460405/ipv6-does-not-work-over-bridge

So, as per the answers, I tried setting multicast snooping off, turning STP on, and setting accept_ra, but with no success.

Is there something else I am missing?
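
As an added example (not part of the original question), the sketch below parses the two `route -n -6` tables quoted above and checks whether both hosts use the same default gateway and which Lightsail routes carry the `A` (addrconf) flag. The function names are hypothetical, and the embedded rows are a subset copied from the question's output.

```python
from collections import namedtuple

# Rows copied from the two `route -n -6` outputs in the question (subset).
EC2_TABLE = """\
Destination                    Next Hop                   Flag Met Ref Use If
2406:da12:def:a900::/64        ::                         U    256 1    64 br0
::/0                           fe80::4d:13ff:fe13:4fdc    UGDAe 1024 2    32 br0
::/0                           ::                         !n   -1  1   309 lo
"""
LIGHTSAIL_TABLE = """\
Destination                    Next Hop                   Flag Met Ref Use If
2406:da12:def:a900::/64        ::                         UA   256 1    67 awsgre0
::/0                           fe80::4d:13ff:fe13:4fdc    UGDAe 1024 1   567 awsgre0
::/0                           ::                         !n   -1  1  1105 lo
"""

Route = namedtuple("Route", "dest next_hop flags metric iface")

def parse_routes(text):
    """Parse net-tools `route -n -6` rows; headers and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 7 columns; the header has 8 ("Next Hop" is two words).
        if len(f) == 7 and ":" in f[0]:
            routes.append(Route(f[0], f[1], f[2], int(f[3]), f[6]))
    return routes

def usable_default(routes):
    """First ::/0 route with a gateway (G) that is not a reject entry (!)."""
    for r in routes:
        if r.dest == "::/0" and "G" in r.flags and not r.flags.startswith("!"):
            return r
    return None

def addrconf_dests(routes):
    """Destinations flagged 'A' (installed by addrconf, per route(8))."""
    return sorted(r.dest for r in routes if "A" in r.flags)

def compare(ec2_text, lightsail_text):
    ec2, ls = parse_routes(ec2_text), parse_routes(lightsail_text)
    a, b = usable_default(ec2), usable_default(ls)
    return {"same_gateway": bool(a and b and a.next_hop == b.next_hop),
            "lightsail_iface": b.iface if b else None,
            "lightsail_addrconf": addrconf_dests(ls)}

if __name__ == "__main__":
    print(compare(EC2_TABLE, LIGHTSAIL_TABLE))
```

On the quoted tables both hosts resolve `::/0` to the same link-local gateway, and the Lightsail side's prefix and default routes are both addrconf-installed.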


