No ICMPv6 echo replies on vrf

Hey, that's very strange. I have a router running VyOS 1.5-stream-2025-Q2, and it only sends ICMP echo replies on eth0. On my own subnet in vrf net it receives echo requests but does not send echo replies. Even after I explicitly allow ipv6-icmp in the firewall, no echo reply goes out. Has anyone seen this strange behavior?

With a similar config (only the IPs differ), ICMP echo requests are answered. It fails only on my VMs. Recreating the VM did not fix it either.

Summary

/* IPv6 firewall. Only an input filter chain is configured; no forward or
   output chain appears in this config, so nothing here filters packets
   the router itself generates (such as echo replies).
   No default-action is set on the chain.
   NOTE(review): confirm the chain default on this release; if it is accept,
   rule 3 changes nothing and only TCP/222 is ever dropped. */
firewall {
ipv6 {
input {
filter {
/* Rules 1 and 2: accept TCP to port 222 (the port set under "service ssh")
   from two source /64s. */
rule 1 {
action accept
destination {
port 222
}
protocol tcp
source {
address xxxx:xxxx:1c1c:7113::/64
}
}
rule 2 {
action accept
destination {
port 222
}
protocol tcp
source {
address xxxx:xxxx:c0c:abb2::/64
}
}
/* Rule 3: accept all ICMPv6, with no type, source or interface match.
   This covers echo requests and neighbour discovery alike. */
rule 3 {
action accept
protocol ipv6-icmp
}
/* Rule 10: drop TCP/222 from every source not accepted by rules 1 and 2. */
rule 10 {
action drop
destination {
port 222
}
protocol tcp
}
}
}
}
}
/* Interfaces. eth0 has no vrf statement and so stays in the default VRF;
   dum0, eth1 and both tunnels are members of vrf net.
   Addresses are redacted in this paste, so comparisons below are based on
   the visible hextets only. */
interfaces {
/* /128 address inside vrf net. */
dummy dum0 {
address xxxx:xxxx:d41::ce:0/128
vrf net
}
/* Default-VRF uplink; its address is also the tunnel source and the SSH
   listen address. */
ethernet eth0 {
address xxxx:xxxx:1b7:730::a/56
hw-id xx:xx:xx:xx:xx:d7
offload {
gro
gso
sg
tso
}
}
/* Member of vrf net. Its /64 matches rule 3 of pl6-ixp-lan and the BGP
   neighbour addresses as redacted, i.e. this looks like the peering LAN
   port. The interface where echo replies are missing is presumably this
   one (TODO confirm with a capture on eth1). */
ethernet eth1 {
address xxxx:xxxx:15b:1::1:7/64
hw-id xx:xx:xx:xx:xx:96
offload {
gro
gso
sg
tso
}
vrf net
}
loopback lo {
}
/* ip6gre tunnels: the tunnel interfaces are in vrf net, while source-address
   is eth0's address in the default VRF. No key or IPsec protection is
   configured for either tunnel in this config. */
tunnel tun001 {
address xxxx:xxxx:d41::8000/127
description core-w0.draphago.de
encapsulation ip6gre
mtu 1376
remote xxxx:xxxx:1c1c:f2c:1001:101:1:2
source-address xxxx:xxxx:1b7:730::a
vrf net
}
tunnel tun213292 {
address xxxx:xxxx:d41::2:1/127
description Okkel-Router
encapsulation ip6gre
mtu 1456
remote xxxx:xxxx:1b7:730::7
source-address xxxx:xxxx:1b7:730::a
vrf net
}
}
/* Routing policy: AS-path, large-community and prefix lists, plus the
   route-maps referenced from the BGP instance under vrf net. */
policy {
/* Intended to match reserved and private ASNs; used by rule 1 of both
   import route-maps.
   NOTE(review): as-path regexes are string patterns, not numeric ranges.
   "64496-131071" and "4200000000-4294967295" would only match a path that
   literally contains that text, so rules 20 and 30 probably never match.
   Rule 10 is unanchored and would also match longer ASNs that contain the
   digits 23456. Verify against the running routing daemon; if confirmed,
   the bogon-ASN deny in the import maps filters far less than intended. */
as-path-list apl-bogon-asns {
rule 10 {
action permit
regex 23456
}
rule 20 {
action permit
regex 64496-131071
}
rule 30 {
action permit
regex 4200000000-4294967295
}
}
/* The regexes in the next two lists are damaged in this paste (mismatched
   typographic quotes, a line break inside the pattern, asterisks probably
   consumed by the forum markup). Read them from the device, not from here.
   cm-learnt-downstream gates everything exported by rm-peer-out and
   rm-upstream-out, so its exact pattern matters. */
large-community-list cm-learnt-downstream {
rule 1 {
action permit
regex “213036:4:"
}
}
/* Not referenced by any route-map in this config. */
large-community-list lcm-own-communities {
rule 1 {
action permit
regex "213036:
:*”
}
}
/* Bogon prefixes. Every rule uses le 128, so each entry matches the listed
   prefix and all more-specifics. Rules 30-50 are redacted. */
prefix-list6 pl6-bogons {
rule 10 {
action permit
le 128
prefix ::/8
}
rule 20 {
action permit
le 128
prefix 100::/64
}
rule 30 {
action permit
le 128
prefix xxxx:xxxx::/48
}
rule 40 {
action permit
le 128
prefix xxxx:xxxx::/28
}
rule 50 {
action permit
le 128
prefix xxxx:xxxx::/32
}
rule 60 {
action permit
le 128
prefix 2002::/16
}
rule 70 {
action permit
le 128
prefix 3ffe::/16
}
rule 80 {
action permit
le 128
prefix fc00::/7
}
rule 90 {
action permit
le 128
prefix fe80::/10
}
rule 100 {
action permit
le 128
prefix fec0::/10
}
rule 110 {
action permit
le 128
prefix ff00::/8
}
rule 120 {
action permit
le 128
prefix 3fff::/20
}
rule 130 {
action permit
le 128
prefix 5f00::/16
}
}
/* Peering-LAN prefixes, matched at /64 or longer. Rule 3 covers eth1's
   subnet as redacted. */
prefix-list6 pl6-ixp-lan {
rule 1 {
action permit
ge 64
le 128
prefix xxxx:xxxx:701::/64
}
rule 2 {
action permit
ge 64
le 128
prefix xxxx:xxxx:1000:46::/64
}
rule 3 {
action permit
ge 64
le 128
prefix xxxx:xxxx:15b:1::/64
}
}
/* Exactly the /48 (ge 48 le 48), no more-specifics. */
prefix-list6 pl6-own-prefixes {
rule 1 {
action permit
ge 48
le 48
prefix xxxx:xxxx:d41::/48
}
}
/* Any prefix longer than /48. */
prefix-list6 pl6-tiny-prefix {
rule 10 {
action permit
ge 49
le 128
prefix ::/0
}
}
/* rm-noexport and rm-noimport deny everything. Neither is referenced by a
   neighbour in this config. */
route-map rm-noexport {
rule 1 {
action deny
}
}
route-map rm-noimport {
rule 1 {
action deny
}
}
/* Import policy for the neighbour described as XGWQ. Denies, in order:
   bogon ASNs, bogon prefixes, prefixes longer than /48, RPKI-invalid routes
   and peering-LAN prefixes. Whatever remains is tagged with two large
   communities and given local-preference 50.
   Rule 4 only has an effect while the RPKI cache session is up; routes
   whose validation state is not "invalid" pass it. */
route-map rm-as213422-in {
rule 1 {
action deny
match {
as-path apl-bogon-asns
}
}
rule 2 {
action deny
match {
ipv6 {
address {
prefix-list pl6-bogons
}
}
}
}
rule 3 {
action deny
match {
ipv6 {
address {
prefix-list pl6-tiny-prefix
}
}
}
}
rule 4 {
action deny
match {
rpki invalid
}
}
rule 5 {
action deny
match {
ipv6 {
address {
prefix-list pl6-ixp-lan
}
}
}
}
rule 65535 {
action permit
set {
large-community {
add 213036:1:213422
add 213036:0:0
}
local-preference 50
}
}
}
/* Import policy for the two frankonIX neighbours. Same deny rules as
   rm-as213422-in; the final rule differs only in the community added and
   in local-preference 150. */
route-map rm-frankonix-in {
rule 1 {
action deny
match {
as-path apl-bogon-asns
}
}
rule 2 {
action deny
match {
ipv6 {
address {
prefix-list pl6-bogons
}
}
}
}
rule 3 {
action deny
match {
ipv6 {
address {
prefix-list pl6-tiny-prefix
}
}
}
}
rule 4 {
action deny
match {
rpki invalid
}
}
rule 5 {
action deny
match {
ipv6 {
address {
prefix-list pl6-ixp-lan
}
}
}
}
rule 65535 {
action permit
set {
large-community {
add 213036:2:214591
add 213036:0:0
}
local-preference 150
}
}
}
/* rm-internal-in and rm-internal-out are not referenced by any neighbour in
   this config. */
route-map rm-internal-in {
rule 1 {
action permit
}
}
route-map rm-internal-out {
rule 1 {
action deny
match {
ipv6 {
address {
prefix-list pl6-own-prefixes
}
}
}
}
rule 65535 {
action permit
}
}
/* Export policy towards the frankonIX neighbours: drop RPKI-invalid routes,
   then permit only routes that match cm-learnt-downstream. There is no
   catch-all permit, so anything else is not exported. */
route-map rm-peer-out {
rule 1 {
action deny
match {
rpki invalid
}
}
rule 2 {
action permit
match {
large-community {
large-community-list cm-learnt-downstream
}
}
}
}
/* Applied under "vrf name net ipv6 protocol any"; sets the source address
   on routes.
   NOTE(review): as redacted, this address (b7a) does not match dum0's
   address (d41). That may be a redaction artefact; confirm the real value
   is an address configured on an interface in vrf net. */
route-map rm-set-src {
rule 1 {
action permit
set {
src xxxx:xxxx:b7a::ce:0
}
}
}
/* Tags the aggregate announced from vrf net with 213036:4:213036,
   presumably the value cm-learnt-downstream is meant to match. */
route-map rm-tag-downstream {
rule 1 {
action permit
set {
large-community {
add 213036:4:213036
}
}
}
}
/* Export policy towards the XGWQ neighbour; rule-for-rule the same as
   rm-peer-out. */
route-map rm-upstream-out {
rule 1 {
action deny
match {
rpki invalid
}
}
rule 2 {
action permit
match {
large-community {
large-community-list cm-learnt-downstream
}
}
}
}
}
/* Global (default-VRF) protocols. */
protocols {
/* A single RPKI cache, reached by hostname on port 8282. No ssh transport
   is configured, so the session presumably runs over plain TCP to this
   host. The "rpki invalid" deny rules in the route-maps depend on it.
   NOTE(review): rpki is configured here at global level while BGP runs
   under vrf net; confirm validation state actually reaches that instance
   (for example by checking the cache connection and prefix table on the
   device). */
rpki {
cache routinator.xnee.net {
port 8282
preference 1
}
}
/* Default route for the default VRF via eth0. vrf net has no static route
   in this config; it relies on connected and BGP routes. */
static {
route6 ::/0 {
next-hop xxxx:xxxx:1b7:700::1 {
interface eth0
}
}
}
}
/* Local services. None of them carries a vrf statement. */
service {
/* LLDP is enabled with an empty node, so no interface selection is visible.
   NOTE(review): confirm LLDP is not transmitting on eth1 if that port
   faces a shared peering LAN. */
lldp {
}
/* NTP. The allow-client node is redacted and has lost its opening brace in
   the paste; the address lines below it are its client ranges. */
ntp {
allow-client xxxxxx
address xxx.xxx.0.0/8
address xxx.xxx.0.0/16
address xxx.xxx.0.0/8
address xxx.xxx.0.0/12
address xxx.xxx.0.0/16
address ::1/128
address fe80::/10
address fc00::/7
}
server xxxxx.tld {
}
server xxxxx.tld {
}
server xxxxx.tld {
}
}
/* SSH listens only on eth0's address, port 222, and only the listed user
   may log in. Network-level access is further limited by firewall rules
   1, 2 and 10.
   NOTE(review): disable-password-authentication is not set, and the user
   has both a password hash and public keys; consider key-only login. */
ssh {
access-control {
allow {
user xxxxxx
}
}
listen-address xxxx:xxxx:1b7:730::a
port 222
}
}
/* System settings. Host name, user name, password hash and key material
   are redacted. */
system {
/* Keeps the last 100 commits for rollback. */
config-management {
commit-revisions 100
}
console {
device ttyS0 {
speed 115200
}
}
host-name xxxxxx
/* One local user with a password hash and three ssh-ed25519 public keys. */
login {
user xxxxxx {
authentication {
encrypted-password xxxxxx
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-ed25519
}
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-ed25519
}
public-keys xxxx@xxx.xxx {
key xxxxxx
type ssh-ed25519
}
}
full-name xxxxxx
}
}
name-server xxxx:xxxx::fe
name-server xxxx:xxxx::9
option {
/* Ctrl-Alt-Delete on the console reboots the router. */
ctrl-alt-delete reboot
kernel {
debug {
}
}
keyboard-layout de
reboot-on-panic
reboot-on-upgrade-failure 5
time-format 24-hour
}
/* Logging is local only; no remote syslog host is configured, so logs live
   and die with this VM. */
syslog {
local {
facility all {
level info
}
facility local7 {
level debug
}
}
}
time-zone Europe/Berlin
}
/* VRF "net" (kernel table 100) with its own BGP instance, AS 213036.
   The braces around the two local-role rs-client lines are unbalanced in
   this paste; that looks like redaction damage, not the real config. */
vrf {
name net {
/* Applies rm-set-src to routes from every protocol in this VRF. See the
   note on that route-map about the source address. */
ipv6 {
protocol any {
route-map rm-set-src
}
}
protocols {
bgp {
address-family {
ipv6-unicast {
/* The /48 aggregate is tagged by rm-tag-downstream. Connected routes are
   redistributed without a route-map, so they reach a neighbour only if an
   export map permits them. */
aggregate-address xxxx:xxxx:d41::/48 {
route-map rm-tag-downstream
}
redistribute {
connected {
}
}
}
}
/* Neighbour described as XGWQ; this router takes the customer role.
   Accepts up to 300000 prefixes and keeps an unfiltered copy of received
   routes (soft-reconfiguration inbound). No bfd node on this neighbour. */
neighbor xxxx:xxxx:15b:1::1:4 {
address-family {
ipv6-unicast {
maximum-prefix 300000
nexthop-self {
}
route-map {
export rm-upstream-out
import rm-as213422-in
}
soft-reconfiguration {
inbound
}
}
}
description XGWQ
local-role customer {
}
remote-as XXXXXX
}
/* First of two frankonIX neighbours with identical settings: role
   rs-client, BFD enabled, at most 300 prefixes. */
neighbor xxxx:xxxx:15b:1::c122:cbc1 {
address-family {
ipv6-unicast {
maximum-prefix 300
nexthop-self {
}
route-map {
export rm-peer-out
import rm-frankonix-in
}
soft-reconfiguration {
inbound
}
}
}
bfd {
}
description frankonIX
local-role rs-client xxxxxx
}
remote-as XXXXXX
}
/* Second frankonIX neighbour. */
neighbor xxxx:xxxx:15b:1::c122:cbc2 {
address-family {
ipv6-unicast {
maximum-prefix 300
nexthop-self {
}
route-map {
export rm-peer-out
import rm-frankonix-in
}
soft-reconfiguration {
inbound
}
}
}
bfd {
}
description frankonIX
local-role rs-client xxxxxx
}
remote-as XXXXXX
}
/* ebgp-requires-policy: an eBGP neighbour with no import or export policy
   exchanges no routes. Every neighbour above has both. */
parameters {
ebgp-requires-policy
log-neighbor-changes
router-id xxx.xxx.0.1
}
system-as 213036
}
}
table 100
}
}

Issue also exists on other hypervisors.