(OK) IPv6 does not work over bridge


http://askubuntu.com/questions/460405/ipv6-does-not-work-over-bridge


Have you enabled IPv6 on the interface at all? If the bridge device is br0, then do this:

    sysctl net.ipv6.conf.br0.disable_ipv6=0
    sysctl net.ipv6.conf.br0.autoconf=1
    sysctl net.ipv6.conf.br0.accept_ra=1
    sysctl net.ipv6.conf.br0.accept_ra_defrtr=1


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Every IPv6 address, even link-local ones, automatically subscribes to a multicast group based on its last 24 bits. If multicast snooping is enabled, the bridge filters out (almost) all multicast traffic by default. When an IPv6 address is assigned to an interface, the system must inform the network that this interface is interested in that particular multicast group and must be excluded by the filter. The following is a good introductory video: https://www.youtube.com/watch?v=O1JMdjnn0ao

Multicast snooping is there to prevent flooding the network with multicast packets that most systems aren't interested in. You can disable multicast snooping in small deployments without noticing any big difference. But this may have a significant performance impact on larger deployments.

You can disable snooping with:

    echo -n 0 > /sys/class/net/<brif>/bridge/multicast_snooping

If you want to protect your VMs from unwanted traffic and unnecessary packet processing, you can leave snooping enabled but also enable a multicast Querier on the network. A Querier will periodically broadcast query packets and update snooping filters on switches and bridges. It is possible to enable a Querier on your system with:

    echo -n 1 > /sys/class/net/<brif>/bridge/multicast_querier

If you have snooping enabled, you must also have a querier on the network.

There's no need to enable STP. It's probably safer to turn it off, unless you know that you're bridging segments that result in circular paths. It's also irrelevant if you have SLAAC enabled (i.e. autoconf=1, accept_ra=1). Enabling PROMISC mode on the bridge implicitly disables snooping.

Here's a nice summary of the modern challenges of IPv6 Neighbor Discovery (ND) and Multicast Listener Discovery (MLD).
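
The snooping and querier settings described in the answer above can be checked for every bridge by reading the same sysfs files. This is an added example, not part of the original answers; the optional sysfs-root argument and the state names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). The sysfs root defaults to
# the real /sys/class/net; passing another root is this example's own hook
# so the check can be run against a constructed directory tree.

# mcast_state BRIDGE [SYSFS_NET]
# Prints the state and returns: 0 = fine, 1 = snooping on with no local
# querier (another querier must exist on the network), 2 = not a bridge.
mcast_state() {
    dir="${2:-/sys/class/net}/$1/bridge"
    if [ ! -r "$dir/multicast_snooping" ]; then
        echo "not-a-bridge"
        return 2
    fi
    snoop=$(cat "$dir/multicast_snooping")
    querier=0
    if [ -r "$dir/multicast_querier" ]; then
        querier=$(cat "$dir/multicast_querier")
    fi
    if [ "$snoop" = "0" ]; then
        echo "snooping-off"
    elif [ "$querier" = "1" ]; then
        echo "snooping-with-local-querier"
    else
        echo "snooping-no-local-querier"
        return 1
    fi
    return 0
}

# audit_bridges [SYSFS_NET]
# Prints "<bridge> <state>" for every bridge found under the root and
# returns 1 if any bridge needs attention, 0 otherwise.
audit_bridges() {
    root=${1:-/sys/class/net}
    bad=0
    for d in "$root"/*/bridge; do
        [ -d "$d" ] || continue          # skip non-bridges and unmatched glob
        name=$(basename "$(dirname "$d")")
        state=$(mcast_state "$name" "$root") || bad=1
        echo "$name $state"
    done
    return $bad
}
```

On a real host, run `audit_bridges` with no argument. A `snooping-no-local-querier` result is only a problem if no other device on the segment is acting as querier.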

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


The only obvious problem I see with your configuration is:

    bridge_stp off

For various reasons STP needs to be enabled on libvirt bridges.

Change the configuration to:

    bridge_stp on

You can also activate it immediately without restarting the network:

    $ sudo brctl stp br0 on

posted @ 张同光