Containers not accessible over IPv6 from internet, gateway incorrect

(Peter Reid) #1

I set up Docker with IPv6 (tested on a fresh machine), where the IPv6 gateway is not at the traditional address. daemon.json has the following content:

{
  "storage-driver": "overlay2",
  "ipv6": true,
  "fixed-cidr-v6": "2001:41d0:1:dbc4::/56",
  "default-gateway-v6": "2001:41d0:1:dbff:ff:ff:ff:ff"
}

On the host:

ifconfig returns:

docker0   Link encap:Ethernet  HWaddr 02:42:c1:7e:25:b4
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::1/64 Scope:Link
          inet6 addr: 2001:41d0:1:db00::1/56 Scope:Global
          inet6 addr: fe80::42:c1ff:fe7e:25b4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:91 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9003 (9.0 KB)  TX bytes:9523 (9.5 KB)

eth0      Link encap:Ethernet  HWaddr 00:25:90:50:d5:10
          inet addr:91.121.154.196  Bcast:91.121.154.255  Mask:255.255.255.0
          inet6 addr: fe80::225:90ff:fe50:d510/64 Scope:Link
          inet6 addr: 2001:41d0:1:dbc4::1/56 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4152393 errors:0 dropped:0 overruns:0 frame:0
          TX packets:288620 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:415777011 (415.7 MB)  TX bytes:29767545 (29.7 MB)
          Interrupt:16 Memory:fbce0000-fbd00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2368 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2368 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:365057 (365.0 KB)  TX bytes:365057 (365.0 KB)

vethb9812af Link encap:Ethernet  HWaddr 66:bb:f0:5b:71:f8
          inet6 addr: fe80::64bb:f0ff:fe5b:71f8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:42 errors:0 dropped:0 overruns:0 frame:0
          TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5327 (5.3 KB)  TX bytes:5433 (5.4 KB)

vethf7f5125 Link encap:Ethernet  HWaddr 32:d2:9f:d4:23:64
          inet6 addr: fe80::30d2:9fff:fed4:2364/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4302 (4.3 KB)  TX bytes:6764 (6.7 KB)

ip -6 route returns:

2001:41d0:1:dbff:ff:ff:ff:ff dev eth0  metric 1024  pref medium
2001:41d0:1:db00::/56 dev docker0  proto kernel  metric 256  pref medium
2001:41d0:1:db00::/56 dev eth0  proto kernel  metric 256  pref medium
2001:41d0:1:db00::/56 dev docker0  metric 1024  pref medium
fe80::/64 dev docker0  proto kernel  metric 256  pref medium
fe80::/64 dev vethf7f5125  proto kernel  metric 256  pref medium
fe80::/64 dev vethb9812af  proto kernel  metric 256  pref medium
fe80::/64 dev eth0  proto kernel  metric 256  pref medium
default via 2001:41d0:1:dbff:ff:ff:ff:ff dev eth0  metric 1024  pref medium

ip -6 addr returns:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:41d0:1:dbc4::1/56 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::225:90ff:fe50:d510/64 scope link
       valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:41d0:1:db00::1/56 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::42:c1ff:fe7e:25b4/64 scope link
       valid_lft forever preferred_lft forever
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever
8: vethf7f5125@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::30d2:9fff:fed4:2364/64 scope link
       valid_lft forever preferred_lft forever
10: vethb9812af@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::64bb:f0ff:fe5b:71f8/64 scope link
       valid_lft forever preferred_lft forever

The gateway is at an address provided by my server provider/ISP and cannot be changed.

In a docker container:

executing ip -6 route returns:

2001:41d0:1:db00::/56 dev eth0  metric 256
fe80::/64 dev eth0  metric 256
default via 2001:41d0:1:db00:ff:ff:ff:ff dev eth0  metric 1024
unreachable default dev lo  metric -1  error -101
ff00::/8 dev eth0  metric 256
unreachable default dev lo  metric -1  error -101

executing ip -6 addr returns:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
7: eth0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 state UP
    inet6 2001:41d0:1:db00::242:ac11:2/56 scope global flags 02
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:2/64 scope link
       valid_lft forever preferred_lft forever

Executing docker inspect {containerId} for the container in question returns (cut to pertinent info):

[
    {
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "0cd3f4b2f9ca653fa8c7782e4e839c017894d0d30aa5d7a2cdd314964782afd9",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {},
            "SandboxKey": "/var/run/docker/netns/0cd3f4b2f9ca",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "4a5df933f52c2789838f0d4a1822df997a30c988894982bdcd29d4cc3c3ccdd5",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "2001:41d0:1:db00:0:242:ac11:2",
            "GlobalIPv6PrefixLen": 56,
            "IPAddress": "172.17.0.2",
            "IPPrefixLen": 16,
            "IPv6Gateway": "2001:41d0:1:db00:ff:ff:ff:ff",
            "MacAddress": "02:42:ac:11:00:02",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "71e4ff9707a415ec13fecf2bce4bffe1042b0718a9c6005455970ea4d87889db",
                    "EndpointID": "4a5df933f52c2789838f0d4a1822df997a30c988894982bdcd29d4cc3c3ccdd5",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "2001:41d0:1:db00:ff:ff:ff:ff",
                    "GlobalIPv6Address": "2001:41d0:1:db00:0:242:ac11:2",
                    "GlobalIPv6PrefixLen": 56,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]

I will highlight that the IPv6Gateway is returning as 2001:41d0:1:db00:ff:ff:ff:ff, which does not match what I have set in my daemon.json.

Am I doing something wrong? Why is my gateway not being correctly set? Why can I not access these containers?
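
A consistency check over the values posted above, as an added example that is not part of the original post and not Docker's own code. The function name and finding labels are hypothetical; the inputs are copied from the post's daemon.json, ifconfig and docker inspect output.

```python
import ipaddress
import json

# Values copied from the post: daemon.json, the host's eth0 address,
# and the IPv6Gateway reported by `docker inspect`.
DAEMON_JSON = """{
  "storage-driver": "overlay2",
  "ipv6": true,
  "fixed-cidr-v6": "2001:41d0:1:dbc4::/56",
  "default-gateway-v6": "2001:41d0:1:dbff:ff:ff:ff:ff"
}"""
HOST_ADDRS = {"eth0": "2001:41d0:1:dbc4::1/56"}
OBSERVED_GATEWAY = "2001:41d0:1:db00:ff:ff:ff:ff"


def audit_ipv6(daemon_json, host_addrs, observed_gateway):
    """Return (label, detail) findings; the labels are hypothetical names."""
    cfg = json.loads(daemon_json)
    findings = []
    raw = cfg["fixed-cidr-v6"]
    # strict=False masks off host bits; docker0's db00::1/56 address in
    # the post lies in the masked network, not in "dbc4::".
    subnet = ipaddress.ip_network(raw, strict=False)
    if str(subnet) != raw:
        findings.append(("HOST_BITS_SET", f"{raw} normalizes to {subnet}"))
    # A bridge subnet that overlaps an uplink prefix gives two on-link
    # routes for one range, as the host's `ip -6 route` output shows.
    for ifname, addr in host_addrs.items():
        uplink = ipaddress.ip_interface(addr).network
        if subnet.overlaps(uplink):
            findings.append(("OVERLAPS_UPLINK", f"{subnet} vs {ifname} {uplink}"))
    # The host routes reach the gateway via eth0, yet it may fall inside
    # the range handed to the bridge.
    gateway = ipaddress.ip_address(cfg["default-gateway-v6"])
    if gateway in subnet:
        findings.append(("GATEWAY_IN_BRIDGE_SUBNET", f"{gateway} in {subnet}"))
    if gateway != ipaddress.ip_address(observed_gateway):
        findings.append(("GATEWAY_MISMATCH",
                         f"configured {gateway}, container sees {observed_gateway}"))
    return findings


if __name__ == "__main__":
    for label, detail in audit_ipv6(DAEMON_JSON, HOST_ADDRS, OBSERVED_GATEWAY):
        print(f"{label}: {detail}")
```
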


(Sam) #2

You cannot directly address the container INBOUND because its virtual MAC address does not exist on the local host's LAN.
A packet comes for that MAC address and is ignored, because it doesn't match any expected MAC address…

The only thing you CAN do is map ports from the containers onto the host system and expose the HOST and THOSE ports to the gateway… Traffic will come for the host MAC address and the virtual gateway on the host machine will route the traffic to the appropriate container ports (NAT style).

The container OUTBOUND connects, because the request is on a temp virtual port (NAT) on the host, and this is accessible on the local LAN… Requests sent out from this port in NAT will have their responses mapped back to the container port.