Ipv6 not routing outside containers

Hi,

Running on CentOS 7 64-bit OS
with Docker version
docker-ce-19.03.3-3.el7.x86_64
docker-ce-cli-19.03.3-3.el7.x86_64

I’m banging my head against my desk trying to get IPv6 to work correctly. In essence I need to be able to access systems using IPv6 addresses as well as IPv4 addresses that exist outside of my container host from within my containers.

So the container can ping the docker0 IPv6 address and other containers’ IPv6 addresses, but can’t ping anything outside the host.

One funny thing is that the container can ping the host’s IPv6 address, but it doesn’t appear to go through the default gateway when I use traceroute.

I just don’t get what I’m missing.

I’ve also tried different address types once matching container hosts as suggested in the docker documentation by adding a :1 on the end of my host’s 4 address divisions.

I’ve configured the daemon such that
{
    "bip": "192.168.0.1/16",
    "fixed-cidr": "192.168.0.0/16",
    "fixed-cidr-v6": "fdaa:bbbb:cccc:1:1::/80",
    "ipv6": true,
    "debug": true
}

docker- from ifconfig
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.0.0 broadcast 192.168.255.255
inet6 fdaa:bbbb:cccc:1:1::1 prefixlen 80 scopeid 0x0
inet6 fe80::42:d9ff:fe47:fe37 prefixlen 64 scopeid 0x20
inet6 fe80::1 prefixlen 64 scopeid 0x20

sysctl: net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "e4d84671a181b1ef895432b9ec3f1f4d74f52c52f954947b9ab1242940c92586",
        "Created": "2019-10-18T14:29:11.887900679Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "192.168.0.1/16",
                    "IPRange": "192.168.0.0/16",
                    "Gateway": "192.168.0.1"
                },
                {
                    "Subnet": "fdaa:bbbb:cccc:1:1::/80"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "5c9994b9c0de528893012a352a12effb3dcd133402cbe3723bf3708ced3f6c5d": {
                "Name": "cust1_watchmen_1",
                "EndpointID": "8424bc470b1bd586838795d31cda84b88863be468ed7114c31d58e3f6936fc19",
                "MacAddress": "02:42:c0:a8:00:03",
                "IPv4Address": "192.168.0.3/16",
                "IPv6Address": "fdaa:bbbb:cccc:1:1:242:c0a8:3/80"
            },
            "75728a48495551904ae80f59676bff3098c6427c2d774e8772e9d7f0c15a69fb": {
                "Name": "cust6_watchmen_1",
                "EndpointID": "920dfdb8938fda9c616572be98b51c20c5615a11fa9dd5e9ffeee27e973db980",
                "MacAddress": "02:42:c0:a8:00:05",
                "IPv4Address": "192.168.0.5/16",
                "IPv6Address": "fdaa:bbbb:cccc:1:1:242:c0a8:5/80"
            },
            "77ab556e6528eecabfa3d636063923d101e1fa80fb57dd2f33956cd6d72e5151": {
                "Name": "autoheal_auto-heal_1",
                "EndpointID": "280aa2e84a3d2ce0adaee874f1394c44a26aa17385565e8052c852e58d5cc15a",
                "MacAddress": "02:42:c0:a8:00:02",
                "IPv4Address": "192.168.0.2/16",
                "IPv6Address": "fdaa:bbbb:cccc:1:1:242:c0a8:2/80"
            },
            "79d4668e7babc2d1444cc4ca6ac2b599f5b88a98e04387302c1a01a83ba0ea20": {
                "Name": "cust7_watchmen_1",
                "EndpointID": "e2e148d66ffaf747e8634dfa57152ec08e7b2b8fc6415c5441cc76ac4c79fdfc",
                "MacAddress": "02:42:c0:a8:00:04",
                "IPv4Address": "192.168.0.4/16",
                "IPv6Address": "fdaa:bbbb:cccc:1:1:242:c0a8:4/80"
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

[root@79d4668e7bab /]# ip -6 route
fdaa:bbbb:cccc:1:1::/80 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fdaa:bbbb:cccc:1:1::1 dev eth0 metric 1024 pref medium

[root@79d4668e7bab /]# ping6 fdaa:bbbb:cccc:1:1::1
PING fdaa:bbbb:cccc:1:1::1(fdaa:bbbb:cccc:1:1::1) 56 data bytes
64 bytes from fdaa:bbbb:cccc:1:1::1: icmp_seq=1 ttl=64 time=0.042 ms
64 bytes from fdaa:bbbb:cccc:1:1::1: icmp_seq=2 ttl=64 time=0.069 ms

[root@79d4668e7bab /]# traceroute fdaa:bbbb:cccc:1:1::1
traceroute to fdaa:bbbb:cccc:1:1::1 (fdaa:bbbb:cccc:1:1::1), 30 hops max, 80 byte packets
1 gateway (fdaa:bbbb:cccc:1:1::1) 0.037 ms 0.011 ms 0.009 ms

Can you ping from the host’s docker1 IPv6 address? Run this on the docker host:

ping -I fdaa:bbbb:cccc:1:1::1 <IPv6 address you want to ping>

If it doesn’t work then there is a problem with the IPv6 routes from the host to the IPv6 address you want to ping, or the reverse routes.

You need a route to fdaa:bbbb:cccc:1:1::/80 on your router or on your hosts.

That helped mikma, thanks. It turns out I couldn’t route through docker0.

To get around this I used docker-ipv6nat.

Setting my ipv6-cidr to a unique local address and starting the nat container got it working.

For what I need this will work fine, and a bonus is that I don’t need to bug the network folks.
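
The reverse-route problem discussed in this thread, as an added example that is not part of any post: a longest-prefix-match model of the upstream router showing why replies to the container's source address never come back, and why either a static route for the Docker subnet or source NAT to the host's address fixes it. The router's route table, the host's LAN address and the `2001:db8::/32` documentation addresses are constructed assumptions; only the `fdaa:bbbb:cccc:1:1::/80` subnet and the container address come from the thread.

```python
import ipaddress

# Taken from the thread: fixed-cidr-v6 and the address of cust7_watchmen_1.
DOCKER_SUBNET = ipaddress.ip_network("fdaa:bbbb:cccc:1:1::/80")
CONTAINER = ipaddress.ip_address("fdaa:bbbb:cccc:1:1:242:c0a8:4")

# Constructed assumptions (documentation prefix), not values from the thread.
HOST_LAN = ipaddress.ip_address("2001:db8:0:1::10")  # docker host on the LAN
ROUTER_ROUTES = [                                     # upstream router's table
    (ipaddress.ip_network("2001:db8:0:1::/64"), "on-link"),
    (ipaddress.ip_network("::/0"), "upstream"),
]
ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses (RFC 4193)


def lookup(routes, dst):
    """Longest-prefix match: return the next hop of the most specific route."""
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_returns(routes, source_seen):
    """True if the router delivers a reply for source_seen to the docker host."""
    hop = lookup(routes, source_seen)
    # The reply comes back only if it is delivered on the host's link or
    # forwarded to the host as next hop; the default route sends it away.
    return hop == "on-link" or hop == HOST_LAN


def diagnose():
    with_static_route = ROUTER_ROUTES + [(DOCKER_SUBNET, HOST_LAN)]
    return {
        "container_is_ula": CONTAINER in ULA,
        # As posted: the router only has its on-link prefix and a default.
        "as_configured": reply_returns(ROUTER_ROUTES, CONTAINER),
        # mikma's suggestion: a route to the Docker subnet via the host.
        "static_route": reply_returns(with_static_route, CONTAINER),
        # NAT approach: the router sees the host's address as the source.
        "source_nat": reply_returns(ROUTER_ROUTES, HOST_LAN),
    }


if __name__ == "__main__":
    for name, value in diagnose().items():
        print(f"{name}: {value}")
```

With the static route, container addresses stay visible to the rest of the network and host firewall rules on forwarded traffic decide what can reach them; with source NAT, outside systems only ever see the host's address.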