network ipv6 and docker

Started by caplam, December 23, 2024, 04:58:24 PM

Hello,

I'm new to OPNsense and to IPv6 too.

I set up OPNsense recently and almost managed everything I wanted to set up (VLANs, reverse proxy, VLAN assignment by MAC, VPN site-to-site ...).

My main server is Unraid and I have numerous containers. Some of them are on a bridge network, others on a macvlan network.
Some networks are IPv6 enabled, some not.
On my networks I enabled DHCPv6, and GUAs are assigned to devices and VMs.
Docker cannot grab IPv6 or IPv4 addresses from a DHCP server.
On Unraid I enabled privacy extensions.

I'd like to set up IPv6 correctly for my whole network. But my ISP doesn't assign me a fixed IPv6 prefix.
I have a dynamic /56.
I have read that ULA is not recommended, but if I'm not using it, how should I do it?
On the router no ULA is present. The only ULAs on my network are on IPv6-enabled containers.
And some of them (all the Nextcloud AIO containers) are trying to access the DNS server (Unbound on OPNsense) with their ULA but are blocked.

You can't assign GUAs to Docker containers as the prefix changes regularly.

I absolutely don't know what to do.
Do you have any advice?

Docker is notoriously bad with IPv6. With dynamic prefixes, it is damn near defective. You cannot use them because you would have to restart every container and probably docker itself to get it working when a prefix changes.

You could use ULA for your internal network, but to make the containers accessible from outside, you would need NAT, which is a PITA for IPv6.

The usual remedy to all of this is to use IPv4 only for docker and use a reverse proxy to take care of the IPv6<->IPv4 translation. Actually, when you have IPv6, you need names to remember endpoints anyway, even more with dynamic prefixes, where dynamic DNS becomes a necessity.

With Docker, the obvious choice for the reverse proxy would be Traefik, but you could delegate that to OPNsense with Nginx, Caddy or HAProxy.
Traefik is nice with Docker because configuration is somewhat automatic once you get the hang of it. It does not help for services outside of Docker, though.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Thanks for your answer.
I'll go with IPv4 only for Docker. But it's not trivial with the Nextcloud AIO stack.
The only problem is that for now my registrar is OVH and it supports DDNS updates only with IPv4. So I would have to manage my DNS zone outside OVH.
I'd like the Docker network to be compatible with a DHCP server.
I use a macvlan network because I didn't find (if it's even possible) a way to create a Docker bridge on a VLAN subinterface.

With a Docker bridge, Docker is managing your containers' IPs. While you could use DHCP for the Docker host, you normally would not do that because everything "hides" behind it and thus, a fixed IP is better.

OVH is bad at IPv6, but you would have that problem regardless of using IPv4 or IPv6 with docker at home.

And Linux bridges can contain arbitrary interfaces, which includes VLANs. In fact, they exist completely independent of their member interfaces.

I didn't realize that. Perhaps because the docker0 interface is created by default and when you create a custom network it uses docker0 by default.

I simply created a custom network with:

docker network create -d bridge -o com.docker.network.bridge.host_binding_ipv4="192.168.10.50" iotnet

where 192.168.10.50 is the IP of my Docker host interface eth0.10 on VLAN 10.
Thank you for that. Sometimes I overthink.
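As an added example (not code from this thread, from Docker or from OPNsense), the following POSIX shell script ties together the two technical points above: keeping Docker IPv4-only behind a reverse proxy, and the user-defined bridge network with host_binding_ipv4 from the last post. It validates the bind address before handing it to Docker, builds the docker network create command without --ipv6 (so the containers never get a ULA that Unbound would reject), and lists the resulting port bindings so you can confirm published ports sit on the VLAN address rather than 0.0.0.0. The network name iotnet, the host address 192.168.10.50 on eth0.10 and the container subnet 172.20.10.0/24 are constructed values for illustration; adjust them to your own setup.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Docker/OPNsense docs:
# create an IPv4-only user-defined Docker bridge network whose published
# ports (-p host:container) bind only on the host's VLAN address.
# Assumed values (constructed; adjust to your environment):
#   NET_NAME          name of the Docker network
#   HOST_IP           the host's address on its VLAN subinterface (e.g. eth0.10)
#   CONTAINER_SUBNET  a private subnet for the containers, distinct from the VLAN's
NET_NAME="${NET_NAME:-iotnet}"
HOST_IP="${HOST_IP:-192.168.10.50}"
CONTAINER_SUBNET="${CONTAINER_SUBNET:-172.20.10.0/24}"

# validate_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255.
# Checking the bind address up front catches a typo before Docker ever sees it.
validate_ipv4() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_network_cmd NAME BIND_IP SUBNET: print the docker command line.
# There is deliberately no --ipv6 flag, so the network stays IPv4-only and
# the containers reach DNS and the outside world over IPv4 via the host.
build_network_cmd() {
  validate_ipv4 "$2" || return 1
  printf 'docker network create -d bridge --subnet %s -o com.docker.network.bridge.host_binding_ipv4=%s %s\n' \
    "$3" "$2" "$1"
}

# show_port_bindings: list published ports of running containers so you can
# confirm they read like 192.168.10.50:8080->80/tcp and not 0.0.0.0:8080->80/tcp.
show_port_bindings() {
  docker ps --format '{{.Names}}\t{{.Ports}}'
}

# Only touch Docker when explicitly asked (./script.sh --apply); otherwise
# just print the command that would be run.
if [ "${1:-}" = "--apply" ]; then
  cmd=$(build_network_cmd "$NET_NAME" "$HOST_IP" "$CONTAINER_SUBNET") || exit 1
  $cmd
  show_port_bindings
else
  build_network_cmd "$NET_NAME" "$HOST_IP" "$CONTAINER_SUBNET"
fi
```

Two things worth keeping in mind when you run this. First, host_binding_ipv4 only changes the default address for -p publishing; a container started with an explicit -p 0.0.0.0:8080:80 still binds everywhere, so the show_port_bindings output is the check that matters. Second, Docker implements published ports with its own iptables chains (DOCKER, jumped to from FORWARD ahead of the host's rules), so host firewall rules in INPUT do not cover that traffic; rules you want applied to container traffic belong in the DOCKER-USER chain, and the binding to the VLAN address is what keeps the service off your other interfaces. The reverse proxy on OPNsense (or Traefik) then terminates IPv6 on the outside and forwards to the IPv4 binding, exactly as suggested earlier in the thread.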