Topic: Use IPv6 functionality in docker host for dynamic IPv6 address (Read 571 times)
Baender
Full Member
Posts: 107
Karma: 4
Use IPv6 functionality in docker host for dynamic IPv6 address
« on: September 22, 2024, 09:27:59 pm »
I get more and more into OPNsense and networking in general and my home network, with self-hosted services growing.
I run a few services exposed to the Internet, but for now only for IPv4.
For WAN I get a dynamic IPv4 address and via 6To4 a dynamic IPv6 address.
From my first reading, it sounds like IPv6 for docker is special. At least if I want to get IPv6 addresses for my containers, in my special situation. To get an IPv6 address in every subnet, I use Track Interface in OPNsense. This means that I cannot just take a /80 of the docker host's IP and be done. I chatted with GPT and it suggested a script to get the current prefix and generate an appertaining subnet from the applied IPv6 address of the docker host.
This sounds really like rocket science to me, but I've come across so many technologies where you have to do such stupid things to achieve something that I'm not surprised. Often it's just not a matter of flipping a switch. But what do you think?
Perhaps it is also important to know that I use Caddy plugin for my OPNsense, to publish the services.
I have to say that I am still relatively new to IPv6 and therefore the question may seem strange.
« Last Edit: September 22, 2024, 09:44:06 pm by Baender »
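The script idea from the post above (read the host's current prefix, derive a /80 for Docker from it), as an added example that is not part of the thread and not code from any poster. The `ip` output and addresses are constructed, the choice of the /80 with index 1 is an assumption, and `ipv6` / `fixed-cidr-v6` are Docker's daemon.json keys.

```python
import ipaddress
import json

# Constructed, trimmed sample of `ip -6 -o addr show dev eth0`
# (documentation prefix 2001:db8::/32, not real addresses).
SAMPLE_IP_OUTPUT = """\
2: eth0    inet6 fd12:3456:789a:1::10/64 scope global
2: eth0    inet6 2001:db8:4f2:aa10:5c1d:77ff:fe02:9e41/64 scope global temporary dynamic
2: eth0    inet6 2001:db8:4f2:aa10:a1b2:c3ff:fed4:e5f6/64 scope global dynamic mngtmpaddr
2: eth0    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link
"""

ULA = ipaddress.ip_network("fc00::/7")


def host_prefix(ip_output):
    """Return the network of the host's stable global address, or None."""
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet6" not in fields:
            continue
        i = fields.index("inet6")
        iface, flags = ipaddress.ip_interface(fields[i + 1]), fields[i + 2:]
        if flags[:2] != ["scope", "global"] or iface.ip in ULA:
            continue  # link-local or ULA: not the prefix handed down by the router
        if {"temporary", "deprecated"} & set(flags):
            continue  # privacy or expiring address
        return iface.network
    return None


def docker_subnet(prefix, index=1):
    """Carve the index-th /80 out of the host's /64 (index 1 is an assumption)."""
    if prefix.prefixlen != 64 or not 0 <= index < 2 ** 16:
        raise ValueError("expected a /64 and an index below 65536")
    return ipaddress.IPv6Network((int(prefix.network_address) + (index << 48), 80))


def updated_daemon_json(current_text, subnet):
    """Return new daemon.json text, or None when the subnet is unchanged."""
    cfg = json.loads(current_text)
    if cfg.get("ipv6") is True and cfg.get("fixed-cidr-v6") == str(subnet):
        return None
    cfg.update({"ipv6": True, "fixed-cidr-v6": str(subnet)})
    return json.dumps(cfg, indent=2)
```

Writing the file, restarting Docker and getting the /80 routed to the Docker host are left out; the sketch only covers detecting a prefix change and computing the new subnet.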
meyergru
Hero Member
Posts: 1769
Karma: 172
IT Aficionado
Re: Use IPv6 functionality in docker host for dynamic IPv6 address
« Reply #1 on: September 23, 2024, 12:40:19 am »
Indeed IPv6 for docker is special. As far as my own investigations went, I found that it only works for static IPv6 (which I cannot get) and even then has some tricks up its sleeve.
Maybe that is the reason why few people actually use this and expose services on the docker container via a reverse proxy like HAproxy, nginx, traefik or caddy. Since you already use caddy, it will be easier to make the frontend available to IPv6 only and access the backend services via IPv4 only. This applies to the other reverse proxies as well.
Besides being able to map services purely name-based, you can thus do this regardless of IPv6 or IPv4 and also manage TLS termination and certificate prolongation centrally on your OpnSense.
In the outbound direction, you can use a forward proxy like squid if your docker container needs to access IPv6 services. I had to use this for uptime kuma and gatus, for example. Obviously, the proxy cannot run as a container itself, as it must be accessible via IPv4 and be capable of connecting to IPv6-only sites.
BTW: If you run your squid on OpnSense: There is currently a problem after a reboot - squid starts, but accepts no connections - it will work only after a restart. Currently, I resort to a squid instance on the docker host itself.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
Baender
Full Member
Posts: 107
Karma: 4
Re: Use IPv6 functionality in docker host for dynamic IPv6 address
« Reply #2 on: September 23, 2024, 09:26:05 am »
Do I understand correctly that Caddy can forward IPv6 requests from my OPNsense to my service host as long as the service host also has an IPv6 address?
Code:
Firewall --> Service Host [Docker --> Caddy:80 (IPv4)]
(Caddy-os) IPv4/6 IPv4
The Docker container is exposed on port 80 on the service host and all containers only have an IPv4 address. I have not activated IPv6 in Docker myself.
As I also want to add Uptime Kuma, could you describe it a bit more? Is this an obvious issue you could run into?
meyergru
Hero Member
Posts: 1769
Karma: 172
IT Aficionado
Re: Use IPv6 functionality in docker host for dynamic IPv6 address
« Reply #3 on: September 23, 2024, 10:58:04 am »
No, as I said, IPv6 on Docker is ultra-hard and nearly infeasible - but unnecessary.
I have not used Caddy specifically, but HAproxy. Both are application level reverse proxies, so whatever they receive on either IPv6 or IPv4 will be forwarded to a configurable backend, which potentially can be either IPv6 or IPv4. With HAproxy, you create a name-based mapping for several backends in order to do this, I bet this is similar on Caddy.
But since this takes place at the application level, you can have any backend/frontend combination of IPv6 and IPv4. This is an opportunity to have IPv4 only at the backend (i.e. docker) while serving both IPv6 and IPv4 at the frontend of the reverse proxy for incoming requests. Thereby, you eliminate the need for IPv6 on Docker - all of this translation is handled on the reverse proxy.
The only need for IPv6 connectivity on the Docker host (i.e. not the containers) itself arises when you need an IPv6-outbound capable proxy that you can use via IPv4 from your containers, like if you want to test IPv6 endpoints with Uptime Kuma. Currently, you cannot use Squid on OpnSense for this because of the noted problem after a reboot.
« Last Edit: September 23, 2024, 11:14:51 am by meyergru »
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1662
Karma: 178
Re: Use IPv6 functionality in docker host for dynamic IPv6 address
« Reply #4 on: September 23, 2024, 11:04:02 am »
Caddy also has a forward proxy module but it's not implemented in the plugin (out of scope). But it would be interesting inside a separate VM where Caddy would be reverse and forward proxy at the same time to translate IPv4 to IPv6 and back for each side of the connection initialization.
https://github.com/caddyserver/forwardproxy
Hardware: DEC740
Baender
Full Member
Posts: 107
Karma: 4
Re: Use IPv6 functionality in docker host for dynamic IPv6 address
« Reply #5 on: September 23, 2024, 11:11:46 am »
Thank you for the information and the insight. I guess I can halt my research in IPv6 Docker then. This is wonderful.
As I have no IPv6-only services, it will be enough to use the reverse proxy for now.
meyergru
Hero Member
Posts: 1769
Karma: 172
IT Aficionado
Re: Use IPv6 functionality in docker host for dynamic IPv6 address
« Reply #6 on: September 23, 2024, 11:13:08 am »
Correct, it would be nice if the Caddy plugin could also handle forward traffic as well - with an accent on "VM" or "Jail" on OpnSense as opposed to "Docker container", because Docker does not handle IPv6 too well.
BTW: The squid issue is on github ...
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1662
Karma: 178
Re: Use IPv6 functionality in docker host for dynamic IPv6 address
« Reply #7 on: September 23, 2024, 11:24:21 am »
Well if somebody wants to add it, it wouldn't be too hard. But I don't need it personally so I won't do it.