I found another answer and looked through the official Docker IPv6 docs, but I'm still having trouble with IPv6 and Docker. If I expose public ports on Docker containers, I can connect to them via IPv6. From within the container, I can ping6 out to other IPv6 hosts on other providers. However, if I try to make a TCP connection over IPv6 (http, telnet, nc, etc.) it times out and fails.

Here is my public adapter:

2: ens3: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 56:00:01:46:4e:fe brd ff:ff:ff:ff:ff:ff
    inet 45.32.64.134/23 brd 45.32.65.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2001:19f0:6001:1c12:5400:1ff:fe46:4efe/64 scope global mngtmpaddr dynamic 
       valid_lft 2591898sec preferred_lft 604698sec
    inet6 2001:19f0:6001:1e43:5400:1ff:fe46:4efe/64 scope global mngtmpaddr dynamic 
       valid_lft 2591898sec preferred_lft 604698sec
    inet6 fe80::5400:1ff:fe46:4efe/64 scope link 
       valid_lft forever preferred_lft forever

The 2001:19f0:6001:1c12::/64 is the one I care about (Vultr lets you reserve IPv6 addresses that will survive rebuilds, but it also gives you another address for some reason). I set up my daemon.json for Docker like so:

{
    "tls": true,
    "tlsverify": true,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server.crt",
    "tlskey": "/etc/docker/server-key.pem",
    "ipv6": true,
    "fixed-cidr-v6": "2001:19f0:6001:1c12::1/80",
    "hosts": ["127.0.0.1:2376", "10.10.6.10:2376", "fd://"]
}

and my ndppd conf like so:

route-ttl 30000
proxy ens3 {
  router yes
  timeout 500
  ttl 30000
  rule 2001:19f0:6001:1c12::/64 {
    static
  }
}

I can ping6 fine:

docker exec -it mycontainer ping6 google.com
PING google.com (2607:f8b0:4007:80b::200e): 56 data bytes
64 bytes from 2607:f8b0:4007:80b::200e: seq=0 ttl=56 time=1.166 ms
64 bytes from 2607:f8b0:4007:80b::200e: seq=1 ttl=56 time=0.575 ms
64 bytes from 2607:f8b0:4007:80b::200e: seq=2 ttl=56 time=0.475 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.475/0.738/1.166 ms

...which I couldn't do before ndppd was running, but I still can't connect via IPv6 outbound:

docker run -it alpine ash -c "ip -6 addr show dev eth0; ip -6 route show"
191: eth0@if192: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 state UP 
    inet6 2001:19f0:6001:1c12::242:ac11:7/80 scope global flags 02 
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:7/64 scope link tentative 
       valid_lft forever preferred_lft forever
2001:19f0:6001:1c12::/80 dev eth0  metric 256 
fe80::/64 dev eth0  metric 256 
default via 2001:19f0:6001:1c12::1 dev eth0  metric 1024 
unreachable default dev lo  metric -1  error -101
ff00::/8 dev eth0  metric 256 
unreachable default dev lo  metric -1  error -101

What am I missing?

  • You shouldn't use `/80` networks with IPv6. Some things have problems if your networks are not `/64`. See [this answer](https://networkengineering.stackexchange.com/a/38201/8499) for links about the problems with using network sizes other than `/64`. – Ron Maupin Nov 29 '17 at 18:36
  • So what should I use for my Docker IPv6 fixed-cidr argument? If I try `2001:19f0:6001:1c12::/64` or `2001:19f0:6001:1c12::1/64`, I get a `failure to add ip to bridge: file exists` error. If I try to use `/128`, I get a `failed to allocate gateway. No available addresses on this pool`. What's the right way to subdivide that IPv6 subnet? – djsumdog Nov 29 '17 at 20:46
  • You assign an address the same way you do for IPv4. For example, you can assign an IPv4 address as `10.11.12.13/24`, or with IPv6, you could assign `2001:19f0:6001:1c12::242:ac11:7/64`, rather than `2001:19f0:6001:1c12::242:ac11:7/80`. – Ron Maupin Nov 29 '17 at 20:49
  • I changed the `daemon.json` for Docker to use a `fixed-cidr-v6` of `"2001:19f0:6001:1c12::242:ac11:7/64"`. I still have the same issue. I can ping6 to an IPv6 host from within a docker container, but can't establish an HTTP connection. (`curl -v https://google.com * Rebuilt URL to: https://google.com/ * Hostname was NOT found in DNS cache * Trying 2607:f8b0:4007:802::200e... * Trying 172.217.6.78... * Connected to google.com (172.217.6.78) port 443 (#0)`) – djsumdog Nov 29 '17 at 22:01
  • I wasn't actually answering your question; I was merely commenting that you can have problems with network sizes other than `/64`. It sounds like you have an IPv6 routing problem. It may be that you don't have IPv6 through the Internet, the router is not correctly configured, or something else. You should wait for an expert on your system to answer your question. – Ron Maupin Nov 29 '17 at 22:45

1 Answer

Turns out I was pretty much on the right track and my actual issue was with the firewall. The following needs to be set in /etc/default/ufw if you're using UFW to set up your iptables rules:

DEFAULT_FORWARD_POLICY="ACCEPT"

For completeness, the Docker daemon.json doesn't need the ::1 in the subnet:

"fixed-cidr-v6": "2001:19f0:6001:1c12::/80"

...and the ndppd.conf should look like the following:

proxy ens3 {
  timeout 500
  ttl 30000
  rule 2001:19f0:6001:1c12::/80 {
    static
  }
}
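The thread ends up touching four things that all have to agree: the prefix routed to the host, Docker's `fixed-cidr-v6` pool, the ndppd rule that proxies neighbour discovery for that pool, and the host's forward policy (the UFW setting in the answer), plus the address and default route a container actually receives. The checker below is an added example written for this page; it is not code from the thread, Docker, ndppd or UFW. It parses text in the formats shown above and reports the misconfigurations discussed here: a pool outside the host's prefix, host bits in `fixed-cidr-v6` (the `::1/80` form from the question), an ndppd rule that does not cover the pool, a forward policy other than ACCEPT, and a container address or gateway outside the pool. The non-/64 warning follows Ron Maupin's comment. All sample inputs are constructed from the values posted in the question and answer; the `/etc/default/ufw` fragment is constructed as well.

```python
"""Consistency checker for Docker IPv6 pool, ndppd rule, UFW forward policy and
the container's resulting address/route.  Added example, not from the thread."""
import ipaddress
import json
import re

# Constructed sample inputs built from the values posted in the thread.
HOST_PREFIX = "2001:19f0:6001:1c12::/64"      # the /64 the provider routes to ens3
DAEMON_JSON = '{"ipv6": true, "fixed-cidr-v6": "2001:19f0:6001:1c12::/80"}'
NDPPD_CONF = """proxy ens3 {
  timeout 500
  ttl 30000
  rule 2001:19f0:6001:1c12::/80 {
    static
  }
}
"""
UFW_DEFAULTS = 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="ACCEPT"\n'  # constructed
CONTAINER_ADDRS = """    inet6 2001:19f0:6001:1c12::242:ac11:7/80 scope global flags 02
    inet6 fe80::42:acff:fe11:7/64 scope link tentative
"""
CONTAINER_ROUTES = """2001:19f0:6001:1c12::/80 dev eth0  metric 256
fe80::/64 dev eth0  metric 256
default via 2001:19f0:6001:1c12::1 dev eth0  metric 1024
"""


def parse_fixed_cidr(daemon_json):
    """Return (pool network, True if the value carried host bits such as '::1/80')."""
    iface = ipaddress.ip_interface(json.loads(daemon_json)["fixed-cidr-v6"])
    return iface.network, iface.ip != iface.network.network_address


def parse_ndppd_rules(conf):
    """Return {interface: [networks]} for every 'rule' inside each 'proxy' block."""
    rules, iface = {}, None
    for line in conf.splitlines():
        m = re.match(r"\s*proxy\s+(\S+)\s*\{", line)
        if m:
            iface = m.group(1)
            rules.setdefault(iface, [])
            continue
        m = re.match(r"\s*rule\s+(\S+)\s*\{", line)
        if m and iface is not None:
            rules[iface].append(ipaddress.ip_network(m.group(1), strict=False))
    return rules


def parse_ufw_forward_policy(defaults):
    """DEFAULT_FORWARD_POLICY value from /etc/default/ufw text, or None if unset."""
    m = re.search(r'^\s*DEFAULT_FORWARD_POLICY="?(\w+)"?', defaults, re.M)
    return m.group(1) if m else None


def parse_global_addrs(ip_addr_output):
    """Global-scope inet6 entries from 'ip -6 addr show' output."""
    return [ipaddress.ip_interface(m.group(1)) for m in
            re.finditer(r"^\s*inet6\s+(\S+)\s+scope\s+global", ip_addr_output, re.M)]


def parse_default_gateway(ip_route_output):
    """Next hop of the default route from 'ip -6 route show' output, or None."""
    m = re.search(r"^default via (\S+)", ip_route_output, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None


def check(host_prefix, daemon_json, ndppd_conf, ufw_defaults, ip_addr_output, ip_route_output):
    """Return (errors, warnings): errors break container IPv6, warnings are caveats."""
    errors, warnings = [], []
    host_net = ipaddress.ip_network(host_prefix)
    pool, host_bits = parse_fixed_cidr(daemon_json)
    if host_bits:
        warnings.append(f"fixed-cidr-v6 carries host bits; use the bare prefix {pool}")
    if not pool.subnet_of(host_net):
        errors.append(f"pool {pool} is not inside the prefix routed to this host ({host_net})")
    if pool.prefixlen != 64:
        warnings.append(f"pool {pool} is not a /64; SLAAC-based tooling may misbehave")
    rules = parse_ndppd_rules(ndppd_conf)
    if not any(pool.subnet_of(r) for nets in rules.values() for r in nets):
        errors.append(f"no ndppd rule covers {pool}; the upstream router cannot reach containers")
    policy = parse_ufw_forward_policy(ufw_defaults)
    if policy != "ACCEPT":
        errors.append(f"UFW DEFAULT_FORWARD_POLICY is {policy}; FORWARD chain drops container traffic")
    addrs = parse_global_addrs(ip_addr_output)
    if not addrs:
        errors.append("container has no global IPv6 address")
    errors += [f"container address {a.ip} lies outside pool {pool}" for a in addrs if a.ip not in pool]
    gw = parse_default_gateway(ip_route_output)
    if gw is None:
        errors.append("container has no IPv6 default route")
    elif gw not in pool:
        errors.append(f"container default gateway {gw} is not in pool {pool}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check(HOST_PREFIX, DAEMON_JSON, NDPPD_CONF, UFW_DEFAULTS,
                        CONTAINER_ADDRS, CONTAINER_ROUTES)
    for line in ["ERROR: " + e for e in errs] + ["WARN:  " + w for w in warns]:
        print(line)
    print("consistent" if not errs else "broken")
```

Run against the answer's final configuration it reports no errors and only the non-/64 warning; feeding it the question's `::1/80` value, a UFW file still at its DROP default, or an ndppd rule for the host's other /64 makes the corresponding error or warning appear. Keeping the check read-only (it never calls `docker`, `ndppd` or `ufw`) means it can be run from the host before any firewall change is made.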