IPv6 setup server/docker - part 3
In my previous section, I covered the setup of my USG router and LAN networks.
This section covers the setup of my primary server and Docker. (USG)
Home server
As seen on other pages, I am a Docker fan (maybe Kubernetes in future). When I got my Intel NUC last year, I wanted to set it up with a common architecture for applications.
I started with VirtualBox and having each application in its own virtual machine, but found this too limiting and also unstable.
I am really happy with the switch to Docker and the support for applications on this platform.
It is just so easy to install new applications knowing you can't really corrupt the rest of your system.
IPv6 setup
My server runs Ubuntu 20.04 and when I activated IPv6 on my LAN network, it automatically obtained an IPv6 address. I have not yet assigned this as a static IP and don't really need to, as the server keeps the same IP when restarted and is rarely restarted. (This is an item on my to-do list.)
IPv6 for Docker
By its nature, Docker tries to separate the networks used by the container from the host server to provide a secure and contained environment.
With IPv4 in containers you generally have to expose ports from the container to the host. You can also use the host network in a container or bridge networks.
Issue: Docker is not designed to use the global IPv6 range within containers.
I found a solution using IPV6NAT which I will cover below.
Configuring Docker for IPv6
The first step is to assign a ULA IPv6 range for Docker to use for its containers. Just 2 steps required here.
- Edit /etc/docker/daemon.json, set the ipv6 key to true and the fixed-cidr-v6 key to your IPv6 subnet. In this example we are setting it to 2001:db8:1::/64. (It doesn't really matter what is used as it is only used within Docker.)
  { "ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64" }
  Save the file.
- Reload the Docker configuration file.
  $ systemctl reload docker
Getting containers to communicate to the outside world with IPv6
Issue: When you expose a port in a container it is only really exposed for the IPv4 address of the host.
I found 2 solutions on the internet. One was a convoluted setup of routing via ip6tables with many steps.
The other was to use a container called IPV6NAT that makes the required configurations.
Kudos to robbertkl for this. It took me 5 minutes to set up and worked out of the box. I also read that Docker is now looking at something similar for their core support of IPv6.
To set this up, all you need is to create an IPv6 network in Docker. This must be a ULA network.
I used fd00:dead:beef::/48
The IPV6NAT container will then manage the host's IPv6 firewall using ip6tables. Essentially, it monitors the docker.sock for container changes and dynamically updates the firewall to allow access to the exposed port of the container on the container's IPv6 address.
As the author said, using NAT (Network Address Translation) for IPv6 is not the best way, but Docker uses NAT for IPv4 access into its containers, and since IPv6 is not well integrated into Docker, it really is a matter of finding a solution that works and, most importantly, keeping it simple. This container does the job.
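The ULA requirement above can be checked before the IPV6NAT container is started. This is an added example, not code from the original post or from the IPV6NAT project: it classifies Docker's IPv6 ranges with Python's ipaddress module, using the two prefixes from this page and two made-up network names.

```python
import ipaddress
import json

ULA = ipaddress.ip_network("fc00::/7")        # RFC 4193 unique local range
ULA_LOCAL = ipaddress.ip_network("fd00::/8")  # locally assigned half of it
DOC = ipaddress.ip_network("2001:db8::/32")   # RFC 3849 documentation prefix

# Constructed sample input: the daemon.json from this page plus two
# hypothetical user-defined networks (names are made up).
SAMPLE_DAEMON_JSON = '{ "ipv6": true, "fixed-cidr-v6": "2001:db8:1::/64" }'
SAMPLE_NETWORKS = {
    "ipv6nat-net": "fd00:dead:beef::/48",
    "typo-net": "fd00:dead:beef::1/48",  # host bits set, not a valid subnet
}


def classify(cidr):
    """Classify a subnet string by the IPv6 range it falls in."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return "invalid"
    if net.version != 6:
        return "not-ipv6"
    if net.subnet_of(ULA_LOCAL):
        return "ula"
    if net.subnet_of(ULA):
        return "ula-reserved"  # fc00::/8 has no defined assignment method
    if net.subnet_of(DOC):
        return "documentation"
    return "global-or-other"


def audit(daemon_json, networks):
    """Return {name: (cidr, kind)} for every range that is not a usable ULA."""
    cfg = json.loads(daemon_json)
    ranges = dict(networks)
    if cfg.get("ipv6") and "fixed-cidr-v6" in cfg:
        ranges["daemon.json fixed-cidr-v6"] = cfg["fixed-cidr-v6"]
    findings = {}
    for name, cidr in ranges.items():
        kind = classify(cidr)
        if kind != "ula":
            findings[name] = (cidr, kind)
    return findings


if __name__ == "__main__":
    for name, (cidr, kind) in audit(SAMPLE_DAEMON_JSON, SAMPLE_NETWORKS).items():
        print(f"{name}: {cidr} is {kind}, expected a ULA prefix in fd00::/8")
```

A "global-or-other" result is the one to look at first, since it means containers would be numbered from a range that can be routed on the internet.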
Applications
All the applications I am using have been able to be accessed using the IPv6 address of the server along with their corresponding port.
Issue: Entering an IPv6 address in the browser requires it to be enclosed with square brackets.
Example: http://[2001:1111:2222:1df1::7e4]:8096/web/index.html
I mostly use DNS for my applications and these have both the IPv4 and IPv6 address defined.
Additionally, as I am using Traefik, most of them have a common entry point to secure and route them.
The test
So, I have an IPv6-only WiFi network set up, and my clients can do most of their work on this.
I noticed they will use IPv6 in preference to IPv4 in the case that both are available.
I don't notice any performance improvements, but didn't expect any either.
Unifi not manageable via IPv6
Issue: The only devices not available for management via IPv6 are my Unifi devices.
Unfortunately, at this time Unifi still requires an underlying IPv4 network for their device management.
Stocktake - home server
IPv6 is working for my applications.
In the next section I cover the configuration of my sensors (Arduino and ESP8266).