Docker container with bridge-mode network can't access IPv6 network

Hi there,

I enabled IPv6 for Docker on my OpenWrt by adding the content below to the file: /etc/docker/daemon.json

{
    "ipv6": true,
    "fixed-cidr-v6": "fd00::/80",
    "experimental": true,
    "ip6tables": true
}

and uncommented the line option alt_config_file in the file: /etc/config/dockerd

root@Openwrt:~# cat /etc/config/dockerd
# The following settings require a restart of docker to take full effect, A reload will only have partial or no effect:
# log_driver
# bip
# blocked_interfaces
# extra_iptables_args
# device

config globals 'globals'
	option alt_config_file '/etc/docker/daemon.json'

then restarted dockerd by:

root@Openwrt:~# /etc/init.d/dockerd restart

A container with the bridge network type can't access the IPv6 network:

root@Openwrt:~# docker run --rm --network bridge alpine ping6 -c 2 www.taobao.com
PING www.taobao.com (2408:871a:2800:2:3::3eb): 56 data bytes

--- www.taobao.com ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

A container with the host network type works fine over IPv6:

root@Openwrt:~# docker run --rm --network host alpine ping6 -c 2 www.taobao.com
PING www.taobao.com (2408:871a:2800:2:3::3ec): 56 data bytes
64 bytes from 2408:871a:2800:2:3::3ec: seq=0 ttl=57 time=10.122 ms
64 bytes from 2408:871a:2800:2:3::3ec: seq=1 ttl=57 time=10.341 ms

--- www.taobao.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss

Does anyone have an idea how to solve this issue?

My Docker version is as below:

root@Openwrt:~# docker version
Client:
 Version:           20.10.17
 API version:       1.41
 Go version:        go1.18.4
 Git commit:        100c701
 Built:             Mon Sep 19 23:09:18 2022
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.17
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.4
  Git commit:       a89b842
  Built:            Mon Sep 19 01:48:26 2022
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          1.6.8
  GitCommit:        
 runc:
  Version:          1.1.4
  GitCommit:        
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Thanks in advance!

Since you are using ULAs, first try to ping some IPv6 addresses on the OpenWrt router and in the LAN. Then the problem might be that you haven't configured IPv6 NAT or network prefix translation which is needed if you want to use a ULA to reach the Internet.

Also, the ULA is incorrect; it needs to contain a random prefix after "fd" according to RFC 4139. Though it won't cause issues until you want to connect to someone else who also uses fd00::/48.

IPv6 on my host OpenWrt router works fine:

root@Openwrt:~# ping6 -c 5 www.taobao.com
PING www.taobao.com (2408:871a:2800:2:3::3eb): 56 data bytes
64 bytes from 2408:871a:2800:2:3::3eb: seq=0 ttl=57 time=10.380 ms
64 bytes from 2408:871a:2800:2:3::3eb: seq=1 ttl=57 time=9.872 ms
64 bytes from 2408:871a:2800:2:3::3eb: seq=2 ttl=57 time=10.032 ms
64 bytes from 2408:871a:2800:2:3::3eb: seq=3 ttl=57 time=10.135 ms
64 bytes from 2408:871a:2800:2:3::3eb: seq=4 ttl=57 time=10.328 ms

--- www.taobao.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 9.872/10.149/10.380 ms
root@Openwrt:~# 

and this "fd00::/80" config works well on a Debian host; I just copied the config from my Debian host.

debian@localhost:~$ docker run --rm --network bridge alpine ping6 -c 2 www.youtube.com
PING www.youtube.com (2a00:1450:400e:80e::200e): 56 data bytes
64 bytes from 2a00:1450:400e:80e::200e: seq=0 ttl=120 time=35.546 ms
64 bytes from 2a00:1450:400e:80e::200e: seq=1 ttl=120 time=2.765 ms

--- www.youtube.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 2.765/19.155/35.546 ms
debian@localhost:~$ 

My issue was resolved by following the steps in this doc: https://docs.docker.com/config/daemon/ipv6/
It must use a prefix like: "2001:db8:1::/64"

"fd00::/80" doesn't work on it, although this prefix works on Ubuntu/Debian/Alpine.
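
The points raised in the reply about ULAs (NAT or prefix translation, and the random part after "fd") and the prefix choice in the fix can be checked mechanically before restarting dockerd. The following is an added example, not part of the thread or of Docker's own code; the function names and finding codes are hypothetical, and the sample is the daemon.json posted in the question.

```python
import ipaddress
import json
import secrets

ULA = ipaddress.IPv6Network("fc00::/7")       # unique local address space
DOC = ipaddress.IPv6Network("2001:db8::/32")  # reserved for documentation

def check_daemon_ipv6(daemon_json):
    """Return finding codes (hypothetical names) for a daemon.json string."""
    cfg = json.loads(daemon_json)
    if not cfg.get("ipv6"):
        return ["ipv6-disabled"]
    try:
        cidr = str(cfg.get("fixed-cidr-v6") or "")
        net = ipaddress.IPv6Network(cidr, strict=False)
    except ValueError:
        return ["fixed-cidr-v6-missing-or-invalid"]
    findings = []
    if net.subnet_of(ULA):
        # ULAs are not routed on the Internet: outbound traffic needs
        # IPv6 NAT or network prefix translation somewhere on the path.
        findings.append("ula-needs-nat-or-npt")
        # The 40 bits after the first byte are the global ID; all zeros
        # means the prefix was not randomly generated.
        global_id = (int(net.network_address) >> 80) & (2**40 - 1)
        if global_id == 0:
            findings.append("ula-global-id-zero")
    elif net.subnet_of(DOC):
        # 2001:db8::/32 is a placeholder; substitute a prefix that is
        # actually routed to this host.
        findings.append("documentation-prefix-placeholder")
    if not cfg.get("ip6tables"):
        # Without this flag Docker adds no IPv6 rules of its own.
        findings.append("ip6tables-disabled")
    return findings

def random_ula_48():
    """Build a /48 ULA: the byte 0xfd followed by 40 random bits."""
    value = (0xFD << 120) | (secrets.randbits(40) << 80)
    return ipaddress.IPv6Network((value, 48))

# Constructed sample: the configuration posted in the question.
SAMPLE = ('{"ipv6": true, "fixed-cidr-v6": "fd00::/80", '
          '"experimental": true, "ip6tables": true}')

if __name__ == "__main__":
    print(check_daemon_ipv6(SAMPLE))
    print("candidate ULA prefix:", random_ula_48())
```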
