Docker custom network type: macvlan

Host access to custom networks: Enabled

I ran “AdGuard-Home” using a container and set the host's DNS to it

But I found that the host can only access the container's IPv4

From the "AdGuard Home" log, it can be seen that other devices in my home network have records of accessing this container through IPV6, while "UNRAID" only has access records for IPV4. Please help me

Yeah... one more guy that does not know about V6 address schemes yet...

So let's clear it up:

 

fe80:: is NOT the equivalent to IPV4s 192.168.x.x ("private" address range)!

 

Instead, fe80 is something new, called "local" address.

"local" addresses are only valid for the particular adapter they are assigned to (in case of a docker, only the docker net) and can never make contact outside this "cable" area.

They are used by the procotcol itself. The basics like ICMP (ping) or the new great feature called "neighbor discovery protocol" (NDP) which is the successor for ARP on V4.

This NDP sends and collects all other addresses of the adapters and therefor creates a routing table remembering that a (global or private) address X can be reached via local address fe80::... (the one of that neighbor).

Local addresses should never be used for higher protocols like http or ftp or something. SSH is tolerated for emergency situations but should be avoided too normally.

(the point is: "SHOULD", they work of course also for higher stuff but then you are running into the limit of "the same cable")

 

IP V6 also has "private addresses", they start with the prefix FD..::

These are routed among all FE80 LANs, but never send out over a router to the internet (this is a builtin feature of the router)

 

Addresses "below" 8000:: are called "global" and routed everywhere.

 

So, if you want your docker to be accessible from the outside, you have to give him a real address, NOT fe80::!

(you cannot get rid of FE80:: it will be assigned automatically, but you have to add another "real" address.)

 

usually UNRAID dockers get the FD17:: address too:

 

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fd17::1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::42:7cff:fe52:d6d2  prefixlen 64  scopeid 0x20<link>

docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fd17::1  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::1  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::42:7cff:fe52:d6d2  prefixlen 64  scopeid 0x20<link>

(but then, this is only a "private" address too, not for internet usage)

 

if you need accessibility from the internet, you have to run your docker either in "host mode" (gets the same addresses like the unraid server, ports may collide, so be careful) or "custom br0 mode" and assign static addresses to the docker (which may be inconviniant if your prefix changes often)

 

Or you put your docker behind a reverse proxy like "nginx proxy manager" (in hostmode) and only use the docker's V4 address internally.

 

(Dockers are not really V6 ready now, this is ongoing work in progress they say)

 

Addon: you might notice that some "documentations" about adguard home are simply wrong.

Like this one:

https://www.machs-smart.de/pihole-adguard-raspberry-werbeblocker/

 

if you read (and look) through it carefully, you might notice that in the 1s screenshot it uses

example address, but later on it switches to

Obviously the author has noticed that fe80 does not work at all.