sjaak Posted April 30, 2020 (edited May 3, 2020)

Unraid V6.8.2 Nvidia build.

The problem: unRAID doesn't work properly with IPv6.

I have created an IPv6 tunnel broker (Hurricane Electric) on my OPNsense router to enable IPv6 on my network. (ISP has the option "DS-Lite" (carrier-grade NAT) or IPv4 only.) Every machine is working fully fine with IPv6; even the VMs on Unraid work with IPv6, no manual installation needed. Only Unraid doesn't work with it. For testing I used the website https://test-ipv6.com/. It's working fine on every machine here (incl. VMs on Unraid) but not directly on Unraid itself. (I use the GUI boot.)

What did I do wrong, or what is wrong with Unraid? Everything is set to auto; the only change is the network protocol from "ipv4" to "ipv4+ipv6".

    br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
            inet 10.0.3.2 netmask 255.255.255.0 broadcast 0.0.0.0
            inet6 2001:XX:XX:XX:XX:b29a:ffa5:3ae6 prefixlen 128 scopeid 0x0<global>
            inet6 fe80::e2d5:5eff:XX:XX prefixlen 64 scopeid 0x20<link>
            inet6 2001:XX:XX:XX:XX:5fff:53c:2c53 prefixlen 64 scopeid 0x0<global>
            ether e0:d5:5e:68:XX:XX txqueuelen 1000 (Ethernet)
            RX packets 195333 bytes 268545945 (256.1 MiB)
            RX errors 0 dropped 0 overruns 0 frame 0
            TX packets 60352 bytes 12172817 (11.6 MiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
            inet6 fe80::e2d5:5eff:XX:XX prefixlen 64 scopeid 0x20<link>
            ether e0:d5:5e:68:XX:XX txqueuelen 1000 (Ethernet)
            RX packets 416632 bytes 593217654 (565.7 MiB)
            RX errors 0 dropped 49 overruns 0 frame 0
            TX packets 165983 bytes 17702085 (16.8 MiB)
            TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

sjaak Posted May 4, 2020 (edited May 4, 2020)

Well, the problem was that the DHCP server didn't give Unraid the IPv6 DNS server. Now it has working DNS (tested with the Firefox container, with the extra parameters: "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2"). This container has working IPv6, but the other containers don't work with these parameters...

Damn, what a pain in the ass IPv6 with Docker is...

I know, I have to convert the link local address to the gateway address, but don't know how to do it... (IPv6-net::1) (need to config in the router)

bonienl Posted May 4, 2020 (edited May 4, 2020)

30 minutes ago, sjaak said:
    I know, I have to convert the link local address to the gateway address, but don't know how to do it... (IPv6-net::1) (need to config in the router)

The conversion is done automatically by Unraid, you don't need to worry.

Even though Docker wants the first address as gateway address, the containers actually learn the link local address too and can use this as default gateway. This means you do not have to configure an additional address on your router, it is optional.

This is the routing table of the Firefox container, note the fe80:: default route:

    tmp # ip -6 route
    2a02:xxxx:xxxx:101::/64 dev eth0 metric 256
    fe80::/64 dev eth0 metric 256
    ff00::/8 dev eth0 metric 256
    default via 2a02:xxxx:xxxx:101::1 dev eth0 metric 1024
    default via fe80::1ae8:29ff:febd:80c7 dev eth0 metric 1024 expires 0sec

sjaak Posted May 4, 2020

Well, I understand that as a "workaround" I can config it in the router...

The only way to get IPv6 working inside Docker is to change the network to br0 and use the extra parameters "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2", but I use VLANs and created letsencrypt with the spaceinvaderone video (proxynet network). I have no idea how to enable IPv6 on that, and using its own IP address for every container is too much for me...

(We have already had a conversation on Tweakers.)

bonienl Posted May 4, 2020

8 minutes ago, sjaak said:
    Well, I understand that as a "workaround" I can config it in the router...

Yeah, I didn't explain that well enough on Tweakers. Sorry.

There is no difference between a VLAN and physical interface, both work in the same way with IPv6 (I can run my Firefox container on either a physical interface or VLAN interface without modification, only the IPv6 address changes because these are different networks).

Unfortunately, I have no experience with Letsencrypt (not using it) and can't help you on this. Perhaps other users may jump in.

sjaak Posted May 4, 2020

The problem is not the letsencrypt container. I changed the network from "proxynet" to br0. At first I didn't get an IPv6 address; after putting in the extra parameters "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2", letsencrypt got an IPv6 address (but it is not visible in the DHCP6 server leases).

Tested inside the console of the container: ping6 google.com works, and I can use its IPv6 address to gain access to its interface.

So, br0 works fine, but every 'custom network' inside Docker isn't working with IPv6...

bonienl Posted May 4, 2020

net.ipv6.conf.all.disable_ipv6=0 is the default setting already and does not need to be set again.

net.ipv6.conf.eth0.use_tempaddr=2 enables the privacy extensions on interface eth0; this is an optional setting.

In short, I am puzzled why you need these settings, because all is supposed to work without these.

There is a bug: privacy extensions cannot be enabled from the GUI. I made a correction for the next release.

1 hour ago, sjaak said:
    but every 'custom network' inside Docker isn't working with IPv6

It works for me ... Is there a specific container you are testing?

sjaak Posted May 4, 2020

Tested the "Proxynet" (made this one with the video from spaceinvaderone): not working.
Using the default "bridge": not working.
Setting the Docker container to "host": works!

I'm going to enable the privacy extension and remove those extra parameters and test if it works.

sjaak Posted May 4, 2020 (edited May 4, 2020)

Tried to enable IPv6 privacy extensions; every time I click apply, it resets to disabled. Tried this with the automatic setting and static. On auto the IPv6 DNS server fails. It's set in the DHCP6 server, only Unraid is not getting the IPv6 DNS server, so it's now set to static.

I have no idea why the privacy extensions can't be enabled... (nothing about it is mentioned in the logbook.)

Also, I removed the parameter "--sysctl net.ipv6.conf.all.disable_ipv6=0" from the Firefox container and it loses the IPv6 connection; putting it back, IPv6 is back...

I have no idea what's going on here 🙄

bonienl Posted May 4, 2020

47 minutes ago, sjaak said:
    Tried to enable IPv6 privacy extensions; every time I click apply, it resets to disabled.

This is a bug, which will be corrected in the next version of Unraid.

sjaak Posted May 4, 2020

Thanks, currently I'm still on 6.8.2, but will upgrade when it's available.

And the "net.ipv6.conf.all.disable_ipv6=0", I need this one. Is this a bug too, or did I do something wrong?

sjaak Posted May 4, 2020 (edited May 4, 2020)

After reading this topic: https://forums.unraid.net/topic/78382-docker-ipv6-fixed-ip-address/

I don't have any IPv6 subnet visible, only the IPv4 subnet is shown...

Firefox container is not listening on IPv6?

    04/05/2020 19:08:08 listen6: bind: Address in use
    04/05/2020 19:08:08 Not listening on IPv6 interface.

(I can browse the WWW through IPv6...)

bonienl Posted May 4, 2020

When there is no IPv6 network shown, it means Docker did not create it (usually due to some configuration conflict).

Can you post a screenshot of your Docker settings page, with the Docker service stopped and in advanced view?

sjaak Posted May 4, 2020

1 hour ago, bonienl said:
    When there is no IPv6 network shown, it means Docker did not create it (usually due to some configuration conflict). Can you post a screenshot of your Docker settings page, with the Docker service stopped and in advanced view?

Sure:

bonienl Posted May 5, 2020

That looks alright. I need your diagnostics to do further examination. See Tools -> Diagnostics.

sjaak Posted May 5, 2020 (edited May 5, 2020)

8 hours ago, bonienl said:
    That looks alright. I need your diagnostics to do further examination. See Tools -> Diagnostics.

Sure. Ignore those notifications from upsd[7111], a network switch is on its last miles...

PS: I still don't understand why Unraid is the only one that is not getting the IPv6 DNS on its own. Every device here got it automatically; it's set in the DHCP6 server.

bonienl Posted May 5, 2020

A small update you may want to make; it is not causing real issues, but your network.cfg file includes eth1 and eth2, which do not exist (anymore).

Delete these lines:

    IFNAME[1]="eth1"
    PROTOCOL[1]="ipv4+ipv6"
    USE_DHCP[1]="yes"
    USE_DHCP6[1]="yes"
    IFNAME[2]="eth2"
    PROTOCOL[2]="ipv4+ipv6"
    USE_DHCP[2]="yes"
    USE_DHCP6[2]="yes"

And change sysnics to:

    SYSNICS="1"

A reboot is required for the new settings.

Unraid gets a proper IPv6 address, but your router is advertising an additional /128 address, not sure why it is doing this. Check your router config.

This /128 address causes several issues, including Docker which doesn't accept a /128 subnet (invalid CIDR address) and this results in no IPv6 connectivity.

5 hours ago, sjaak said:
    why it's not getting the IPv6 DNS on its own

It is because of a limitation in Unraid 6.8. When IPv4 is configured with a static IP + DNS, then IPv6 DNS needs to be static too.

I have changed this behaviour and in Unraid 6.9, IPv6 DNS can be automatic independent of the IPv4 setting.

sjaak Posted May 5, 2020 (edited May 5, 2020)

I removed and changed the lines; after reboot I lost all network activity. Changed IP to IPv4 only, reboot, back in business! IPv6 enabled, still no proper IPv6... (set DNS static)

I have no idea why the /128 is here. I just followed the instructions: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html

All my devices have a /128 address (those are visible in the DHCPv6 leases), but all my other devices are working fully on IPv6; tested it by disabling IPv4 on them...

"ip -6 a" shows me this (this is on the VM):

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 2001:XXX:XXXX:XXX:XXXX:77d2:2124:62e7/128 scope global dynamic noprefixroute
           valid_lft 7196sec preferred_lft 4496sec
        inet6 2001:XXX:XXXX:XXX:XXXX:5886:cc08:3b44/64 scope global temporary dynamic
           valid_lft 86396sec preferred_lft 14396sec
        inet6 2001:XXX:XXXX:XXX:XXXX:fee8:3879:4ebf/64 scope global dynamic mngtmpaddr noprefixroute
           valid_lft 86396sec preferred_lft 14396sec
        inet6 fe80::XXXX:XXXX:b550:ed55/64 scope link noprefixroute
           valid_lft forever preferred_lft forever

"noprefixroute"...

bonienl Posted May 5, 2020

Docker and IPv6 are not going to work with this /128 address. This is a Docker implementation which I can't change.

bonienl Posted May 5, 2020

Ok, I had a look again and found a way to make Docker happy. I'll make an update for the next version and your server should work (including the /128 address).

sjaak Posted May 5, 2020 (edited May 5, 2020)

After reading the tutorial from pfSense (and I use OPNsense) I thought: let's change the Router Advertisements from 'Assisted' to 'Unmanaged'. After reboot I got a /64 address!

    # ip -6 a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    8: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 fe80::XXXX:XXXX:XXXX:7fb3/64 scope link
           valid_lft forever preferred_lft forever
    11: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
        inet6 2001:XXX:XXXX:XXX:XXXX:XXXX:XXXX:9065/64 scope global dynamic mngtmpaddr noprefixroute
           valid_lft 86020sec preferred_lft 14020sec
        inet6 fe80::XXXX:XXXX:XXXX:7fb3/64 scope link
           valid_lft forever preferred_lft forever

I guess that the Router Advertisements weren't set up correctly (or at least, I or the manual got something wrong). Now I can't see the leases in the DHCPv6 anymore; after some reading I found out that RA unmanaged means only SLAAC.

The only thing that is not working is IPv6 in the management GUI boot, no IPv6 at ipv6-test.com (I know, it isn't meant to browse the WWW).

I tried to do some port scans; the ports that are configured in the firewall are working correctly.

37 minutes ago, bonienl said:
    Ok, I had a look again and found a way to make Docker happy. I'll make an update for the next version and your server should work (including the /128 address).

Nice!

sjaak Posted May 7, 2020

Small update: Docker containers with the network set to "bridge" and "Host" don't work with IPv6; only set to br0 works with IPv6. I am not sure if Docker accepts SLAAC...

Unraid itself is still using a /64 address and it's holding it, whereas my VM changes IP address daily...

bonienl Posted May 7, 2020 (edited May 7, 2020)

The Docker implementation of IPv6 on bridge and host networks is flaky and interferes with the IPv6 routing of Unraid. It is switched off, and IPv6 is made only available for macvlan (custom) networks.

Docker doesn't use SLAAC, it is handing out IPv6 addresses in sequence. The gateway address is ::1, and ::2 will be the first container.

Privacy extensions (RFC4941) are intended to hide your identity when you are on the move. Typically useful for phones, tablets and laptops. When you connect "somewhere" you don't want people to be able to recognize it is you again (the MAC address of your device reveals your identity).

Servers are stationary and the use of privacy extensions is not meaningful. Some people even argue to not use them at all.

A server needs a dedicated address which doesn't change. Much like setting a static IPv4 address for a server.

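An added example, not part of any post in this thread: a Python check that reads `ip -6 a` style output and reports, per global address, whether its prefix can serve as a Docker IPv6 subnet, using the behaviour described in the thread (a /128 is rejected; in a /64 the gateway is ::1 and the first container ::2). The sample output and its 2001:db8:: documentation addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of `ip -6 a`; not taken from the thread.
SAMPLE = """\
11: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:3:aaaa:77d2:2124:62e7/128 scope global dynamic noprefixroute
    inet6 2001:db8:1:3:e2d5:5eff:fe68:1234/64 scope global dynamic mngtmpaddr noprefixroute
    inet6 fe80::e2d5:5eff:fe68:1234/64 scope link
"""

def global_addresses(text):
    """Yield (interface, IPv6Interface) for every 'scope global' address."""
    iface = None
    for line in text.splitlines():
        m = re.match(r"\d+:\s+([^:@\s]+)", line)      # "11: br0: <...>"
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"\s+inet6\s+(\S+)\s+scope\s+global", line)
        if m:
            yield iface, ipaddress.IPv6Interface(m.group(1))

def docker_plan(text):
    """Return (iface, address, subnet, detail) rows; subnet is None when unusable."""
    rows = []
    for iface, addr in global_addresses(text):
        net = addr.network
        if net.prefixlen == 128:
            # A /128 is a single host address: nothing to allocate containers from.
            rows.append((iface, str(addr), None, "host address only, no subnet"))
            continue
        # Sequential allocation as described in the thread: ::1 gateway, ::2 first container.
        detail = {"gateway": str(net[1]), "first_container": str(net[2])}
        rows.append((iface, str(addr), str(net), detail))
    return rows

if __name__ == "__main__":
    for row in docker_plan(SAMPLE):
        print(row)
```
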
sjaak Posted May 7, 2020

Well, in that case, I have to wait for the new Unraid version so I can switch back to DHCPv6 and use static IP settings and let Unraid handle its /128 address (or I find the right config on the router 😅).

My other VLAN is using DHCPv6+SLAAC and every device has its IP static, even with a reboot. unraid isn on that vlan and with every reboot it got another IP.

ken-ji Posted May 10, 2020

Would just like to add my 2bits here:

There are two ways you can configure Dockers and IPv6.

The first and foremost way is to configure the Docker network with either a default IPv6 pool (same as the one assigned to the interface) or statically assign one to it. This makes the whole assignment of IPv6 by Docker work like IPv4: sequentially, in order of the containers starting up. Docker will keep track of the IPv6 addresses assigned to the containers.

The 2nd way, which I am using, is to simply disable IPv6 at the Unraid network configuration level. Then all my containers have the "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2" extra parameters set. This makes Docker not bother at all with IPv6 assignments, does not do anything to the container routing tables, and does not add extra DNS settings to the IPv4 settings.

What happens then is that the network stack in the container will attempt to configure IPv6 via SLAAC and attempt to discover the router by router advertisements over the wire, assigning a privacy address if desired.

This mechanism works really well on my network running a Mikrotik router (which does not have DHCPv6, so everything is SLAAC using the dynamic /56 provided by my ISP). The whole thing works very well, particularly since the dynamic /56 has no guarantee of being the same across reboots, and with the absence of DHCPv6, my Unraid Docker networks would not be configurable anyway.

Also, I wanted to restrict which network interface and IP Unraid was able to use to host the SMB/SSH/HTTP services.

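An added example, not part of any post in this thread: a Python audit that shows why the thread ties privacy extensions (use_tempaddr=2) to the MAC address, by detecting SLAAC addresses whose interface ID is the modified EUI-64 form of RFC 4291 and printing the MAC it embeds. The first post's fe80::e2d5:5eff:... address next to ether e0:d5:5e:68:... follows this pattern; the addresses below are constructed and the function names are hypothetical.

```python
import ipaddress

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None.

    Heuristic: a random interface ID contains ff:fe at this position
    by chance about once in 65536 addresses.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]         # low 64 bits
    if iid[3:5] != b"\xff\xfe":                          # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def classify(addr):
    """Label an address by how its interface ID appears to have been chosen."""
    mac = eui64_mac(addr)
    if mac:
        return ("eui64", mac)                  # stable and reveals the MAC
    iid = int.from_bytes(ipaddress.IPv6Address(addr).packed[8:], "big")
    if iid < 0x10000:
        return ("low-numbered", None)          # static or sequential, e.g. ::2
    return ("opaque", None)                    # temporary, DHCPv6 or stable-random

# Constructed sample addresses (documentation prefix, QEMU-style MAC).
SAMPLE = [
    "2001:db8:1:3:5054:ff:fe12:3456",    # SLAAC from MAC 52:54:00:12:34:56
    "2001:db8:1:3:9c1f:5886:cc08:3b44",  # temporary (privacy) address
    "2001:db8:1:3::2",                   # sequential container address
]

def audit(addrs):
    """Map each address to its classification."""
    return {a: classify(a) for a in addrs}

if __name__ == "__main__":
    for addr, result in audit(SAMPLE).items():
        print(addr, result)
```
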