IPV6 not working



Unraid V6.8.2 Nvidia build.

 

the problem: unRAID doesn't work properly with IPv6.

i have created an IPv6 tunnel broker (Hurricane Electric) on my OPNsense router to enable ipv6 on my network. (ISP has the option "DS-Lite" (Carrier-grade NAT) or IPv4 only)

every machine is working fully fine with ipv6, even the VMs on unraid work with ipv6, no manual installation needed.

only unraid doesn't work with it. for testing i used the website https://test-ipv6.com/ it's working fine on every machine here (incl. VMs on unraid) but not directly on unraid itself. (i use the GUI boot) what did i do wrong or what is wrong with unraid? everything is set to auto, the only change is network protocol from "ipv4" to "ipv4+ipv6"

 

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.3.2  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 2001:XX:XX:XX:XX:b29a:ffa5:3ae6  prefixlen 128  scopeid 0x0<global>
        inet6 fe80::e2d5:5eff:XX:XX  prefixlen 64  scopeid 0x20<link>
        inet6 2001:XX:XX:XX:XX:5fff:53c:2c53  prefixlen 64  scopeid 0x0<global>
        ether e0:d5:5e:68:XX:XX  txqueuelen 1000  (Ethernet)
        RX packets 195333  bytes 268545945 (256.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 60352  bytes 12172817 (11.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

 

eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::e2d5:5eff:XX:XX  prefixlen 64  scopeid 0x20<link>
        ether e0:d5:5e:68:XX:XX  txqueuelen 1000  (Ethernet)
        RX packets 416632  bytes 593217654 (565.7 MiB)
        RX errors 0  dropped 49  overruns 0  frame 0
        TX packets 165983  bytes 17702085 (16.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Edited by sjaak
Link to comment

well, the problem was that the dhcp server didn't give unraid the ipv6 dns server, now it has working dns (tested with the firefox container, with the extra parameters: "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2"). this container has working ipv6, but the other containers don't work with these parameters... damn, IPv6 with docker is a pain in the ass...

i know, i have to convert the link local address to the gateway address, but don't know how to do... (IPv6-net::1) (need to config in the router)

Edited by sjaak
Link to comment
30 minutes ago, sjaak said:

i know, i have to convert the link local address to the gateway address, but don't know how to do... (IPv6-net::1) (need to config in the router)

The conversion is done automatically by Unraid, you don't need to worry.

Even though Docker wants the first address as gateway address, the containers actually learn the link local address too and can use this as default gateway.

This means you do not have to configure an additional address on your router, it is optional.

 

This is the routing table of the Firefox container, note the fe80:: default route

tmp # ip -6 route
2a02:xxxx:xxxx:101::/64 dev eth0  metric 256 
fe80::/64 dev eth0  metric 256 
ff00::/8 dev eth0  metric 256 
default via 2a02:xxxx:xxxx:101::1 dev eth0  metric 1024 
default via fe80::1ae8:29ff:febd:80c7 dev eth0  metric 1024  expires 0sec

 

Edited by bonienl
Link to comment

well, i understand that as a "workaround" i can config it in the router...

the only way to get ipv6 working inside docker is to change the network to br0 and use the extra parameter "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2",

but i use vlans and created letsencrypt with the spaceinvaderone video (proxynet network), i have no idea how to enable ipv6 on that, and to use for every container its own ip address is too much for me..

(we have already had a conversation on Tweakers ;) )

Link to comment
8 minutes ago, sjaak said:

well, i understand that as a "workaround" i can config it in the router...

Yeah, I didn't explain that well enough on Tweakers. Sorry.

 

There is no difference between a VLAN and physical interface, both work in the same way with IPv6 (I can run my Firefox container on either a physical interface or VLAN interface without modification, only the IPv6 address changes because these are different networks).

 

Unfortunately, I have no experience with Letsencrypt (not using it) and can't help you on this. Perhaps other users may jump in.

 

Link to comment

the problem is not the letsencrypt container. i changed the network from "proxynet" to br0, at first i didn't get an ipv6 address, after putting in the extra parameters "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2" letsencrypt got an ipv6 address (but it is not visible in the DHCP6 server leases). tested inside the console of the container: ping6 google.com works, i can use its ipv6 address to gain access to its interface.

 

so, br0 works fine, but every 'custom network' inside docker isn't working with ipv6...

Link to comment

net.ipv6.conf.all.disable_ipv6=0, is the default setting already and is not needed to set again

net.ipv6.conf.eth0.use_tempaddr=2, enables the privacy extensions on interface eth0, this is an optional setting

 

In short, I am puzzled why you need these settings, because all is supposed to work without these.

 

There is a bug, privacy extensions can not be enabled from the GUI. I made a correction for the next release.

 

1 hour ago, sjaak said:

but every 'custom network' inside docker isn't working with ipv6

It works for me ...

Is there a specific container you are testing?

 

  • Thanks 1
Link to comment

tested the "Proxynet" (made this one with the video from spaceinvaderone), not working.

using the default "bridge", not working

setting the docker container to "host", works!

 

i'm going to enable the privacy extension and remove those extra parameters and test if it works.

Link to comment

tried to enable ipv6 privacy extensions, every time i click apply, it resets to disabled.

tried this with automatic setting and static. on auto the ipv6 dns server fails, it's set in the DHCP6 server, only unraid is not getting the ipv6 dns server, so it's now set to static. i have no idea why the privacy extensions can't be enabled... (nothing about it is mentioned in the logbook.)

 

also, i removed the parameter: "--sysctl net.ipv6.conf.all.disable_ipv6=0" from the firefox container, it loses the ipv6 connection, putting it back, ipv6 is back... i have no idea what's going on here 🙄

Edited by sjaak
Link to comment
1 hour ago, bonienl said:

When there is no IPv6 network shown, it means docker did not create it (usually due to some configuration conflict).

Can you post a screenshot of your docker settings page, with the docker service stopped and in advanced view?

 

sure:

[attached screenshot: dockersettings.png]

Link to comment
8 hours ago, bonienl said:

That looks alright. I need your diagnostics to do further examination. See Tools -> Diagnostics

sure,

ignore those notifications from upsd[7111], a network switch is on its last miles...

 

ps. i still don't understand why unraid is the only one that is not getting the ipv6 dns on its own, every device here got it automatically, it's set in the dhcp6 server.

 

Edited by sjaak
Link to comment

A small update you may want to make, it is not causing real issues, but your network.cfg file includes eth1 and eth2, which do not exist (anymore).

Delete these lines

IFNAME[1]="eth1"
PROTOCOL[1]="ipv4+ipv6"
USE_DHCP[1]="yes"
USE_DHCP6[1]="yes"
IFNAME[2]="eth2"
PROTOCOL[2]="ipv4+ipv6"
USE_DHCP[2]="yes"
USE_DHCP6[2]="yes"

And change sysnics to

SYSNICS="1"

A reboot is required for the new settings.

 

Unraid gets a proper IPv6 address, but your router is advertising an additional /128 address, not sure why it is doing this. Check your router config.

 

This /128 address causes several issues, including Docker which doesn't accept a /128 subnet (invalid CIDR address) and this results in no IPv6 connectivity.

 

5 hours ago, sjaak said:

why its not getting the ipv6 dns on it own

It is because of a limitation in Unraid 6.8. When IPv4 is configured with a static IP + DNS, then IPv6 DNS needs to be static too.

 

I have changed this behaviour and in Unraid 6.9, IPv6 DNS can be automatic independent of the IPv4 setting.

 

 

  • Thanks 1
Link to comment

removed and changed the lines; after reboot i lost all network activity, changed ip to ipv4 only, reboot, back in business! ipv6 enabled. still no proper ipv6... (set dns static)

i have no idea why the /128 is here. i just followed the instructions:

https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html

all my devices have a /128 address (those are visible in the dhcpv6 leases).

but all my other devices are working fully on ipv6, tested it by disabling ipv4 on them..

 

"ip -6 a" shows me this (this is on the VM):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:XXX:XXXX:XXX:XXXX:77d2:2124:62e7/128 scope global dynamic noprefixroute 
       valid_lft 7196sec preferred_lft 4496sec
    inet6 2001:XXX:XXXX:XXX:XXXX:5886:cc08:3b44/64 scope global temporary dynamic 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 2001:XXX:XXXX:XXX:XXXX:fee8:3879:4ebf/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::XXXX:XXXX:b550:ed55/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

"noprefixroute"...

Edited by sjaak
Link to comment

after reading the tutorial from PFsense (and i use OPNsense) i thought: let's change the Router Advertisements from 'Assisted' to 'unmanaged', after reboot i got a /64 address!

# ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
8: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::XXXX:XXXX:XXXX:7fb3/64 scope link 
       valid_lft forever preferred_lft forever
11: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:XXX:XXXX:XXX:XXXX:XXXX:XXXX:9065/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86020sec preferred_lft 14020sec
    inet6 fe80::XXXX:XXXX:XXXX:7fb3/64 scope link 
       valid_lft forever preferred_lft forever

i guess that the Router Advertisements weren't set up correctly. (or at least, i or the manual tell something wrong)

now i can't see the leases in the dhcpv6 anymore, after some reading i found out that RA unmanaged means only SLAAC.

the only thing that is not working is IPv6 in the management GUI boot, no IPv6 at ipv6-test.com  (i know, it isn't meant to browse the www)

i tried to do some port scans, the ports that are configured in the firewall are working correctly.

 

37 minutes ago, bonienl said:

Ok, I had a look again and found a way to make Docker happy.

 

I'll make an update for the next version and your server should work (including the /128 address).

Nice!

Edited by sjaak
Link to comment

small update, Docker containers with the network set on "bridge" and "Host" don't work with ipv6, only set on br0 works with ipv6.

i am not sure if docker accepts SLAAC...

unraid itself is still using a /64 address and it's holding it, where my vm changes ip address daily...

Link to comment

The Docker implementation of IPv6 on bridge and host networks is flaky and interferes with the IPv6 routing of Unraid. It is switched off, and IPv6 is made only available for macvlan (custom) networks.

 

Docker doesn't use SLAAC, it is handing out IPv6 addresses in sequence. The gateway address is ::1, and ::2 will be the first container.

 

Privacy extensions (RFC4941) are intended to hide your identity when you are on the move. Typically useful for phones, tablets and laptops.

When you connect "somewhere" you don't want people to be able to recognize it is you again (the MAC address of your device reveals your identity).

 

Servers are stationary and the use of privacy extensions is not meaningful. Some people even argue to not use them at all.

A server needs a dedicated address which doesn't change. Much like setting a static IPv4 address for a server.

 

 

 

Edited by bonienl
Link to comment
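An added example, not from any poster in this thread and not Unraid or Docker code, covering two points made above: the /128 address that Docker will not accept as a subnet, and the MAC address that an EUI-64 derived address exposes when privacy extensions are off. It parses `ip -6 a` style output; the sample input, the 2001:db8:: prefix, the last two MAC bytes and the helper names `classify` and `eui64_mac` are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the `ip -6 a` output posted in this thread.
# 2001:db8::/32 is the documentation prefix; the last two MAC bytes are made up.
SAMPLE = """\
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:3::1a2b/128 scope global dynamic noprefixroute
    inet6 2001:db8:1:3:5886:cc08:3b44:91aa/64 scope global temporary dynamic
    inet6 2001:db8:1:3:e2d5:5eff:fe68:1234/64 scope global dynamic mngtmpaddr
    inet6 fe80::e2d5:5eff:fe68:1234/64 scope link
"""

ADDR_RE = re.compile(r"^\s+inet6 (\S+)/(\d+) scope (\S+)(.*)$")


def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = addr.packed[8:]                      # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":                # EUI-64 inserts ff:fe mid-MAC
        return None                            # heuristic: no marker, no MAC
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def classify(ip_output):
    """Classify each inet6 line of `ip -6 addr` output (hypothetical helper)."""
    rows = []
    for line in ip_output.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue                           # interface header or lifetimes
        addr = ipaddress.IPv6Address(m.group(1))
        plen, flags = int(m.group(2)), m.group(4).split()
        if addr.is_link_local:
            kind = "link-local"
        elif plen == 128:
            kind = "host-128"                  # single address, no subnet
        elif "temporary" in flags:
            kind = "temporary"                 # RFC 4941 privacy address
        else:
            kind = "stable"
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        rows.append({"addr": str(addr), "kind": kind, "subnet": str(net),
                     # per the thread, Docker rejects a /128 as a subnet
                     "usable_as_subnet": kind != "link-local" and plen < 128,
                     "mac": eui64_mac(addr)})
    return rows


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

On a real host, feed it the output of `ip -6 a` instead of `SAMPLE`; a `host-128` row is the kind of address the thread traces back to the router's 'Assisted' RA mode.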

well in that case, i have to wait for the new unraid version so i can switch back to dhcpv6 and use static ip settings and let unraid handle its /128 address ;)

(or i find the right config on the router 😅 )

my other vlan is using dhcpv6+slaac and every device has their ip static, even with a reboot. unraid isn on that vlan and with every reboot it got another ip

Link to comment

Would just like to add my 2bits here:

There are two ways you can configure dockers and IPv6.

The first and foremost way is to configure Docker network with either a default ipv6 pool - same as the one assigned to the interface or statically assign one to it. This makes the whole assignment of IPv6 by Docker work like IPv4 - sequentially in order of the container starting up. Docker will keep track of the IPv6 addresses assigned to the containers.

The 2nd way which I am using, is to simply disable IPv6 at the Unraid network configuration level.

Then all my containers have the "--sysctl net.ipv6.conf.all.disable_ipv6=0 --sysctl net.ipv6.conf.eth0.use_tempaddr=2" extra parameters set.

This makes Docker not bother at all with IPv6 assignments, does not do anything to the container routing tables, and does not add extra dns settings to the ipv4 settings. What happens then is that the network stack in the container will attempt to configure IPv6 via SLAAC and attempt to discover the router by router-advertisements over the wire, assigning a privacy address if desired. This mechanism works really well on my network running a Mikrotik router (which does not have DHCPv6, so everything is SLAAC using the dynamic /56 provided by my ISP). The whole thing works very well, particularly since the dynamic /56 has no guarantee of being the same across reboots, and with the absence of DHCPv6, my Unraid docker networks would not be configurable anyway. Also, I wanted to restrict which network interface and IP Unraid was able to use to host the SMB/SSH/HTTP services.

 

  • Thanks 3
Link to comment
