How to Fix “No IPv6 Connectivity in Docker Containers” – Complete Troubleshooting Guide


3 views

From your configuration, I notice several key points that need verification:

  • The host has proper IPv6 connectivity (confirmed via pinging external addresses)
  • The docker0 bridge isn't receiving an IPv6 address despite configuration
  • Containers have IPv6 addresses assigned but can't reach external networks

First, let's verify the core settings on the host:

# Verify sysctl settings
sysctl net.ipv6.conf.all.forwarding
sysctl net.ipv6.conf.default.forwarding

# Check Docker daemon IPv6 status
docker info | grep -i ipv6

# Inspect interface configurations
ip -6 addr show docker0
ip -6 route show

Based on your setup, here's what's likely missing:

  1. NDP Proxy Configuration:
    2. # Enable NDP proxying for docker0
sysctl -w net.ipv6.conf.docker0.proxy_ndp=1
ip -6 neigh add proxy w:x:y:z:a::1 dev eth0
  2. Proper Firewall Rules:
    3. # Allow forwarded IPv6 traffic
ip6tables -A FORWARD -i docker0 -o eth0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o docker0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Here's a working configuration I've implemented successfully:

# /etc/docker/daemon.json
{
  "ipv6": true,
  "fixed-cidr-v6": "2a03:4000:6:2158:a::/80",
  "experimental": true,
  "ip6tables": true,
  "dns": ["8.8.8.8", "8.8.4.4"]
}

# Network creation command
docker network create --ipv6 --subnet=172.23.0.0/16 \
--ipv6 --subnet=2a03:4000:6:2158:a::/80 \
--gateway=172.23.0.1 \
--gateway=2a03:4000:6:2158:a::1 \
wopr6

When testing from inside containers:

# First verify local connectivity
ping6 -c 4 2a03:4000:6:2158:a::1

# Then test external connectivity
ping6 -c 4 ipv6.google.com

# Check route to gateway
ip -6 route get 2a00:1450:4001:811::200e
  • Host firewall blocking ICMPv6: Many hosting providers filter ICMPv6 which breaks NDP
  • Incorrect prefix delegation: Ensure your /80 subnet is properly routed to your host
  • Missing kernel modules: Verify nf_conntrack_ipv6 and ip6table_nat are loaded

For deeper investigation:

# Check neighbor discovery
ip -6 neigh show

# Verify packet flow
tcpdump -i docker0 ip6
tcpdump -i eth0 ip6

# Check kernel routing decisions
ip -6 route get 2a00:1450:4001:811::200e from 2a03:4000:6:2158:a::2

When dealing with Docker networking, IPv6 configuration can be particularly tricky on Debian Jessie systems. Here's a deep dive into solving the connectivity issues you're experiencing.

From your setup, we can see:

Host IP: w:x:y:z::1/64
Docker bridge config: --ipv6 --fixed-cidr-v6=w:x:y:z:a::/80
Custom network: w:x:y:z:a::/80 with gateway w:x:y:z:a::1

The key symptoms indicate:

  • docker0 bridge lacks IPv6 address assignment
  • No proper IPv6 routing between containers and host
  • Ping failures to external IPv6 addresses
  • Missing NDP (Neighbor Discovery Protocol) functionality

First, ensure these critical settings in /etc/docker/daemon.json:

{
  "ipv6": true,
  "fixed-cidr-v6": "w:x:y:z:a::/80",
  "experimental": true,
  "ip6tables": true,
  "userland-proxy": false
}

Create a proper bridge with IPv6 support:

# Create bridge
ip link add name docker0 type bridge
ip addr add w:x:y:z:a::1/80 dev docker0
ip link set docker0 up

# Add NAT rules
ip6tables -t nat -A POSTROUTING -s w:x:y:z:a::/80 -j MASQUERADE

Add these to /etc/sysctl.conf:

net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.proxy_ndp=1
net.ipv6.conf.all.accept_ra=2

After implementation, test with:

# Check bridge
ip -6 addr show docker0

# Test connectivity
docker run --rm -it busybox ping6 ipv6.google.com

# Verify routes
docker exec -it container_name ip -6 route

If issues persist, gather these diagnostics:

# Capture NDP traffic
tcpdump -i docker0 -vvv icmp6

# Check kernel logs
dmesg | grep -i ipv6

# Verify forwarding
sysctl net.ipv6.conf.all.forwarding

Consider using macvlan driver for direct IPv6 connectivity:

docker network create -d macvlan \
  --subnet=w:x:y:z::/64 \
  --gateway=w:x:y:z::1 \
  --ipv6 \
  -o parent=eth0 \
  ipv6_net