Docker needs to improve its IPv6 capabilities. My guests need IPv6 connectivity, e.g. to connect to external database servers that are only reachable via IPv6. In the default configuration containers don't get an IPv6 address, so they cannot reach the database at all.
That's why I create a bridge with an RFC 1918 IPv4 range and a GUA (global unicast) IPv6 range. I then use nftables to masquerade IPv4, while IPv6 is routed natively.
docker network create --ipv6 --subnet 10.39.10.0/24 --gateway 10.39.10.1 --subnet 2001:1234:1234:7008::/64 --gateway 2001:1234:1234:7008::1 brdocker -o com.docker.network.bridge.name=brdocker
This creates a persistent dual-stack bridge. Routing and masquerading are managed by this Ansible nftables role.
A docker compose YAML might look like this. Give every container its own network name, but point it at the external brdocker network.
version: "3.5"
services:
  busy:
    image: busybox
    #command: ping6 -c 4 google.com
    #command: top
    #command: ip a s
    #command: ping6 2a02:2e0:3fe:1001:7777:772e:2:85
    command: ping 8.8.8.8 -c 6
    networks:
      - busyboxnet
networks:
  busyboxnet:
    external:
      name: brdocker
This is the Ansible configuration:
nftablesmode: "firewall"
nftables_masks:
  - downif: "brdocker"
    upif: "eth0"
nftablesopenhost:
  - dport: 8096
    family: 6
    proto: "tcp"
    comment: "Emby"
  - dport: 8097
    family: 6
    proto: "tcp"
    comment: "Jellyfin"
  - dport: 8098
    family: 6
    proto: "tcp"
    comment: "Piwigo"
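To make concrete what "masquerade IPv4, route IPv6 natively" means for the ruleset, here is an added example (mine, not the Ansible role's own template) that renders an nftables ruleset from variables shaped like the ones above. The variable names and values mirror the page; the chain layout, the default-drop forward policy that keeps the globally addressed containers from being reachable unsolicited, and the ICMPv6 allowances are my assumptions.

```python
# Constructed example: render nftables rules from Ansible-style variables.
# Variable names follow the page; the rule layout is an assumption, not the role's output.
CONFIG = {
    "nftables_masks": [{"downif": "brdocker", "upif": "eth0"}],
    "nftablesopenhost": [
        {"dport": 8096, "family": 6, "proto": "tcp", "comment": "Emby"},
        {"dport": 8097, "family": 6, "proto": "tcp", "comment": "Jellyfin"},
        {"dport": 8098, "family": 6, "proto": "tcp", "comment": "Piwigo"},
    ],
}

def render_ruleset(cfg: dict) -> str:
    masks = cfg.get("nftables_masks", [])
    opens = cfg.get("nftablesopenhost", [])
    out = ["table inet filter {",          # inet: one chain set for IPv4 and IPv6
           "  chain input {",
           "    type filter hook input priority 0; policy drop;",
           "    iif lo accept",
           "    ct state established,related accept",
           "    ct state invalid drop",
           # Neighbour discovery and RA must pass or IPv6 on the host breaks entirely
           "    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept",
           "    icmp type echo-request accept"]
    for o in opens:
        fam = {4: "ipv4", 6: "ipv6"}[int(o["family"])]   # KeyError for any other family
        if o["proto"] not in ("tcp", "udp"):
            raise ValueError(f"unsupported proto {o['proto']!r}")
        out.append(f'    meta nfproto {fam} {o["proto"]} dport {int(o["dport"])} '
                   f'accept comment "{o["comment"]}"')
    out += ["  }",
            "  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
            "    ct state established,related accept",
            "    ct state invalid drop"]
    for m in masks:   # containers may initiate outbound; GUA containers get no unsolicited inbound
        out.append(f'    iifname "{m["downif"]}" oifname "{m["upif"]}" accept')
    out += ["  }", "}",
            "table ip nat {",             # 'ip' family: IPv4 only, so IPv6 is never masqueraded
            "  chain postrouting {",
            "    type nat hook postrouting priority srcnat; policy accept;"]
    for m in masks:
        out.append(f'    iifname "{m["downif"]}" oifname "{m["upif"]}" masquerade')
    out += ["  }", "}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_ruleset(CONFIG))   # feed to `nft -c -f -` to syntax-check before loading
```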