Fighting with IPv6

Problem statement: I want to self host a bunch of things over my home broadband.

I point some DNS records to my fixed IPv4 address, set up port forwarding to a Pi, and whoopdedoo.

Nah. My router is crap and can’t do hairpin NAT (it says it can, but it can’t). I can see the services from OUTSIDE my network, but if I try to connect from inside, it just won’t have it.

But I’m very smart. If I use IPv6 I can make that problem go away. I point an IPv6 AAAA record at the Pi, open up ports on the firewall (the router will let me do that) and we are winning. Internally (because my network and devices are all IPv6 capable) it will use that in preference to IPv4. Externally you can connect either way.

I’ve had this setup running for a while and it’s fine.

But I now want to run a bunch more things and containerise it all so erm, Docker. (Perhaps I should have gone there with Kubernetes, but Docker was already installed on my Synology NAS, and it’s otherwise a bit under-used.)

I could use the Pi as an ingress point, point v6 and v4 DNS to it, and reverse proxy internally over IPv4 to services on Docker I want to expose. Sweet. That’s how you’re reading this…

But if those services want to be able to see each other via their public addresses (think OIDC flows or ActivityPub services) I hit the same issue – hairpin NAT doesn’t work. I need to use the same trick again, but my Docker bridge networks are IPv4 only. Surely that will be a matter of minutes to fix?

Lol.

Synology inexplicably hobble IPv6 in their “Container Manager” docker setup, but I eventually found a script someone had done to work around it. Looks like I can now create IPv6 bridge networks.

This is where I've got to: I can now access the various things from around my network via the IPv6 address of the Synology. From within the Syno I can ping said containers. From within a container I can ping the Syno AND other containers.

But… from within a container I can't see the rest of my network, and I can't see the outside world. I've clearly done something wrong.

Update – several weeks later:

In the end, the move was to fix the fundamental issue: that my ISP-supplied router wasn’t able to do either hairpin NAT or static routes. The new one can – including static IPv6 routes. Everything is now glorious and my internal stuff can see my external stuff.