IPv6 Routing Issue: Docker containers reachable outbound but not inbound via VM router

J

jasonschell

Member
Jul 13, 2021
5
0
21
27
I have been struggling with an IPv6 routing issue for about 6 months now, looked up tremendous amounts of forum threads and Claude AI-chats, but nothing solved my issue. The setup worked perfectly until late last year, then suddenly stopped working without any configuration changes on my part (maybe there was an update someday). Maybe someone here see's something what I've been overseeing all the time...

Current behavior:
  • ✅ Docker containers can reach the internet (outbound traffic works)
  • ❌ Docker containers cannot be reached from Proxmox host or external networks (inbound traffic fails)

Environment​

  • Proxmox VE: 9.0.6 running on Debian 13
  • Router VM (docker1): Debian 13 with Docker containers
  • Network: Public IPv6 subnet with VM acting as router for container subnet
  • The Root server is from Hetzner, and I have been given the IPv6 subnet 2a01:xxxx:242:1496::/64, which I am separating into one /80 subnet for my Proxmox Virtual Machines and another /80 which I want to let my docker1 VM use for all docker containers I want to be accessible from the internet (in this case my GitLab Container Registry).
Code: 
docker version
Client: Docker Engine - Community
 Version:           28.3.3
 API version:       1.51
 Go version:        go1.24.5
 Git commit:        980b856
 Built:             Fri Jul 25 11:34:10 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.3.3
  API version:      1.51 (minimum version 1.24)
  Go version:       go1.24.5
  Git commit:       bea959c
  Built:            Fri Jul 25 11:34:10 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.27
  GitCommit:        05044ec0a9a75232cad458027ca83437aae3f4da
 runc:
  Version:          1.2.5
  GitCommit:        v1.2.5-0-g59923ef
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Network Setup​

Infrastructure​

Code: 
Internet
    ↓
ve1 (Proxmox Host): 2a01:xxxx:242:1496::1/128
    ↓
SDN VNet "excweb"
    ├── Subnet A: 2a01:xxxx:242:1496:a::/80 (direct VMs)
    └── Subnet D1: 2a01:xxxx:242:1496:d1::/80 (via docker1 router)
            ↓
        docker1 VM: Router for container subnet
            ↓
        Docker containers in d1 subnet

IP Configuration​


ve1 (Proxmox host):
Code: 
2a01:xxxx:242:1496::1/128 on enp35s0 (uplink)
2a01:xxxx:242:1496:a::1/80 on excweb (SDN bridge)

docker1 VM:
Code: 
2a01:xxxx:242:1496:a::d1/80 on ens18 (uplink to ve1)
2a01:xxxx:242:1496:d1::1/80 on br-8eb121751eea (Docker bridge)

GitLab container example:
2a01:xxxx:242:1496:d1::2/80 with gateway 2a01:xxxx:242:1496:d1::1

Current Routing Tables​


ve1 routing:
Code: 
ip -6 r s
2a01:xxxx:242:1496::1 dev enp35s0 proto kernel metric 256 pref medium
2a01:xxxx:242:1496:a::/80 dev excweb metric 1024 pref medium
2a01:xxxx:242:1496:b::/80 dev onhweb proto kernel metric 256 pref medium
2a01:xxxx:242:1496:d1::/80 via 2a01:xxxx:242:1496:a::d1 dev excweb metric 1024 pref medium
fe80::/64 dev excweb proto kernel metric 256 pref medium
fe80::/64 dev ipv4 proto kernel metric 256 pref medium
fe80::/64 dev nat proto kernel metric 256 pref medium
fe80::/64 dev onhweb proto kernel metric 256 pref medium
fe80::/64 dev enp35s0 proto kernel metric 256 pref medium
default via fe80::1 dev enp35s0 proto kernel metric 1024 onlink pref medium

docker1 routing:
Code: 
2a01:xxxx:242:1496:a::/80 dev ens18 proto kernel metric 256
2a01:xxxx:242:1496:d1::/80 dev br-8eb121751eea proto kernel metric 256
default via 2a01:xxxx:242:1496:a::1 dev ens18 metric 1024

Problem Analysis​

Working: Outbound traffic (Container → Internet)​

root@gitlab:/# ping google.com
Code: 
PING google.com (2a00:1450:4001:82a::200e): 56 data bytes
64 bytes from 2a00:1450:4001:82a::200e: seq=0 ttl=117 time=5.351 ms
✅ SUCCESS

Failing: Inbound traffic (ve1 → Container)​

Code: 
root@ve1:~# ping6 2a01:xxxx:242:1496:d1::2
PING 2a01:xxxx:242:1496:d1::2 (2a01:xxxx:242:1496:d1::2) 56 data bytes
❌ 100% packet loss

Troubleshooting Done​

Packet Flow Analysis​

On docker1 during failed ping from ve1:
Code: 
# tcpdump -i ens18 icmp6 and host 2a01:xxxx:242:1496:d1::2
✅ Packets arriving on ens18: 39 packets captured
Code: 
# tcpdump -i br-8eb121751eea icmp6 and host 2a01:xxxx:242:1496:d1::2
❌ Packets NOT reaching Docker bridge: 0 packets captured

Conclusion: Packets reach docker1 but are not forwarded from ens18 to br-8eb121751eea.


Configuration Verification​

IPv6 forwarding enabled:
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

Docker network properly configured:
Code: 
docker network inspect ipv6                          
[
    {
        "Name": "ipv6",
        "Id": "8eb121751eeaa38ede9a9a9f58402d5a2e5dd3afa0c6d06f2d475703442f487e",
        "Created": "2025-08-30T12:48:58.735861925+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv4": true,
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "Gateway": "172.19.0.1"
                },
                {
                    "Subnet": "2a01:xxxx:242:1496:d1::/80",
                    "Gateway": "2a01:xxxx:242:1496:d1::1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "07c8dd50e1f365d1d84a063f5d2188358061b69f58dbcad396d65fdf608b5743": {
                "Name": "gitlab-gitlab-1",
                "EndpointID": "f209a92ad847e0c205dcd70f28c390e84c80f51f0d51d24bab344a44c9698d9a",
                "MacAddress": "62:da:c8:15:fa:45",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": "2a01:xxxx:242:1496:d1::2/80"
            }
        },
        "Options": {},
        "Labels": {}
    }
]

Local connectivity works:
Code: 
# From docker1, both work:
ping6 2a01:xxxx:242:1496:d1::1    # Docker bridge gateway
ping6 2a01:xxxx:242:1496:d1::2    # GitLab container

What I've Tried​

  1. Migrated from bridge setup to Proxmox SDN - same issue persists
  2. Verified all IPv6 forwarding settings - enabled everywhere
  3. Checked firewall rules - disabled/not blocking
  4. Added explicit ip6tables FORWARD rules - no effect
  5. Verified routing tables multiple times - appear correct
  6. Tested different route configurations - via gateway vs dev interface

Key Mystery​

This exact setup worked perfectly until late 2024. No configuration changes were made on my side, but suddenly inbound traffic on that ipv6 network stopped working while outbound continued to function normally.

Note on Routing Approach​

I specifically want to use native IPv6 routing without Neighbor Discovery complexity. This setup worked perfectly throughout 2024 using simple static routes and direct IPv6 forwarding between interfaces. I do not want to use Router Advertisements, SLAAC, or any ND-based solutions. The routing should work exactly like IPv4 - with static routes, explicit gateways, and direct packet forwarding between interfaces. This approach was reliable and predictable before the issue started, and I want to maintain the same simple routing methodology.

Any insights or suggestions would be greatly appreciated. This has been driving me crazy for months!
 
Last edited:
You must log in or register to reply here.
Top Bottom