No access to internet with "Routed" mode on pure IPv6 clients

[squromiv]

Same problem.
Also "docker logs -f WirtBot":

[b-m-f]

One error in the logs should be ok on first start.

Can you show the output of

nft list ruleset

[squromiv]

[b-m-f]

Sorry,

inside of the container I mean.

[squromiv]

[b-m-f]

Have you added

    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0

to your docker-compose file?

[squromiv]

Yes.

[b-m-f]

OK.
Maybe something slipped through.

Will test this again later.

[squromiv]

The fix from here still works.

[b-m-f]

Hi @squromiv,

I have dug deeper on this and basically ended the research here.

To get routed IPv6 working too many things are required at the moment.

• Make your docker daemon aware of IPv6 https://docs.docker.com/config/daemon/ipv6/
• Making sure you choose the subnet assigned to you by your hoster, as a global and not link-local IPv6 address is required

Problem

The setup is too complicated for now.
moby/moby#20559
docker/compose#4958

Solution

There must be a way to MASQUERADE IPv6 traffic from the server interface inside the container to IPv4.
This would then allow purely IPv6 addresses inside the WireGuard network but also properly routed traffic to the internet.

Unfortunately I am not aware of any method to do this at the moment.
I could not find anything in the nftables wiki.

If anyone reading this knows a solution Id love to hear about it.

What now?

I will leave this issue open until a good fix can be implemented.
The Interface also only allows creating Hybrid IPv4, IPv6 configs - I assume you encountered this error with manually changed config?

Anw -> Pure IPv6 should be allowed on the Dashboard once this issue can be closed.

[squromiv]

@b-m-f
Most likely it is very interesting for technically skilled persons, but I am not like that. :) So what should I do until the best solution will appear? To use the fix with manual install of iptables? Is it possible to include this in docker image? Sorry for stupid questions.

[b-m-f]

Hi @squromiv,

looks like you are using a hybrid setup.
But there was indeed a problem left in the firewall configuration.

Version 2.6.5 is currently running through the CI pipeline and should be available in a few hours.
It should hopefully fix your problem.

I just tested it on a fresh installation.

Please just leave this issue open though, as pure IPv6 still can not work.

Also no worries, there exist no stupid questions :)
& thanks for all your quick feedback.
Anyone installing it from now on will be thankful

[squromiv]

looks like you are using a hybrid setup

Hi, Maximilian. I do not know how to name it, but I use standard WirtBot docker container with added commands, proposed by you.

docker exec -ti WirtBot /bin/bash
apt install iptables
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j MASQUERADE

It simply works. And due to my low tech skills, I do not understand, how the discussed issue is connected to "pure IPv6 clients", because clients, I tested, were not "pure IPv6" (as I understand it).

[b-m-f]

Yup, exactly.

So I think that your issue will be resolved in v2.6.5. Should be online soon.

There was a problem in the firewall configuration.

[squromiv]

that your issue will be resolved in v2.6.5

It looks like working. Very quick fix. Thanks. I will continue testing.