I’m still trying to figure out how to use Docker with an unstable prefix (hey Docker, this is as much your problem as the ISPs, honestly) as any of the v6NAT solutions I’ve found that enable the same full containerization available on IPv4 all require you feed the Docker daemon a fixed prefix on startup. Frustrating.
I’m also tired of reading posts about v6NAT being irrelevant because half of the point of containers is the interchangeability; Docker containers aren’t supposed to be routable unless you intentionally put them on the host network! Docker just needs to work the same on v4 and v6!
Tor as a hole puncher is an intriguing idea but I don’t think I would use it for something customer facing… Too many moving parts. We like to use WireGuard and a tiny cloud VPS instance when someone needs to punch into an unreliable network around here.
Depending on your network, a ULA can help keep the local prefix the same, and you can use something like NPTv6 to translate the IPv6 address quite well. Unlike IPv4 NAT, NPTv6 will just swap out the prefix with a local one (e.g. 2001:db8:1001:1234:abcd to fd00::1234:1001 and back) so you can still use a normal IPv6 firewall and to the outside it’s like your addresses are all completely stable.
This will also make it easier to switch ISPs and adds the possibility to use a failover from another ISP with another prefix without your entire network freaking out.
It’s not exactly recommended (prefixes should just be static ffs) but it’s a possibility.
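To illustrate the NPTv6 mapping mentioned in the comment above, here is an added example (not code from the thread or from any router implementation) of the RFC 6296 translation for /48 prefixes: besides swapping the prefix, it adjusts the 16-bit subnet word so TCP/UDP checksums stay valid. The mapping is stateless and 1:1, so inbound filtering still has to come from the firewall. The prefixes are constructed ULA and documentation values, and the function names are hypothetical.

```python
import ipaddress

def _fold(total):
    # Fold carries back in: 16-bit one's-complement addition.
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _prefix_sum(net):
    # One's-complement sum of the three 16-bit words of a /48 prefix.
    value = int(net.network_address)
    return _fold(sum((value >> shift) & 0xFFFF for shift in (112, 96, 80)))

def words_sum(addr):
    # One's-complement sum of all eight words; translation must not change it.
    value = int(ipaddress.IPv6Address(addr))
    return _fold(sum((value >> shift) & 0xFFFF for shift in range(0, 128, 16)))

def nptv6_translate(addr, src_net, dst_net):
    """Map addr from src_net to dst_net (both /48), checksum-neutral."""
    addr = ipaddress.IPv6Address(addr)
    src_net = ipaddress.IPv6Network(src_net)
    dst_net = ipaddress.IPv6Network(dst_net)
    if src_net.prefixlen != 48 or dst_net.prefixlen != 48:
        raise ValueError("this example only handles /48 prefixes")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    subnet = (int(addr) >> 64) & 0xFFFF
    # new subnet word = old word + sum(old prefix) - sum(new prefix)
    adjusted = _fold(subnet + _prefix_sum(src_net)
                     + (~_prefix_sum(dst_net) & 0xFFFF))
    if adjusted == 0xFFFF:  # RFC 6296: 0xFFFF is written as 0x0000
        adjusted = 0x0000
    iid = int(addr) & ((1 << 64) - 1)  # interface ID is left untouched
    return ipaddress.IPv6Address(
        int(dst_net.network_address) | (adjusted << 64) | iid)

# Constructed sample values: one stable ULA host, two ISP prefixes.
INSIDE = "fd01:203:405::/48"
ISP_A = "2001:db8:1::/48"
ISP_B = "2001:db8:2::/48"  # prefix after a renumbering or failover
HOST = "fd01:203:405:1::1234"

if __name__ == "__main__":
    for outside in (ISP_A, ISP_B):
        mapped = nptv6_translate(HOST, INSIDE, outside)
        back = nptv6_translate(mapped, outside, INSIDE)
        print(f"{HOST} -> {mapped} -> {back}")
```

The host keeps its ULA address across the prefix change; only the translator's outside prefix has to be updated.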