New ISP with IPv6 internet reachable only

monsen · 10. November 2023

You mean SFTP as protocol type? Any product suggestion?

gderf · 10. November 2023

SFTP is a part of SSH. OMV already has SSH, so it also has SFTP. There is also an SFTP plugin you can use to setup jails for users.

I already mentioned Filezilla for client side use. Available for Mac, Windows, Linux, and maybe others.

monsen · 10. November 2023

Yes i am aware of the SFTP protocol. I am not sure that the OMV built in SFTP plugin allows me to do what i need. i remember i exchanged it versus glftpd due to limitations in administration. I will check once more and see.

I remember there were painful limitations on how the jails and access to filesystem works. Can i use a bind mount with it?

Filezilla of course i do know.

gderf · 10. November 2023

I don't use the OMV SFTP plugin. My use history of SFTP long precedes my use of OMV (v2) so I always just set it up by hand and carried that into OMV. From what I can tell, the plugin is capable of doing what I have done all by hand.

I bind a mergerfs pool to a sftp user's jail in fstab.

monsen · 10. November 2023

Ok thanks. I will check it out.

Alternative suggestions welcome

gderf · 10. November 2023

Zitat von monsen

Alternative suggestions welcome

Those will depend on your exact requirements and how they deviate from standard solutions.

monsen · 10. November 2023

I did post my requirements a few posts before. To repeat them once more here:

- Access to local files from remote

- Fast and reactive GUI

- lightweight

- User accounts with selective access rights

It would be smart if it is web based so i can run it through a cloudflare tunnel and comes with a lightweight webserver or i can use my existing swag container.

monsen · 12. November 2023

This looks pretty interesting. Anyone know it? https://github.com/drakkan/sftpgo

olduser · 12. November 2023

What kind of traffic hits your FTP? Whoever connects should know to use IPv6.

I have no idea about this but it uses node.js: https://github.com/rejetto/hfs It seemingly supports resume for uploads.

monsen · 12. November 2023

Well traffic should not be that much. I believe i can handle IPv4 via cloudflare or an alternative proxy/tunnel.

This thing seems to be pretty cool. It is capable of SFTP, Webdav, HTTP and allows administration via Web GUI. And after a first try it is really responsive (not like nextcloud).

monsen · 12. November 2023

I poked around with sftpgo a bit and have to say it is pretty neat. Can recommend it. It has ton of functionality and configuration options.

By far the best i found for sharing of files from a local storage with multiple users.

monsen · 28. November 2023

I am still struggling getting IPv6 to work in Docker.

I got my bridge network to provide an IPv6 subnet but all connected containers do not receive an IPv6 up to here. Even when taking them down and redeploying them via compose.

Code

root@debnas:~# docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "7f68f050a116f36fc5810d6b82fed1b98697b37917d93cc5a129f523c7ce3ec4",
        "Created": "2023-11-28T21:51:56.579487106+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                },
                {
                    "Subnet": "2001:db8:1::/64"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "356e71d186718be0196483069f30a968b483e0d22551b88414ef2a438d3873c4": {
                "Name": "jellyfin",
                "EndpointID": "485348ee08aee4147f7a932e31460351d28d2b5c0ecdf572993477b0b82b5bba",
                "MacAddress": "02:42:ac:11:00:02",
                "IPv4Address": "172.17.0.2/16",
                "IPv6Address": ""
            },
            "3a5c3f1b4560235f27a3d69aae833c13b16fecab1fccf652b853bd287a25cd50": {
                "Name": "iobroker",
                "EndpointID": "da3d9f4521b64170d6cc5f7ca05f823817d5f70d021dfe0af029e6fc0761c375",
                "MacAddress": "02:42:ac:11:00:03",
                "IPv4Address": "172.17.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]

Alles anzeigen

daemon.json:

Code

{
  "data-root": "/var/lib/docker",
  "experimental": true,
  "ip6tables": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}

Any documentation i tried failed. No idea how i can get the containers of my bridge network to pick up IPv6 adresses yet.

monsen · 1. Dezember 2023

It's weird. Even though the docker containers don't receive an IPv6 I can still access the dockers via the host IPv6 adress and respective open port of the docker service. Not sure how that works but possibly docker is doing some internal IPv6 to IPv4 NAT?

So this for example

Code

http://[fd00::d250:99ff:fe76:7d98]:8082/

Works for my iobroker docker that only has an IPv4 on the bridge network.

sfcampbell · 2. Dezember 2023

Zitat von monsen

I am still struggling getting IPv6 to work in Docker.
I got my bridge network to provide an IPv6 subnet but all connected containers do not receive an IPv6 up to here. Even when taking them down and redeploying them via compose.

My brother from an OMV mother: No disrespect but I think you're way overcomplicating the IPv6 vs. IPv4 issue... IPv6 is only a constraint/problem to your gateway. Once external traffic hits your router [allegedly via IPv6 since you say your ISP forces this] you can shape the traffic "port-forwarded" into your LAN however you need it. I can't imagine any circumstance that utilizing IPv6 within your LAN domain is easier or necessary compared to IPv4.

Why not just set up a reverse proxy i.e. NGINX Proxy Manager (even easily deployable as a Docker container!) and direct all port 80 & 443 port-forwards from your router to that address? Any IPv6 requests from WAN will be redirected to that host, even if the Proxy Manager is at a LAN IPv4 address -- likewise the Proxy Manager can access hosts at their respective IPv4 LAN address.

Added bonus: set up your DNS Overrides on your LAN DNS service to redirect those FQDNs from within your LAN to the Proxy Manager and you'll be able to access the same services with the same FQDN whether you're within your LAN or away from home.

monsen · 2. Dezember 2023

Well actually i already solved everything regarding services i want to make available to the outside doing a hop over Cloudflare.

The main issue i had to overcome as you can read in the first pages of this thread was that if you access my services from e.g. an IPv4 Wifi to internet it is just impossible to get in as i only have a public IPv6 address. This is now solved via Cloudflared.

Everything locally works nicely in IPv4 and Cloudflare works as the proxy to the outside world.

I also have the DNS override running that you mention via my Pihole.

Nevertheless i got interested in IPv6 and am just now trying to activate native IPv6 in my whole LAN infrastructure. I do not really need it, but I just got interested in setting it up.

I also got IPv6 running by now even my dockers are accessible via IPv6. Although i honestly do not understand why. That is what my last post is about.

The long term benefit (beside educating myself) i can see of this exercise is that I can at some point in the future switch off Cloudflare again. That will be the case when IPv6 is wide spread and available from any remote network i use. (no idea when that will be the case though)

Jetzt mitmachen!