Access my website from WAN IP

Bob.Dig

@ciros55 A simple IPv6 NAT Portforward is looking like this, in my example it is an email service, change to your needs accordingly. The "host_mail" alias contains the ULA of the machine. This is enough for connecting from the outside to it via IPv6.

JKnott

@bob-dig said in Access my website from WAN IP:

A simple IPv6 NAT Portforward is looking like this

Please don't do that. There's no need for that on IPv6. The reason for NAT was to get around the IPv4 address shortage and it causes problems in the process.

NAT is a curse on the Internet.

Bob.Dig

@jknott said in Access my website from WAN IP:

Please don't do that.

I do because I can and pfSense is missing the DDNS- capability in this regard.

johnpoz

@bob-dig said in Access my website from WAN IP:

pfSense is missing the DDNS- capability in this regard

Why would pfsense be needing to create a ddns entry somewhere for some IPv6 device, not a pfsense IP..

Just have the client register its IP in whatever ddns you want.

Trying to run a mail server off some dynamic IP is bad idea anyway, be it IPv4 or IPv6..

Glad you found a work around that works for you natting IPv6 - but with jknott on this, there is no reason to do that.

ciros55

@jknott said in Access my website from WAN IP:

test-ipv6.com

the result from test-ipv6.com is 10/10.

the iPv6 Prefix = 64

ISP changes IP every 24 hours.

johnpoz

@ciros55 so your using ULA internally, because your isp does not provide any sort of IPv6 delegation? And you only have the one pfsense public IPv6? On the wan?

Yet another ISP without a clue how to do IPv6 ;) And you think IPv6 is ready for prime time jknott, when ISPs do shit like that?

JKnott

@ciros55 said in Access my website from WAN IP:

ISP changes IP every 24 hours.

You mean the prefix? Did you check that setting? If you're running SLAAC on the local network, you will have up to 8 public addresses. One is consistent and there will be up to seven privacy addresses. You get a new one every day, with the oldest expiring after 7 days. As I mentioned, you use the consistent address for DNS.

If the ISP deliberately changes the prefix, they are a crappy ISP. There is no need to do that on IPv6 or IPv4 for that matter.

JKnott

@johnpoz said in Access my website from WAN IP:

when ISPs do shit like that?

Some ISPs should be shot!

ciros55

@bob-dig
I've had tried that but it didn't work.

and I manage to break DHCP and DHCPv6 oopsie that was caused by me.

ciros55

Hi, again

I've managed to get @Bob-Dig solution to work. (finally)
(i know that I shouldn't do it like this but I only want one IP and connected to DDNS.)

Thanks, Everyone. Have a great day.

Gertjan

@jknott said in Access my website from WAN IP:

There is no need to do ....

If I was an "ISP" I could have on my wish-list :
How can I make it difficult for my clients to host services ?

The why part easy is to understand :
The help desk can be short about questions like : 'My mail server ....".
The answer would fall trough right away to : you can't / not supported.

I presume most ISP sell 'access' to the net. Not some scheme where you could be 'part' of the Internet.

Btw : IMHO and me thinking out loud.

Bob.Dig

@johnpoz said in Access my website from WAN IP:

@bob-dig said in Access my website from WAN IP:

pfSense is missing the DDNS- capability in this regard

Why would pfsense be needing to create a ddns entry somewhere for some IPv6 device, not a pfsense IP..

Just took a look again and there is no free and current or decent looking DDNS Client for windows that supports IPv6.

johnpoz

@bob-dig but how do you expect pfsense to register a ddns for an IP that is not its IP?

Bob.Dig

@johnpoz That is easy, if it has been given out by the DHCPv6 Service. There are even DDNS options already in it, but they are not usable with the DDNS-Clients in pfSense.
Also I know a router that already does this for you.

So it is doable and it looks like there is everything already there, it only has to be put together by some talented folks.

johnpoz

@bob-dig said in Access my website from WAN IP:

it only has to be put together by some talented folks

so what you want is pfsense to register dhcpv6 entries into some ddns service.

That would be a feature request or bounty..

What about clients that are using SLAAC? ;)

Bob.Dig

@johnpoz said in Access my website from WAN IP:

@bob-dig said in Access my website from WAN IP:
What about clients that are using SLAAC? ;)

I don't think that DDNS and SLAAC are going well together and they don't have to. ;)

Kinda off-topic: I run a teamspeak server where only a few chosen ones are allowed to join and I use their DDNS addresses in an alias for that. But I just saw in the log that Teamspeak on Windows will use the Temporary IPv6 Address too, so no chance to solve that via DDNS.
IPv4 for the win, long live NAT.

johnpoz

@bob-dig said in Access my website from WAN IP:

Windows will use the Temporary IPv6 Address too

These are going to used more often then not for outbound connections. Its the whole privacy thing of IPv6 ;) hehehe

If your wanting to lock down which IPv6s can talk to your service, its prob best to get their /64 prefix vs a specific IP. And allow the whole prefix. But problem is with many an ISP is these prefixes change all the time.

Bob.Dig

@johnpoz Yes, that is the case with IPv4 and IPv6 here and it will stay like that I am sure.
And I will not go out and get everyone a HE-tunnel.

Bob.Dig

@johnpoz said in Access my website from WAN IP:

That would be a feature request or bounty..

I am going with feature request.