Netgate Discussion Forum

    Provider: Prefix delegation. Prefix changes. HA proxy?

    • pixel24

      Hi all,

      I have a cable connection from Vodafone. It is a DS-Lite (IPv6 only). I get a /59 prefix delegated by the provider. A Fritz! box (6690) is connected to the connection itself. The pfSense is connected to the FB.

      I forward the PD on the FB to the pfSense:

      Assign DNS server, prefix (IA_PD) and IPv6 address (IA_NA).

      I have activated and configured IPv4 on the pfSense:
      [4 screenshots]

      In the LAN, I have activated SLAAC for IPv6 on my server VMs. I then received a valid address on these from the area delegated by the provider.

      A corresponding subdomain has been created for each host (server VM) at the hosting provider (Strato). The hosts are running ddclient, which writes the assigned IPv6 address to the AAAA record at the provider.

      After I have allowed access in the firewall rules, I can access the hosts from outside (HTTPS).

      So far so good. The problem I see is when the prefix of the provider changes. Which it will do at some point. Then I have to adjust the firewall rules every time, which is of course unpleasant.

      It occurred to me that I should configure additional ULA addresses in the LAN in addition to the public IPv6 addresses that come from the provider.

      Then I could receive the HTTPS connections on the pfSense with the HA proxy, check for the URL (subdomain) called up and forward it to the appropriate ULA address of the target host if there is a match.

      Does this work at all?

      I already have an HA proxy setup that does exactly that, but with IPv4. I would adapt this accordingly.

      with best
      pixel24

      • Bob.Dig @pixel24

        @pixel24 said in Provider: Prefix delegation. Prefix changes. HA proxy?:

        with best

        Really? I can't read your screenshots. Seems to be a foreign language. Tschüss!

        • pixel24

          In the LAN, I use fixed ULA addresses on the server VMs in addition to the public IPv6 addresses that come from the provider.

          An example. My media server has the following IP configuration:

          2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
              link/ether xx:xx:xx:f7:e3:ee brd ff:ff:ff:ff:ff:ff
              altname enp6s18
              inet 192.168.83.10/24 brd 192.168.83.255 scope global dynamic ens18
                 valid_lft 41630sec preferred_lft 41630sec
              inet6 xxxx:xxxx:2180:8e1c:5c20:3aff:fef7:e3ee/64 scope global dynamic mngtmpaddr 
                 valid_lft 86188sec preferred_lft 14188sec
              inet6 fdd0:a044:f4c::a/64 scope global 
                 valid_lft forever preferred_lft forever
              inet6 fe80::5c20:3aff:fef7:e3ee/64 scope link 
                 valid_lft forever preferred_lft forever
          

          A corresponding AAAA record is set in the subdomain at the domain host. I now create the firewall rule:

          [screenshot]

          Everything works. It is unfortunate that when the provider changes the PD, I have to adjust the firewall rules every time :-(

          I wanted to get the HA proxy to listen on the WAN interface (as I did with IPv4) and accept the HTTPS requests.

          If the requested URL matches the host, it is forwarded to its ULA address;

          [5 screenshots]

          but I do not have access to it. Does it even work in the HA proxy to accept an incoming connection on the public IPv6 address and forward it to a host based on its ULA address?

          In the diagnostics, I can ping the target host in the LAN under its public IPv6, its ULA address and with its host name.

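
The setup described in the last post (HAProxy accepting HTTPS on the firewall's public IPv6 side and forwarding by requested host name to a fixed ULA address), written out as a plain haproxy.cfg; this is an added example, not configuration from the thread. It assumes TLS passthrough with SNI routing; `media.example.org`, `cloud.example.org`, the section names and the second backend address are placeholders, and only `fdd0:a044:f4c::a` comes from the post.

```haproxy
# Added example, not from the thread. Host names are placeholders.
defaults
    mode tcp                      # TLS passthrough: HAProxy does not decrypt
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend fe_https_v6
    # Bind to the IPv6 wildcard so the listener does not contain the
    # delegated prefix and keeps working after the provider changes it.
    bind [::]:443 v6only

    # Hold the connection until the TLS ClientHello has arrived,
    # otherwise the SNI field is not yet available for matching.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Route on the server name the client asked for (SNI).
    use_backend be_media if { req.ssl_sni -i media.example.org }
    use_backend be_cloud if { req.ssl_sni -i cloud.example.org }

backend be_media
    # ULA address of the media server as shown in the post; it is
    # independent of the provider's prefix delegation.
    server media [fdd0:a044:f4c::a]:443 check

backend be_cloud
    # Hypothetical second host in the same ULA /64.
    server cloud [fdd0:a044:f4c::b]:443 check
```

In this layout the AAAA records have to point at the firewall's WAN address, since that is where HAProxy listens, and the WAN rule only has to allow TCP 443 to the firewall itself. The backends see the firewall's address as the source of each connection, not the client's.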
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.