Webserver the IPV6 way???
-
I have an Comcast IPV6 connection and a bunch of boxes behind an pfSense box and all is working well for both IPV4 and IPV6.
One of these boxes provides web services to the public network.
In the NAT/IPV4 environment:
- pfSence dyndns client keeps a public DNS domain A record with the IPV4 address assigned to the pfSense WAN side.
- The webserver box on the LAN is given a static LAN side IPV4 address by the pfSense DHCP server.
- Port 80 is port forwarded to the webserver's static IPV4 address.
How can I achieve public access to this webserver via IPV6?
- I can't run DHCPV6 to assign static addresses since the DHCP6 server requires that the LAN side IPV6 address be static, and it can't be with pfSense 2.1.
- dyndns doesn't seem to support IPV6.
- I can reach one of the LAN side boxes from the public side, but there's no way to predict a LAN side IPV6 address.
-
Do you have your own domain, or do you use one of the dynamic DNS providers? In the former case, you could delegate it to dns.he.net, and then use e.g. inadyn-mt on your server to update an AAAA record. I don't think any of the usual dynamic DNS providers support IPv6 at this time, so not sure what to do in the latter case.
Also, I would highly recommend putting the server on a separate VLAN with a second IPv6 prefix (Comcast will give you up to 16 of them) so you can easily open ports to the server without opening them to any other IPv6 address on your LAN as well.
-
I have my own domain, which I can delegate to dns.he.net so I'll look into that.
I'm not clear on the whole VLAN thing. Wouldn't I need a second LAN side interface on the pfSense box, or a managed switch to support that?
What does 'open a port' mean in the IPV6? Do you mean an WAN side port specific rule?
-
Yes, you'd either need either a second physical interface or a switch that supports VLANs (or at least passes VLAN tags through unmodified).
Unless you actually want to allow all incoming IPv6 traffic from the WAN through to the LAN side (probably not a good idea), you'll have to create pass rules for the services that you want to expose. Because your LAN prefix is dynamically assigned by Comcast (and changes e.g. on every reconnect), you can't (easily) create a pass rule that only applies to your server and not to all the other machines on your LAN as well. An easy way around this problem is to put all your public machines on a separate interface (and prefix) and add a rule that allows the desired traffic to e.g. "OPT1 subnet" (which will just match whatever prefix is assigned to that interface at any given time).