Netgate Discussion Forum
    IPv6 Port Forwarding

joel0

Can I do port forwarding with IPv6? I know the standard answer is to use the firewall with a routed prefix of public IPs, but that is not the solution to my situation. I want to rewrite the port in addition to forwarding the traffic to the loopback address. In other situations, I may want to port forward to a site-local address on the LAN.

More details about my specific use case: I'm trying to use the Acme plugin for a Let's Encrypt certificate. The Acme challenge requires the server to be on port 80 of the WAN interface. My pfSense is behind my university's NAT, so I must use pfSense's public IPv6 address. The Acme standalone web server can't bind to port 80 because the WebConfigurator is bound to that. I would like to bind the Acme standalone server to port 81 and use port forwarding on the WAN IPv6 address port 80 to the loopback IPv6 address on port 81.

Napsterbater

        @joel0:

        Can I do port forwarding with IPv6?

Not unless you NAT, and pfSense does not support IPv6 NAT, only NPt.

        In other situations, I may want to port forward to a site-local address on the LAN.

Why? Assign a global address to that device/app and firewall off all but the needed port(s); NAT is bad. Try to break that IPv4 mindset.

        I'm trying to use the Acme plugin for a Let's Encrypt certificate

        And you can't use a DNS challenge by chance?

joel0

          @Napsterbater:

Why? Assign a global address to that device/app and firewall off all but the needed port(s); NAT is bad. Try to break that IPv4 mindset.

You're preaching to the choir on that one. NATv6 is bad in most situations. One situation I'm forced into is that we have a handful of static IPv6 addresses for hosting services to the Internet. We will also have a delegated prefix for outbound traffic, but I don't know if DHCPv6 (or SLAAC) gives us enough control to avoid setting static IPv6 addresses on each machine that provides a service. Our public IPv6 addresses will change frequently and should be managed by the firewall, not by static IPs on each host. If the university imposes an inbound firewall on our delegated prefix, port forwarding would be the only realistic option.

          And you can't use a DNS challenge by chance?

My DNS is with Namecheap for their email forwarding service. The Acme plugin doesn't support Namecheap.

Napsterbater

@joel0:

And you can't use a DNS challenge by chance?

My DNS is with Namecheap for their email forwarding service. The Acme plugin doesn't support Namecheap.

May I suggest delegating to/using Cloudflare for DNS hosting? It is free; even if you don't use their reverse proxy setup, you can use their DNS hosting. Note that Namecheap will still be your registrar, of course (they are also my registrar), and it works with the Acme plugin.

joel0

              @Napsterbater:

May I suggest delegating to/using Cloudflare for DNS hosting? It is free; even if you don't use their reverse proxy setup, you can use their DNS hosting. Note that Namecheap will still be your registrar, of course (they are also my registrar), and it works with the Acme plugin.

Namecheap only provides email forwarding if I use their DNS too (a dumb restriction). It may be possible to delegate a subdomain to a different DNS provider that works with the Acme plugin (I believe Cloudflare requires my full DNS to be delegated to them), but with that much effort, it's just easier to use the HAProxy workaround.

JKnott

@joel0:

Our public IPv6 addresses will change frequently and should be managed by the firewall, not by static IPs on each host.

Does the prefix change? If not, a MAC-based SLAAC address is pretty much static. On Windows there is also a random-number address that does not change.


joel0
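To make JKnott's point concrete (the MAC-based SLAAC address is stable only because its interface identifier is fixed; a prefix change moves every host) and joel0's bulk-renumbering problem, here is an added example, not from the thread or from pfSense, that derives the Modified EUI-64 interface identifier from a MAC (RFC 4291, Appendix A) and recomputes a host list's addresses under a new /64. The MAC and prefixes are constructed sample values.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address hold the interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC, as SLAAC builds it."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Insert ff:fe between the OUI half and the device half of the MAC.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # Invert the universal/local bit (bit 0x02 of the first octet).
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 with the EUI-64 IID of the given MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def renumber(addr: str, new_prefix: str) -> ipaddress.IPv6Address:
    """Keep the host's interface ID, swap in a new /64 (what a prefix change does)."""
    net = ipaddress.IPv6Network(new_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("need a /64")
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def renumber_hosts(hosts: dict, new_prefix: str) -> dict:
    """Bulk-renumber {name: address}; the kind of edit a DHCPv6 static-mapping list needs."""
    return {name: str(renumber(addr, new_prefix)) for name, addr in hosts.items()}


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"  # constructed sample MAC
    first = slaac_address("2001:db8:1::/64", mac)
    moved = renumber(str(first), "2001:db8:abcd:2::/64")  # constructed new prefix
    print("original:", first)
    print("after prefix change:", moved)
    # The IID (low 64 bits) is identical; only the prefix moved.
    print("same host IID:", int(first) & IID_MASK == int(moved) & IID_MASK)
```

Firewall rules or DNS records keyed on the full address have to be updated on every prefix change, while the IID alone is stable; that is exactly why a routed prefix that does not change is the comfortable case.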

                  @JKnott:

Does the prefix change? If not, a MAC-based SLAAC address is pretty much static. On Windows there is also a random-number address that does not change.

Unfortunately, the prefix does change. It is a unique use case, for sure. DHCPv6 may be able to help us, if we work around its limitations in the GUI.

On IPv4, we deal with the situation by putting each set of virtual IPs on a different NIC (along with a separate NIC for all outgoing NAT traffic). This solution lets us change our set of public IPs immediately with no changes to the LAN addressing. With IPv6 port forwarding, this could be done for IPv6 using site-local addresses for the destinations (DHCPv6 or static). Otherwise I'd need to configure the DHCPv6 server to assign correct world-routable addresses with static mappings to each host. The problem is that it's not easy to change the DHCPv6 static mappings in bulk, and the other records would be deleted, not deactivated.

                  In any case, it's only public services that I want to apply port forwarding to.  All outbound Internet traffic would be through a routed subnet with no NAT.
