Force certain domains through IPv6 gateway



  • Hi all,

    I have an IPv6 tunnel from tunnelbroker/HE set up and working on my pfsense.
    Now I want to specify a firewall rule or a DNS-override that forces certain domains to only be accessed through the ipv6-gateway that goes to this tunnel.

    Here's how I think it might work:
    A host on my LAN wants to access youtube.com.
    Pfsense with up&running DNS resolver should perform the DNS lookup at google's DNS servers for example but only tell the client the ipv6 address for this domain. Hence, the requesting client would automatically use IPv6 which automatically goes to the right gateway on my pfsense…

    How can I do this? Are there any better ideas?

    I don't wish to update any overrides manually when IP addresses for a domain change.

    Help gladly appreciated!

    Dan


  • Rebel Alliance Global Moderator

    Most every client prefers IPv6 out of the box, so it should be using IPv6 if it got back an AAAA for what it looked for, and you have a working IPv6 network.

    If you're not using IPv6 to get to something that has an IPv6 address, I would make sure you didn't change your client to prefer IPv6 or disable IPv6 lookup in your browser, etc.

    I, on the other hand, like it the other way: I purposefully change all my clients to prefer IPv4 over IPv6. I only want to go IPv6 when I am specifically trying to go to IPv6.



  • Thanks for the quick reply!

    I'm using this to unblock certain streaming sites ;) While Safari on Mac indeed prefers IPv6, the YouTube app on the iPad does not, for example. I found a little workaround:

    I created an alias for the domains I want to force to use IPv6 and then added a firewall rule to block all IPv4 traffic to this alias. It seems to work, but I find it highly non-elegant ::)

    Any better solutions still very welcome!


  • Rebel Alliance Global Moderator

    Really? I thought with the release of iOS 9 IPv6 was going to be preferred; maybe I read it wrong. Would have to do some testing with my own iPad, but I thought I recall reading back last year that IPv6 was going to be much more supported and even preferred in iOS 9 going forward.

    I normally don't even give my iPad an IPv6 – but I can sure test, if it has one, which one it likes best.



  • @johnpoz:

    ….
    I normally don't even give my ipad an IPv6 -- ......

    You don't need to "give" :) It just grabs one if you have an IPv6 LAN:

    2001:470:1f13:5c44:2::d5 		00:01:00:01:1b:46:42:ce:91:b9:31:77:5e:26 	90:b9:31:77:5f:26 (Apple) 	iPhone-5S-Gertjan
    

  • Rebel Alliance Global Moderator

    In my network I have to give it ;) I have IPv6 on my LAN and my normal secured WLAN, but it's all static, and I do not even run RA.

    I guess I could connect it or my phone to my play wifi segment where IPv6 is given out for sure. Maybe I will play with this tonight?



  • I don't think you read it wrong. There is a 25ms advantage now given to IPv6:

    https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html

    @johnpoz:

    Really, I thought with the release of ios 9 ipv6 was going to be preferred, maybe I read it wrong..



    While this discussion is also very interesting, it does not propose a solution to my original question ;-) Blocking IPv4 by firewall is not working reliably. I would prefer for the clients to not know about the IPv4 connectivity of the requested domain at all.
    Does anyone know how to tweak the DNS in the desired way?



    I don't know of a way to selectively deny access to A records based on client and query domain short of writing your own DNS forwarding engine. Others may, but I doubt it. And if there were a way to do it, it would still be simple for clients to bypass by using public DNS services.

    If you set aside the narrow A vs AAAA record solution and describe the higher level problem you are trying to solve someone may be able to help you find a workable approach.
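The resolver-side idea from the first post and the "write your own DNS forwarding engine" remark above come down to the same filter: relay the upstream answer unchanged unless the question is under one of the forced domains, in which case remove the A records and let AAAA and CNAME records through. The following is an added example, not code from this thread, from pfSense or from Unbound: a standard-library Python implementation of that filter over raw DNS wire format, including name-compression handling so that deleting records does not break the pointers in the remaining ones. The function names, the domain list and the sample response (with the constructed CDN name `video-cdn.example` and documentation-range addresses) are all assumptions made for the example.

```python
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA, TYPE_PTR, TYPE_AAAA = 1, 2, 5, 6, 12, 28
NAME_RDATA = {TYPE_NS, TYPE_CNAME, TYPE_PTR}  # RDATA is one name that may be compressed (RFC 1035 4.1.4)

def read_name(msg, offset):
    """Decode a possibly compressed name; return (lowercase dotted name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remembering where we were
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels).lower(), (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def encode_name(name):
    """Encode a dotted name in uncompressed wire form."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".") if lab) + b"\x00"

def parse_rr(msg, offset):
    """Parse one RR; names inside RDATA are decompressed to dotted strings, other RDATA stays raw."""
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
    offset, end = offset + 10, offset + 10 + rdlength
    if rtype in NAME_RDATA:
        rdata = read_name(msg, offset)[0]
    elif rtype == TYPE_SOA:  # MNAME, RNAME, then 20 fixed bytes
        mname, off = read_name(msg, offset)
        rname, off = read_name(msg, off)
        rdata = (mname, rname, msg[off:end])
    else:
        rdata = msg[offset:end]  # opaque: A, AAAA, TXT, OPT, ...
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, end

def encode_rr(rr):
    rtype, rdata = rr["type"], rr["rdata"]
    if rtype in NAME_RDATA:
        rdata = encode_name(rdata)
    elif rtype == TYPE_SOA:
        rdata = encode_name(rdata[0]) + encode_name(rdata[1]) + rdata[2]
    return encode_name(rr["name"]) + struct.pack("!HHIH", rtype, rr["class"], rr["ttl"], len(rdata)) + rdata

def parse_message(msg):
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    offset, m = 12, {"id": msg_id, "flags": flags, "questions": []}
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        m["questions"].append((qname,) + struct.unpack("!HH", msg[offset:offset + 4]))
        offset += 4
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        m[key] = []
        for _ in range(count):
            rr, offset = parse_rr(msg, offset)
            m[key].append(rr)
    return m

def build_message(m):
    """Serialise a parsed message with all names uncompressed and the counts recomputed."""
    out = bytearray(struct.pack("!6H", m["id"], m["flags"], len(m["questions"]),
                                len(m["answer"]), len(m["authority"]), len(m["additional"])))
    for qname, qtype, qclass in m["questions"]:
        out += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for key in ("answer", "authority", "additional"):
        out += b"".join(encode_rr(rr) for rr in m[key])
    return bytes(out)

def strip_ipv4_answers(response, forced_domains):
    """Drop every A record from a response whose *question* is under a forced domain, so the client
    only learns AAAA (an A query gets NOERROR with an empty answer). Keying on the question covers CNAME chains."""
    forced = [d.lower().strip(".") for d in forced_domains]
    m = parse_message(response)
    if not any(q == d or q.endswith("." + d) for q, _, _ in m["questions"] for d in forced):
        return response  # not a forced domain: pass through byte for byte
    for key in ("answer", "additional"):  # the additional section may carry glue A records
        m[key] = [rr for rr in m[key] if rr["type"] != TYPE_A]
    return build_message(m)

def constructed_response(qname, qtype, rrs):
    """Constructed sample response (not captured traffic); earlier owners become compression pointers."""
    msg = bytearray(struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0))
    seen = {qname: len(msg)}
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in rrs:
        if owner in seen:
            msg += struct.pack("!H", 0xC000 | seen[owner])
        else:
            seen[owner] = len(msg)
            msg += encode_name(owner)
        if rtype == TYPE_CNAME:  # rdata given as a dotted target; later owners may point at it
            seen.setdefault(rdata, len(msg) + 10)
            rdata = encode_name(rdata)
        msg += struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return bytes(msg)
```

In a forwarder this sits between the upstream socket and the client: every reply passes through `strip_ipv4_answers(reply, ["youtube.com", "netflix.com"])` before it is sent back. For example, a constructed reply to an A query for youtube.com carrying a CNAME plus an A record comes back with only the CNAME and ANCOUNT set to 1, while the AAAA reply for the same name is passed through unchanged. The caveats from the reply above still apply: a client that talks to a public resolver directly never sees the filtered answer, and the client must actually have working IPv6 routing for the remaining AAAA records to be usable.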



    Alright, let me try again by describing the high-level problem :)

    For various devices on my network (Apple TV, iPad, notebook etc.) I want to unblock geo-restrictions of video streaming by routing the traffic of Netflix, YouTube etc. through an IPv6 HE tunnel.

    The tunnel is working and I have complete control over the devices. Some do have limited options for configuration, however, i.e. the Apple TV or iPad. All devices get their IPv6 configuration and route IPv6 traffic properly to the tunnel gateway. Some apps however still prefer IPv4 (25ms advantage of IPv6 or not). That's why I want to force IPv6 for certain domains like youtube.com, netflix.com etc.





  • @omnidan:

    Alright, let me try again by describing the high-level problem :)

    For various devices on my network (Apple TV, iPad, notebook etc.) I want to unblock geo-restrictions of video streaming by routing the traffic of Netflix, YouTube etc. through an IPv6 HE tunnel.

    The tunnel is working and I have complete control over the devices. Some do have limited options for configuration, however, i.e. the Apple TV or iPad. All devices get their IPv6 configuration and route IPv6 traffic properly to the tunnel gateway. Some apps however still prefer IPv4 (25ms advantage of IPv6 or not). That's why I want to force IPv6 for certain domains like youtube.com, netflix.com etc.

    Netflix over IPv6 using he.net?
    That would be a huge no-go. Netflix WILL block you.

    Running IPv6 via he.net (tunnel broker) is OK, but all netflix.com traffic should be forced to choose IPv4.

    @reinderien : Very nice. Gonna try your solution.