Netgate Discussion Forum

Force certain domains through IPv6 gateway

Category: IPv6
12 Posts, 5 Posters, 3.7k Views
omnidan

Hi all,

I have an IPv6 tunnel from tunnelbroker/HE set up and working on my pfSense.
Now I want to specify a firewall rule or a DNS override that forces certain domains to only be accessed through the IPv6 gateway that goes to this tunnel.

Here's how I think it might work:
A host on my LAN wants to access youtube.com.
pfSense, with an up-and-running DNS resolver, should perform the DNS lookup at Google's DNS servers, for example, but only tell the client the IPv6 address for this domain. Hence, the requesting client would automatically use IPv6, which automatically goes to the right gateway on my pfSense…

How can I do this? Are there any better ideas?

I don't wish to update any overrides manually when IP addresses for a domain change.

Help gladly appreciated!

Dan

johnpoz (LAYER 8 Global Moderator)

Most every client prefers IPv6 out of the box, so it should be using IPv6 if it got back an AAAA for what it looked for, and you have a working IPv6 network.

If you're not using IPv6 to get to something that has an IPv6 address, I would make sure you didn't change your client to prefer IPv6, or disable IPv6 lookups in your browser, etc.

I, on the other hand, like it the other way: I purposefully change all my clients to prefer IPv4 over IPv6. I only want to go IPv6 when I specifically am trying to go to IPv6..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

omnidan

Thanks for the quick reply!

I'm using this to unblock certain streaming sites ;) While Safari on Mac indeed prefers IPv6, the YouTube app on the iPad does not, for example. I found a little workaround:

I created an alias for the domains I want to force to use IPv6 and then added a firewall rule to block all IPv4 traffic to this alias. It seems to work, but I find it highly non-elegant ::)

Any better solutions still very welcome!

johnpoz

Really, I thought with the release of iOS 9 IPv6 was going to be preferred, maybe I read it wrong.. Would have to do some testing with my own iPad, but I thought I recalled reading back last year that IPv6 was going to be much more supported and even preferred in iOS 9 going forward.

I normally don't even give my iPad an IPv6 – but can sure test, if it has one, which one it likes best.

Gertjan

@johnpoz:

    ….
    I normally don't even give my ipad an IPv6 -- ......

You don't need to "give" :) It just grabs one if you have an IPv6 LAN:

2001:470:1f13:5c44:2::d5 		00:01:00:01:1b:46:42:ce:91:b9:31:77:5e:26 	90:b9:31:77:5f:26 (Apple) 	iPhone-5S-Gertjan

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??

johnpoz

In my network I have to give it ;)  I have IPv6 on my LAN and my normal secured WLAN, but it's all static, and I do not even run RA..

I guess I could connect it or my phone to my play wifi segment, where IPv6 is surely given out.  Maybe will play with this tonight?

dennypage

I don't think you read it wrong. There is a 25ms advantage now given to IPv6:

https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html

@johnpoz:

    Really, I thought with the release of ios 9 ipv6 was going to be preferred, maybe I read it wrong..

omnidan

While this discussion is also very interesting, it does not propose a solution to my original question ;-) Blocking IPv4 by firewall is not working reliably. I would prefer for the clients to not know about the IPv4 connectivity of the requested domain at all.
Does anyone know how to tweak the DNS in the desired way?

dennypage

I don't know of a way to selectively deny access to A records based on client and query domain short of writing your own DNS forwarding engine. Others may, but I doubt it. And if there were a way to do it, it would still be simple for clients to bypass by using public DNS services.

If you set aside the narrow A vs AAAA record solution and describe the higher level problem you are trying to solve, someone may be able to help you find a workable approach.

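A minimal version of the "own DNS forwarding engine" dennypage describes, added here as an illustration and not code from the thread, from pfSense or from Unbound: a UDP forwarder that answers A queries for a configured list of zones with an empty NOERROR/NODATA reply and hands everything else, AAAA queries included, to the real resolver unchanged. The zone list, the listen and upstream addresses and the helper names are assumptions chosen for the example; the two domain names are the ones named in the thread, and `build_query()` exists only to construct sample traffic.

```python
"""Policy-aware DNS forwarder: withhold A answers for selected zones.

Added example, not from the thread or from pfSense/Unbound. Assumptions:
stdlib only, UDP only, one question per query, suffix match on the zone list.
"""
import socket
import struct

QTYPE_A = 1
QTYPE_AAAA = 28

# Constructed policy list (the two names mentioned in the thread). A queries for
# these zones get NOERROR/NODATA, so a dual-stack client that also asked for
# AAAA is left with only an IPv6 address to connect to.
IPV6_ONLY_ZONES = ("youtube.com", "netflix.com")


def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) of the single question in msg."""
    if len(msg) < 12:
        raise ValueError("DNS header too short")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("compressed name in question")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


def matches_policy(qname, zones=IPV6_ONLY_ZONES):
    """True if qname is one of the policy zones or a name beneath one."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def nodata_response(query):
    """NOERROR answer with no records: echo ID and question, set QR and RA."""
    _, _, _, qend = parse_question(query)
    rd = query[2] & 0x01                  # keep the client's RD bit
    flags = 0x8000 | (rd << 8) | 0x0080   # QR=1, RD as sent, RA=1, RCODE=0
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return header + query[12:qend]


def handle(query, forward):
    """Apply the policy; otherwise hand the raw query to `forward`."""
    qname, qtype, _, _ = parse_question(query)
    if qtype == QTYPE_A and matches_policy(qname):
        return nodata_response(query)
    return forward(query)


def build_query(qname, qtype, qid=0x1234):
    """Wire-format query with RD set; used here to construct sample traffic."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def forward_udp(query, upstream=("127.0.0.1", 53), timeout=2.0):
    """Relay one query to the real resolver over UDP and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)


def serve(listen=("127.0.0.1", 5353), upstream=("127.0.0.1", 53)):
    """Listen on a local port and answer every query through handle()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(listen)
        while True:
            query, client = s.recvfrom(4096)
            try:
                reply = handle(query, lambda q: forward_udp(q, upstream))
            except (ValueError, socket.timeout):
                continue  # malformed query or silent upstream: drop it
            s.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Run it on the firewall with `upstream` pointed at the local resolver and hand the listener out to clients as their DNS server. dennypage's caveat stands: a client configured with a public resolver never sees this policy, so the filter is only as effective as the firewall rules that keep LAN port 53 traffic on the local listener, and a client that cached an A record before the policy was enabled keeps using it until the TTL expires. Gertjan's later warning about Netflix and he.net applies regardless of how the record filtering is done.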
omnidan

Alright, let me try again by describing the high-level problem :)

For various devices on my network (Apple TV, iPad, notebook etc.) I want to unblock geo-restrictions of video streaming by routing the traffic of Netflix, YouTube etc. through an IPv6 HE tunnel.

The tunnel is working and I have complete control over the devices. Some do have limited options for configuration, however, i.e. the Apple TV or iPad. All devices get their IPv6 configuration and route IPv6 traffic properly to the tunnel gateway. Some apps however still prefer IPv4 (25ms advantage of IPv6 or not). That's why I want to force IPv6 for certain domains like youtube.com, netflix.com etc.

reinderien

This works if you add BIND and a domain redirect:

https://www.reddit.com/r/PFSENSE/comments/6weauh/ipv6_and_netflix_another_option/

Gertjan

@omnidan:

    Alright, let me try again by describing the high-level problem :)

    For various devices on my network (Apple TV, iPad, notebook etc.) I want to unblock geo-restrictions of video streaming by routing the traffic of Netflix, YouTube etc. through an IPv6 HE tunnel.

    The tunnel is working and I have complete control over the devices. Some do have limited options for configuration, however, i.e. the Apple TV or iPad. All devices get their IPv6 configuration and route IPv6 traffic properly to the tunnel gateway. Some apps however still prefer IPv4 (25ms advantage of IPv6 or not). That's why I want to force IPv6 for certain domains like youtube.com, netflix.com etc.

Netflix over IPv6 using he.net?
That would be a huge no-go. Netflix WILL block you.

Running IPv6 via he.net (tunnel broker) is ok, but all netflix.com traffic should be forced to choose IPv4.

@reinderien : Very nice. Gonna try your solution.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.