Can ipv6 virtual server point at ipv4 pool elements?



  • Any reason a virtual server on the WAN with an ipv6 address can't include a server member in its balancing pool on a LAN side subnet that has a private (RFC 1918) ipv4 address?

    It ought to work, but then…


  • Rebel Alliance Developer Netgate

    With the built-in load balancer (relayd) it's all done in NAT so you can't do that. With a true proxy like HAproxy, it might work but I haven't tried it.

    Relayd doesn't actually proxy. The source address is preserved and the original connection is forwarded, so it all has to stay in the same address family.

    HAProxy accepts a connection and initiates its own new connection out to the server locally, so it's possible that might be able to mix families in this way, though I wouldn't hold my breath.



  • HAProxy should be able to mix v6 frontends and v4 backends and/or the other way around. The transparent-clientip feature won't work due to the fact that v4 and v6 cannot be mixed in one IP connection. Other than that it should all be fine :).
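
A sketch of the setup discussed above as an HAProxy configuration. This is an added example, not from any of the posts: the listener address (IPv6 documentation prefix), the RFC 1918 pool addresses and the names `www_v6`, `pool_v4`, `web1` and `web2` are assumptions. Because the client's source address cannot be carried across address families, the pool members see the proxy's IPv4 address, and the client's IPv6 address is passed in a header instead.

```haproxy
# Added example: IPv6 frontend on the WAN, IPv4 pool members on the LAN.
# All addresses and names below are placeholders.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www_v6
    # IPv6 virtual server address on the WAN side
    bind [2001:db8::10]:80

    # Drop any X-Forwarded-For sent by the client so pool members only
    # ever see the value written by this proxy.
    http-request del-header X-Forwarded-For

    # HAProxy opens its own IPv4 connection to the pool, so the original
    # IPv6 source address is recorded in X-Forwarded-For rather than
    # preserved on the wire (no transparent client IP across families).
    option forwardfor

    default_backend pool_v4

backend pool_v4
    balance roundrobin
    # Private IPv4 members on the LAN side subnet
    server web1 192.168.1.11:80 check
    server web2 192.168.1.12:80 check
```

Access logs and any address-based controls on the pool members need to read the forwarded header, and should accept it only on connections coming from the proxy's LAN address.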



  • Thanks everyone!

    For me IPv6 awaits what you might call a 'killer app'.  Right now, it represents a black hole for work time, and what do I have to talk about to people who use tech as an everyday tool?  "Well, you can do everything you did before, except some websites won't work."

    For transitional purposes, what I'd really like to see is a pure outbound NAT that could map a whole block of v6 on the lan side to a single v6 on the wan side– because 'real isps' don't 'just delegate' /64 or anything else for that matter consistently.

    Longer term:  In the same spirit as the 'just click this if you want a transparent proxy' for squid, I'd like to see a similar 'one click config' that maps an internal fc00:/something space to two ISPs in a 'real' way (choosing ISP via per dest ip metric).  The Npt/load balancer gateway possibility is a 'sort of'.  A necessary feature is the ability to deny IPv6 access to all in an alias because some users want routine access to Netflix or other services that ... do ... not ... like ... this v4 range or that v6 range.


  • Rebel Alliance Developer Netgate

    1. As IPv4 addresses evaporate, some sites will be IPv6 only. If it hasn't started happening already, it's only a matter of time.

    2. No. Just NO. You do not need nor want NAT with IPv6 and doing that only allows ISPs to get away with bad and invalid IPv6 configurations. IPv6 is not scarce. Do not allow them to treat it as such.

    3. There is already an example config for IPv6 Multi-WAN. No need to use private space on LAN, you can use one native and NPt to map the other. It does require static addressing on both IPv6 WANs, though.



  • Thanks much.

    Re #1: So true, and so opaque to the nice folks who have this long list of things they'd like done.

    Re #2…. The firm but gentle encouragement I give along these lines has the same result the cashier at the grocery store gives when I explain "But I contribute to open source software, do I still have to pay?"

    Re #3:  Time for a "Track" option on Npt.  Until then, I'd like to see the "Filer" package back so I don't have to move custom scripts along with config.xml.

    Still need a way to 'turn off' v6 only for all hosts in an alias as a transitional thing.



  • @hcoin:

    Re #2…. The firm but gentle encouragement I give along these lines has the same result the cashier at the grocery store gives when I explain "But I contribute to open source software, do I still have to pay?"

    Not an apt comparison at all. If you're paying someone for connectivity and they aren't routing you an IPv6 block for use internally, they aren't providing what you're paying for.