Access my website from WAN IP
-
Hi, I'm very new to pfSense and IPv6.
Is it possible to host a website on a LAN private IPv6 address and access it from the WAN public IPv6 address?
If it is possible, please tell me how to do that. I've been trying for 2 days now.
-
Why not just use a public address? If you have a decent size prefix, you should have gazillions of 'em.
I hope you're not one of these "NAT provides security" types.
-
@jknott
I'm sorry, I have no clue how to set them.
I don't know about iPv6 at all.
And also the reason why I only want one IPv6 IP is because of DDNS.
-
@ciros55 said in Access my website from WAN IP:
and also the reason why I only want one iPv6 IP is because of DDNS.
So you want pfSense to do the DDNS update, which is in fact a shortcoming of pfSense, to only do it for its own Interfaces.
But then you're also new to pfsense at all which might be a problem.
To begin with, you should host an existing website with pfSense on IPv4 first.
-
@bob-dig said in Access my website from WAN IP:
@ciros55 said in Access my website from WAN IP:
and also the reason why I only want one iPv6 IP is because of DDNS.
So you want pfSense to do the DDNS update, which is in fact a shortcoming of pfSense, to only do it for its own Interfaces.
But then you're also new to pfsense at all which might be a problem.
To begin with, you should host an existing website with pfSense on IPv4 first.
my iPv4 is CGNAT.
-
Do you actually have IPv6? Go to test-ipv6.com to see.
If you do, you place your server on your local network and use the consistent address, often based on the MAC address, to point the DNS to.
With IPv6, you typically get a /56 or /48 prefix. A /56 provides 256 /64 networks, each of which contain 18.4 billion, billion addresses. A /48 provides 65536 /64s.
If you have a decent ISP, your IPv6 addresses should not change¹, which means you can use plain DNS and don't need DDNS.
¹ Ensure "Do not allow PD/Address release" on the WAN page is selected.
-
@ciros55 A simple IPv6 NAT Portforward is looking like this, in my example it is an email service, change to your needs accordingly. The "host_mail" alias contains the ULA of the machine. This is enough for connecting from the outside to it via IPv6.
-
@bob-dig said in Access my website from WAN IP:
A simple IPv6 NAT Portforward is looking like this
Please don't do that. There's no need for that on IPv6. The reason for NAT was to get around the IPv4 address shortage and it causes problems in the process.
NAT is a curse on the Internet.
-
@jknott said in Access my website from WAN IP:
Please don't do that.
I do because I can and pfSense is missing the DDNS- capability in this regard.
-
@bob-dig said in Access my website from WAN IP:
pfSense is missing the DDNS- capability in this regard
Why would pfsense be needing to create a ddns entry somewhere for some IPv6 device, not a pfsense IP..
Just have the client register its IP in whatever ddns you want.
Trying to run a mail server off some dynamic IP is a bad idea anyway, be it IPv4 or IPv6..
Glad you found a work around that works for you natting IPv6 - but with jknott on this, there is no reason to do that.
-
@jknott said in Access my website from WAN IP:
test-ipv6.com
the result from test-ipv6.com is 10/10.
the iPv6 Prefix = 64
ISP changes IP every 24 hours.
-
@ciros55 so you're using ULA internally, because your ISP does not provide any sort of IPv6 delegation? And you only have the one pfSense public IPv6? On the WAN?
Yet another ISP without a clue how to do IPv6 ;) And you think IPv6 is ready for prime time jknott, when ISPs do shit like that?
-
@ciros55 said in Access my website from WAN IP:
ISP changes IP every 24 hours.
You mean the prefix? Did you check that setting? If you're running SLAAC on the local network, you will have up to 8 public addresses. One is consistent and there will be up to seven privacy addresses. You get a new one every day, with the oldest expiring after 7 days. As I mentioned, you use the consistent address for DNS.
If the ISP deliberately changes the prefix, they are a crappy ISP. There is no need to do that on IPv6 or IPv4 for that matter.
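-
Added example, not part of any post in this thread: picking the consistent SLAAC address described above out of a host's address list, so that only that address is registered in DNS and the short-lived privacy addresses are not. The `ip -6 addr show` output is a constructed sample using the 2001:db8::/32 documentation prefix, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample of Linux `ip -6 addr show dev eth0` output.
# 2001:db8::/32 is the documentation prefix; all values are made up.
SAMPLE = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5600:d1c4:7a0e:93b2:11f8/64 scope global temporary dynamic
       valid_lft 86000sec preferred_lft 14000sec
    inet6 2001:db8:1234:5600:5c9a:e3d1:40b7:6e22/64 scope global temporary deprecated dynamic
       valid_lft 50000sec preferred_lft 0sec
    inet6 2001:db8:1234:5600:211:32ff:feab:cdef/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fd12:3456:789a:1:211:32ff:feab:cdef/64 scope global dynamic mngtmpaddr
       valid_lft 86000sec preferred_lft 14000sec
    inet6 fe80::211:32ff:feab:cdef/64 scope link
       valid_lft forever preferred_lft forever
"""

# Global unicast space; ULA (fc00::/7) and link-local (fe80::/10) fall outside it.
GUA = ipaddress.ip_network("2000::/3")
LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)(.*)$")
# Flags that mark an address as unsuitable for a long-lived AAAA record.
SKIP = {"temporary", "deprecated", "tentative", "dadfailed"}


def parse(text):
    """Yield (address, scope, flags) for every inet6 line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            flags = set(m.group(4).split())
            yield ipaddress.IPv6Address(m.group(1)), m.group(3), flags


def stable_global(text):
    """Addresses to publish: global unicast, not temporary, not deprecated."""
    return [a for a, scope, flags in parse(text)
            if scope == "global" and a in GUA and not (flags & SKIP)]


def privacy_addresses(text):
    """Temporary (privacy) addresses, which rotate and must not go into DNS."""
    return [a for a, _, flags in parse(text) if "temporary" in flags]


if __name__ == "__main__":
    print("publish in DNS:", [str(a) for a in stable_global(SAMPLE)])
    print("privacy, skip: ", [str(a) for a in privacy_addresses(SAMPLE)])
```

The firewall rule on the WAN side would then allow the service port to that one address only, rather than to the whole /64.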
-
@johnpoz said in Access my website from WAN IP:
when ISPs do shit like that?
Some ISPs should be shot!
-
@bob-dig
I had tried that but it didn't work. And I managed to break DHCP and DHCPv6, oopsie, that was caused by me.
-
Hi, again
I've managed to get @Bob-Dig solution to work. (finally)
(I know that I shouldn't do it like this but I only want one IP and connected to DDNS.)
Thanks, Everyone. Have a great day.
-
@jknott said in Access my website from WAN IP:
There is no need to do ....
If I was an "ISP" I could have on my wish-list :
How can I make it difficult for my clients to host services?
The why part is easy to understand:
The help desk can be short about questions like: "My mail server ....".
The answer would fall through right away to: you can't / not supported.
I presume most ISPs sell 'access' to the net. Not some scheme where you could be 'part' of the Internet.
Btw : IMHO and me thinking out loud.
-
@johnpoz said in Access my website from WAN IP:
@bob-dig said in Access my website from WAN IP:
pfSense is missing the DDNS- capability in this regard
Why would pfsense be needing to create a ddns entry somewhere for some IPv6 device, not a pfsense IP..
Just took a look again and there is no free and current or decent looking DDNS client for Windows that supports IPv6.
-
@bob-dig but how do you expect pfsense to register a ddns for an IP that is not its IP?
-
@johnpoz That is easy, if it has been given out by the DHCPv6 Service. There are even DDNS options already in it, but they are not usable with the DDNS-Clients in pfSense.
Also I know a router that already does this for you.
So it is doable and it looks like there is everything already there, it only has to be put together by some talented folks.