Blueprint for exposing services via IPv6?
-
So I have IPv6 running on my pfSense (2.6.0), a prefix is advertised in my LAN subnet, hosts configure their IPv6 addresses just fine, https://test-ipv6.com etc. show all green.
On the firewall outgoing IPv6 traffic is allowed, inbound IPv6 traffic is limited to ICMPv6.
Now I want to expose a few services on the internet via IPv6. Currently this works with IPv4, DynDNS, NAT, and port forwarding.
Super easy because of IPv6, right?
Candidates for this are VPN access (IPsec and OpenVPN running on pfSense), Nextcloud running in a jail on FreeBSD / TrueNAS, a virtual tabletop (a games server) also in a jail on TrueNAS.
What is the recommended best way to do this (low cost / no cost scenario)?
I see 2 tasks:
- Publish the IPv6 address to a DynDNS service. (DynDNS because the prefix and thus the IP addresses may change).
- Create firewall rules to allow access to the exposed services only.
Is there a blueprint for how to do this?
-
Your IPv6 addresses will likely be virtually static, so you can use an ordinary DNS server. It doesn't have to be dyndns.
You'll want to ensure "Do not allow PD/Address release" in the WAN configuration is selected.
My IPv6 prefix has survived replacing, at different times, the modem and complete computer that I run pfsense on.
-
@jknott If the addresses do not change this is indeed easy, because I can use the hosts addresses directly in the DNS.
I'm aware of this switch and activated it. However, reportedly my provider (Deutsche Telekom) does not respect this and I must assume the prefix will change. Thus my question for a blueprint for the case with changing addresses ...
-
You could get a /48 and it will be static. I'm using two of them, and they have been fine for years now.
But there is probably a trade-off: speed. See https://www.tunnelbroker.net/ and Configuring IPv6 Through A Tunnel Broker Service.
I'm using an existing domain name on my LANs and the host names with IPv6 are written into the DNS server and thus are known globally. Some RFC 2136 scheme is used for this.
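For the changing-prefix case raised in this thread, the following is an added example (not part of any post above) that rebuilds each exposed host's AAAA record from the currently delegated prefix and emits an RFC 2136 update batch for `nsupdate`. It assumes the hosts keep a stable interface identifier; the zone, server, host names, subnet ids and the documentation prefix 2001:db8::/32 are constructed placeholders.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # excludes ULA (fc00::/7) and link-local (fe80::/10)

def host_address(delegated_prefix, interface_id, subnet_id=0):
    """Current prefix + /64 subnet id + host's fixed low 64 bits -> full address."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << (64 - net.prefixlen)):
        raise ValueError("subnet id does not fit inside the delegated prefix")
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError("interface id must only use the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | iid)

def nsupdate_batch(server, zone, hosts, delegated_prefix, ttl=300):
    """Build nsupdate input that replaces the AAAA record of every exposed host.

    hosts maps a label to (subnet_id, interface_id). Only hosts that are meant
    to be reachable belong here; publishing a name does not open the firewall.
    """
    lines = [f"server {server}", f"zone {zone}"]
    for label, (subnet_id, iid) in sorted(hosts.items()):
        addr = host_address(delegated_prefix, iid, subnet_id)
        if addr not in GLOBAL_UNICAST:
            raise ValueError(f"refusing to publish non-global address {addr}")
        fqdn = f"{label}.{zone}."
        lines.append(f"update delete {fqdn} AAAA")   # drop the stale address
        lines.append(f"update add {fqdn} {ttl} AAAA {addr}")
    lines.append("send")
    return "\n".join(lines) + "\n"

# Constructed sample data: two exposed hosts in different /64s of a /56.
EXPOSED = {
    "cloud": (0x10, "::a:b:c:d"),
    "vtt": (0x10, "::a:b:c:e"),
}

if __name__ == "__main__":
    # Pass in the prefix currently delegated by the provider (placeholder here).
    print(nsupdate_batch("ns1.example.org", "example.org", EXPOSED,
                         "2001:db8:1234:5600::/56"), end="")
```

The output is meant to be piped to `nsupdate -k <keyfile>` so the update is authenticated with a TSIG key, and the firewall pass rules for the same hosts have to follow the new prefix as well.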