Netgate Discussion Forum

    Blueprint for exposing services via IPv6?

      -flo- 0

      So I have IPv6 running on my pfSense (2.6.0), a prefix is advertised in my LAN subnet, hosts configure their IPv6 addresses just fine, https://test-ipv6.com etc. show all green.

      On the firewall outgoing IPv6 traffic is allowed, inbound IPv6 traffic is limited to ICMPv6.

      Now I want to expose a few services on the internet via IPv6. Currently this works with IPv4, DynDNS, NAT, and port forwarding.

      Super easy because of IPv6, right?

      Candidates for this are VPN access (IPsec and OpenVPN running on pfSense), Nextcloud running in a jail on FreeBSD / TrueNAS, a virtual tabletop (a games server) also in a jail on TrueNAS.

      What is the recommended best way to do this (low cost / no cost scenario)?

      I see 2 tasks:

      • Publish the IPv6 address to a DynDNS service. (DynDNS because the prefix and thus the IP addresses may change).
      • Create firewall rules to allow access to the exposed services only.

      Is there a blueprint for how to do this?

        JKnott @-flo- 0

        @flo-0

        Your IPv6 addresses will likely be virtually static, so you can use an ordinary DNS server. It doesn't have to be dyndns.

        You'll want to ensure Do not allow PD/Address release in the WAN configuration is selected.

        My IPv6 prefix has survived replacing, at different times, the modem and complete computer that I run pfsense on.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          -flo- 0 @JKnott

          @jknott If the addresses do not change this is indeed easy, because I can use the hosts' addresses directly in the DNS.

          I'm aware of this switch and activated it. However, reportedly my provider (Deutsche Telekom) does not respect this and I must assume the prefix will change. Thus my question for a blueprint for the case with changing addresses ...

            Gertjan @-flo- 0

            @flo-0

            You could get a /48 and it will be static. I'm using two of them, and they have been fine for years now.
            But there is probably a trade-off: speed.

            See https://www.tunnelbroker.net/ and Configuring IPv6 Through A Tunnel Broker Service.

            I'm using an existing domain name on my LANs and the host names with IPv6 are written into the DNS server and thus are known globally. Some RFC 2136 scheme is used for this.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??
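
Added example, not part of any post in this thread: one way to handle the changing-prefix case with the RFC 2136 approach mentioned above is to rebuild each exposed host's address from the currently delegated prefix and emit an `nsupdate` batch that replaces its AAAA record. It assumes each host keeps a stable interface identifier (lower 64 bits); the prefixes, zone, server and host names are constructed sample values.

```python
import ipaddress

# Constructed sample data (documentation prefix 2001:db8::/32, hypothetical names).
ZONE = "example.net"
DNS_SERVER = "ns1.example.net"
# host label -> (subnet number inside the delegated prefix, stable interface ID)
HOSTS = {
    "cloud": (1, "::be24:11ff:fe00:10"),
    "vtt": (1, "::be24:11ff:fe00:11"),
}

def host_address(delegated_prefix, subnet_id, interface_id):
    """Join delegated prefix + subnet number + interface ID into one address."""
    prefix = ipaddress.IPv6Network(delegated_prefix)  # rejects set host bits
    if prefix.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    subnet_bits = 64 - prefix.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet {subnet_id} does not fit in /{prefix.prefixlen}")
    iid = int(ipaddress.IPv6Address(interface_id))
    if iid >> 64:
        raise ValueError("interface ID must only use the lower 64 bits")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | (subnet_id << 64) | iid
    )

def nsupdate_batch(delegated_prefix, hosts=HOSTS, zone=ZONE,
                   server=DNS_SERVER, ttl=300):
    """Return nsupdate input that replaces the AAAA record of every host."""
    lines = [f"server {server}", f"zone {zone}"]
    for label, (subnet_id, iid) in sorted(hosts.items()):
        fqdn = f"{label}.{zone}."
        addr = host_address(delegated_prefix, subnet_id, iid)
        # Delete the stale record first so only the current prefix is published.
        lines.append(f"update delete {fqdn} AAAA")
        lines.append(f"update add {fqdn} {ttl} AAAA {addr}")
    lines.append("send")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Feed the output to nsupdate with a TSIG key, for example:
    #   python3 thisfile.py | nsupdate -k <path-to-key-file>
    print(nsupdate_batch("2001:db8:1200:3400::/56"), end="")
```

Firewall rules that match the full destination address need the same recomputed values after a prefix change, otherwise they keep allowing the old addresses and block the new ones.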

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.