Default deny rule IPv6 (1000000105) - it's happening again!
-
@johnpoz what you described is what I have done. I have NAT for IPv4, and a separate rule for IPv6. Although this doesn't seem that elegant, either.
This largely works, but the problem I'm encountering now is I would like to be able to use my FQDN to access servers from either inside my LAN or from the WAN outside from the internet at large. For most apps this works; Blue Iris and Emby are fine connecting to myhost.mydomain.com.
However, one android client app (to Homeseer) insists on accessing the server from the LAN using myhost, while it must use myhost.mydomain.com from the WAN. It is not at all satisfactory to edit the domain to connect from inside or outside my network. It is not clear this is a firewall configuration problem, as this seems to be the only client exhibiting this problem connecting to one of several servers.
-
@lifespeed you want a local device to use your public FQDN host.yourpublic.com domain? Set up a host override that points host.yourpublic.com to whatever local IP, 192.168.1.100 for example.
Now local devices resolve the host.yourpublic.com FQDN to your WAN IP, and your local devices using your DNS would resolve it to your local RFC1918 address.
Using your public IPv4 for devices to access local resources would require NAT reflection to be set up.
Combining IPv4 and IPv6 rules seems nothing but problematic to me. I would for sure keep them separate. Might be fine if you have some rule that allows outbound to something like TCP on port 443 to anything, either IPv4 or IPv6.
But using that with an alias that needs to resolve both A and AAAA for the same resource doesn't seem like a good idea to me, especially if you were having both public IPv4 and local IPv4 needing to be resolved, etc.
-
@johnpoz first let me say thanks for all your help. We've established and I've implemented the following:

- Aliases and firewall rules, despite the option to do so, realistically can't and shouldn't combine IPv4 and IPv6. Instead use separate aliases and rules to handle NAT IPv4 as well as GUA IPv6.
- The LAN domain name shouldn't be the same as the public domain name; a recommended LAN name is home.arpa.
- Public-facing servers at myhost.mypublicdomain.com can be accessed from LAN or WAN using firewall and NAT rules. From the LAN only, they can be resolved by pfSense DNS using myhost or myhost.home.arpa. This is an acceptable and expected result. Browser and app URL configuration can function regardless of connection to LAN or the internet at large, pointing to myhost.mypublicdomain.com.
- Private servers not firewalled and NAT'd are accessible only from the LAN at myhost or myhost.home.arpa, which is also expected. Remote access to these private servers, if desired, would be implemented with OpenVPN to the LAN. They were never expected to be available at myhost.mypublicdomain.com.

All that said, I do have flaky behavior from the Homeseer4 server, where the Android app can connect from the WAN using myhost.mypublicdomain.com, but fails to connect from the LAN using the same FQDN. As this behavior does not replicate with any other of the several public-facing servers on this network, I'm ascribing this to a flaky old Android app.
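A small check for the split-horizon setup discussed in the thread (host override versus NAT reflection, with IPv4 and IPv6 judged separately), added here as an example and not code from the thread or from pfSense. It classifies the A and AAAA answers a LAN client receives for the public FQDN, so you can tell whether the host override is actually in effect or whether the client is being sent out to the WAN address; the sample answers are constructed, and the hostname is a placeholder.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List

# Constructed sample: what a LAN client might get back when an IPv4 host
# override exists but the AAAA record still points at the public GUA.
SAMPLE_ANSWERS = {
    "myhost.mypublicdomain.com": ["192.168.1.100", "2001:db8::100"],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")


def classify(addresses: Iterable[str]) -> Dict[str, str]:
    """Per record type, report how a LAN client will reach the name.

    'direct'     -> RFC1918 (A) or ULA (AAAA) answer: the host override is in
                    effect and traffic stays on the LAN.
    'reflection' -> public answer: the client heads for the WAN side, which only
                    works with NAT reflection (IPv4) or a rule allowing the
                    hairpin to the GUA (IPv6).
    'unresolved' -> no answer of that type.
    """
    result = {"A": "unresolved", "AAAA": "unresolved"}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 4:
            result["A"] = "direct" if any(ip in n for n in RFC1918) else "reflection"
        else:
            result["AAAA"] = "direct" if ip in ULA else "reflection"
    return result


def resolve(name: str) -> List[str]:
    """Ask the system resolver (on a LAN host, normally pfSense) for A and AAAA."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Offline run over the constructed answers; swap in resolve(name) on a real LAN client.
    for name, answers in SAMPLE_ANSWERS.items():
        print(name, classify(answers))
```

A mixed result such as A: direct, AAAA: reflection is the case the thread warns about, where a dual-stack client may prefer the AAAA answer and never use the override.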
-