Provider: Prefix delegation. Prefix changes. HA proxy?
-
Hi@all,
I have a cable connection from Vodafone. It is a DS-Light (IPv6 only). I get a /59 prefix delegated by the provider. A Fritz! box (6690) is connected to the connection itself. The pfSense is connected to the FB.
I forward the PD on the FB to the pfSense:
Assign DNS server, prefix (IA_PD) and IPv6 address (IA_NA). I have activated and configured IPv4 on the pfSense:
In the LAN, I have activated SLAAC for IPv6 on my server VMs. I then received a valid address on these from the area delegated by the provider.
A corresponding subdomain has been created for each host (server VM) at the hosting provider (Strato). The hosts are running ddclient, which writes the assigned IPv6 address to the AAAA record at the provider.
After I have allowed access in the firewall rules, I can access the hosts from outside (HTTPS).
So far so good. The problem I see is when the prefix of the provider changes. Which it will do at some point. Then I have to adjust the firewall rules every time, which is of course unpleasant.
It occurred to me that I should configure additional ULA addresses in the LAN in addition to the public IPv6 addresses that come from the provider.
Then I could receive the HTTPS connections on the pfSense with the HA proxy, check for the URL (subdomain) called up and forward it to the appropriate ULA address of the target host if there is a match.
Does this work at all?
I already have an HA proxy setup that does exactly that, but with IPv4. I would adapt this accordingly.
with best
pixel24 -
@pixel24 said in Provider: Prefix delegation. Prefix changes. HA proxy?:
with best
Really? I can't read your screenshots. Seems to be a foreign language. Tschüss!
-
In the LAN, I use fixed ULA addresses on the server VMs in addition to the public IPv6 addresses that come from the provider.
An example. My media server has the following IP configuration:
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether xx:xx:xx:f7:e3:ee brd ff:ff:ff:ff:ff:ff
    altname enp6s18
    inet 192.168.83.10/24 brd 192.168.83.255 scope global dynamic ens18
       valid_lft 41630sec preferred_lft 41630sec
    inet6 xxxx:xxxx:2180:8e1c:5c20:3aff:fef7:e3ee/64 scope global dynamic mngtmpaddr
       valid_lft 86188sec preferred_lft 14188sec
    inet6 fdd0:a044:f4c::a/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5c20:3aff:fef7:e3ee/64 scope link
       valid_lft forever preferred_lft forever
A corresponding AAAA record is set in the subdomain at the domain host. I now create the firewall rule:
Everything works. It is unfortunate that when the provider changes the PD, I have to adjust the firewall rules every time :-(
I wanted to get the HA proxy to listen on the WAN interface (as I did with IPv4) and accept the HTTPS requests.
If the requested URL matches the host, it is forwarded to its ULA address;
but I do not have access to it. Does it even work in the HA proxy to accept an incoming connection on the public IPv6 address and forward it to a host based on its ULA address?
In the diagnostics, I can ping the target host in the LAN under its public IPv6, its ULA address and with its host name.
-
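As an added illustration of the setup asked about above (not the poster's configuration and not generated by the pfSense HAProxy package), a raw haproxy.cfg that listens on every IPv6 address of the firewall and routes by TLS SNI to backends addressed by ULA. The ULA fdd0:a044:f4c::a is the media server from the ip output above; the second ULA and the hostnames media.example.net / www.example.net are assumed placeholders.

```haproxy
global
    log /dev/log local0

defaults
    mode    tcp
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Bind to the IPv6 wildcard, not a literal global address, so a new
# delegated prefix needs no change here; the LAN hosts keep their own
# certificates because TLS is passed through, not terminated.
frontend https_in
    bind [::]:443 v6only
    # Hold the connection until the ClientHello is in so the SNI is readable.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route on the requested hostname; unknown names are dropped.
    use_backend media if { req.ssl_sni -i media.example.net }
    use_backend web   if { req.ssl_sni -i www.example.net }
    default_backend reject_unknown

backend media
    # ULA address taken from the thread; stable across provider prefix changes.
    server media1 [fdd0:a044:f4c::a]:443 check

backend web
    # Assumed ULA for a second VM (placeholder).
    server web1 [fdd0:a044:f4c::b]:443 check

backend reject_unknown
    tcp-request content reject
```

Because the proxy now owns the public-facing socket, the WAN pass rule for TCP 443 can use the "WAN address" destination instead of a literal host address, which is what removes the need to edit rules after a prefix change; only the backend ULAs must stay reachable from the firewall's LAN interface.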