Netgate Discussion Forum

    Dual-Stack NAT Port-Forward Mess

phipac:

      Greetings, all. I'm opening myself up for some schooling here, so have at me! I'll try to simply lay out what I'm trying to do.

      DNS A Record > IPv4_WAN:port_a > NAT > IPv4_LAN:port_b

Works great, as it always has for the last 40-whatever years. The puzzle I have is, how do I achieve the same once I add a DNS AAAA record with the same hostname? I want my "users" to be able to go to host.name.com:port and have their connection work whether it be IPv4 or IPv6. If it's IPv4, then the flowchart above applies. But what about IPv6? I don't want them to have to use a different host name or a different port. Since one does not NAT or port forward on IPv6, how can this be accomplished?

      DNS AAAA Record > IPv6_WAN:port_a > whatever > IPv6_LAN:port_b

Again, I realize IPv6 is designed so each host can have its own unique public address. I guess I'm trying to not have to use a bunch of fourth-level domain names all pointing to unique addresses. OK, let the games begin! And thank you.

johnpoz (Global Moderator) @phipac:

@phipac your AAAA record would point to the IP of the device you're wanting to talk to. You wouldn't do a port forward, you would just allow the traffic on the firewall.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

phipac @johnpoz:

          @johnpoz said in Dual-Stack NAT Port-Forward Mess:

@phipac your AAAA record would point to the IP of the device you're wanting to talk to. You wouldn't do a port forward, you would just allow the traffic on the firewall.

          I forgot to add one very important piece of information. The domain name I am using can be used with several different ports to access various services on the network. Some of those services would have different unique IPv6 addresses.

johnpoz @phipac:

@phipac port has nothing to do with DNS..

If you point host.domain.tld to the IPv6 address of your server, you can allow whatever port you want on whatever services you're running - DNS is not part of that equation.

            Some of those services would have different unique IPv6 addresses.

            Why are they different servers? Then they should have a different fqdn.

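The rule that falls out of the exchange so far (the AAAA record names the host itself, the firewall only passes the port, and a name cannot select a host by port) can be checked mechanically before anything is typed into pfSense. The planner below is an added example, not code from this thread, from pfSense or from Netgate: it takes a constructed service table, emits pf-style `rdr`/`pass` lines for the IPv4 path and pass-only lines for the IPv6 path, and flags the two things the IPv6 path cannot do here, translating a port and reaching two hosts through one FQDN. The service table, the documentation-range addresses and the `wan` interface name are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    """One published service: DNS name, public port (port_a), LAN target (port_b)."""
    fqdn: str
    proto: str                        # "tcp" or "udp"
    public_port: int                  # port_a in the thread's diagram
    inside_v4: str                    # IPv4_LAN address of the backend
    inside_port: int                  # port_b
    inside_v6: Optional[str] = None   # backend's global IPv6 address, None if IPv4-only


# Constructed sample (documentation ranges): one hostname, three LAN hosts.
SERVICES = [
    Service("host.example.com", "tcp", 443, "10.0.0.20", 8443, "2001:db8:1::20"),
    Service("host.example.com", "tcp", 4949, "10.0.0.10", 4949, "2001:db8:1::10"),
    Service("host.example.com", "tcp", 2222, "10.0.0.30", 22),
]


def ipv4_rules(s: Service) -> List[str]:
    """DNS A -> WAN:port_a -> rdr -> LAN:port_b, plus the pass rule the NAT needs."""
    IPv4Address(s.inside_v4)  # raises ValueError on a malformed address
    return [
        f"rdr on wan inet proto {s.proto} from any to (wan) port {s.public_port} "
        f"-> {s.inside_v4} port {s.inside_port}",
        f"pass in on wan inet proto {s.proto} from any to {s.inside_v4} port {s.inside_port}",
    ]


def ipv6_rules(s: Service) -> List[str]:
    """DNS AAAA -> the host itself; there is no rdr, only a pass to the host's own port."""
    if s.inside_v6 is None:
        return []
    IPv6Address(s.inside_v6)
    return [f"pass in on wan inet6 proto {s.proto} from any to {s.inside_v6} port {s.inside_port}"]


def plan(services: List[Service]) -> Tuple[List[str], List[str]]:
    """Return (rule lines, problems) for a service table."""
    rules: List[str] = []
    problems: List[str] = []
    for s in services:
        rules += ipv4_rules(s) + ipv6_rules(s)
        if s.inside_v6 is not None and s.public_port != s.inside_port:
            problems.append(
                f"{s.fqdn}:{s.public_port} -> {s.inside_v6}:{s.inside_port}: "
                f"IPv6 path has no port translation; the backend must listen on "
                f"{s.public_port} or sit behind a reverse proxy")
    # Port is not part of DNS: a client resolves the name, then picks an address.
    # One name that must reach two IPv6 hosts cannot be disambiguated by port.
    targets = {}
    for s in services:
        if s.inside_v6 is not None:
            targets.setdefault(s.fqdn, set()).add(s.inside_v6)
    for fqdn, addrs in sorted(targets.items()):
        if len(addrs) > 1:
            problems.append(
                f"{fqdn}: AAAA would have to name {sorted(addrs)}; a client cannot "
                f"choose between them by port, so use one FQDN per host")
    return rules, problems


if __name__ == "__main__":
    r, p = plan(SERVICES)
    print("\n".join(r))
    print("\n".join(p))
```

Run it and the web service is reported twice: once because 443 cannot become 8443 on IPv6, and once because the hostname would need two AAAA targets. The munin service on its own produces no complaints, which is the shape the moderator describes: one name, one host, a pass rule on the port.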

phipac @johnpoz:

              @johnpoz said in Dual-Stack NAT Port-Forward Mess:

              @phipac port has nothing to do with dns..

              If you point host.domain.tld to ipv6address of your server

              Some of those services would have different unique IPv6 addresses.

              Why are they different servers? Then they should have a different fqdn.

              Yeah I was trying to avoid creating more fqdns, but that does make sense. I wish the world would just get on with IPv6 already!

johnpoz @phipac:

@phipac you could use a reverse proxy if you wanted to.. Then you can send ipv6:portX to ipv6:port, where you can change up that IP or port depending on whatever you're wanting to do.

But if you're talking to a different host then it would be a different fqdn.


phipac @johnpoz:

                  @johnpoz said in Dual-Stack NAT Port-Forward Mess:

                  @phipac you could use a reverse proxy if you wanted to..

                  I do that for web page based services, but TCP connections for services like Munin I don't believe work with reverse proxy. Or am I about to learn something else new?

johnpoz @phipac:

                    @phipac it is possible to do reverse proxy with tcp ports - I haven't had a need to do such a thing.

But why would you not just have munin.domain.tld for that service and other.domain.tld for whatever other services you're trying to talk to.. they could resolve to the same IPv6 or different.

edit: or if you're happy with how IPv4 is working - why throw IPv6 into it at all.. There is nothing saying you have to use IPv6, unless you're behind a CGNAT and that is the only way to get unsolicited inbound into your network.

                    Just because IPv6 is the future, doesn't mean that future for you is now ;) Could be 20 some years before IPv6 is the main protocol to be honest.

My ISP doesn't even provide it - I have had IPv6 from like 2011 or something via HE tunnel.. I sure don't use it for any services I provide or use while I am remote to get into my network. As you said, IPv4 with NAT and port forwards work just fine. ;) Providing those services via IPv6 gets me nothing other than more complexity. Shoot, most of my users of my plex server don't have IPv6, or even know what IPv4 is let alone IPv6 ;)

                    Not sure what all services you want to provide to the internet - but any services I need to access on my network while I am about I just vpn in - via IPv4 ;)

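For the TCP case raised in the last two posts (a reverse proxy that maps a listening port to a backend host and port, which works for plain TCP such as munin-node and not only for HTTP), here is an added Python example, not code from this thread, from pfSense or from the Munin project. It is a small asyncio byte-pipe proxy: each listening port forwards to one configured backend, half-closes are relayed so a client that finishes sending still receives the reply, and a backend that is down drops the client instead of leaving it hanging. The `BACKENDS` map, its documentation-range addresses, the listen address `::` (which on Linux also accepts IPv4 clients unless `net.ipv6.bindv6only` is set) and the `roundtrip` self-check against a local echo backend are all constructed assumptions.

```python
import asyncio

# Constructed listen-port -> backend map, in the spirit of "ipv6:portX -> ipv6:port".
# Addresses are documentation-range placeholders, not real hosts.
BACKENDS = {
    4949: ("2001:db8:1::10", 4949),   # munin-node on host A, same port
    8443: ("2001:db8:1::20", 443),    # web service on host B, port rewritten
}


async def pipe(reader, writer):
    """Copy bytes one way, then relay EOF so the other direction can finish."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except OSError:
        pass  # peer reset: fall through and signal EOF to the other side
    finally:
        if writer.can_write_eof() and not writer.is_closing():
            try:
                writer.write_eof()
            except OSError:
                pass


async def handle_client(client_r, client_w, backend):
    host, port = backend
    try:
        be_r, be_w = await asyncio.open_connection(host, port)
    except OSError:
        client_w.close()  # backend down: close the client rather than hang it
        return
    await asyncio.gather(pipe(client_r, be_w), pipe(be_r, client_w))
    be_w.close()
    client_w.close()


async def start_proxy(listen_host, listen_port, backend):
    """One listening socket, one fixed backend; port 0 picks a free port."""
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, backend), listen_host, listen_port)


async def start_echo_backend(host, port):
    """Stand-in for munin-node: echoes whatever it receives (constructed)."""
    async def echo(r, w):
        await pipe(r, w)
        w.close()
    return await asyncio.start_server(echo, host, port)


async def roundtrip(payload, host="127.0.0.1"):
    """Start echo backend and proxy on free ports, send payload through, return reply."""
    backend = await start_echo_backend(host, 0)
    bport = backend.sockets[0].getsockname()[1]
    proxy = await start_proxy(host, 0, (host, bport))
    pport = proxy.sockets[0].getsockname()[1]
    r, w = await asyncio.open_connection(host, pport)
    w.write(payload)
    await w.drain()
    w.write_eof()                       # client is done sending; reply must still arrive
    reply = await asyncio.wait_for(r.read(), 5)
    w.close()
    await w.wait_closed()
    proxy.close()
    backend.close()
    return reply


def proxy_roundtrip(payload: bytes) -> bytes:
    return asyncio.run(roundtrip(payload))


async def serve(listen_host="::"):
    servers = [await start_proxy(listen_host, p, b) for p, b in BACKENDS.items()]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    print(proxy_roundtrip(b"hello munin"))   # local self-check through the proxy
    asyncio.run(serve())                     # then listen on the BACKENDS ports
```

The proxy host is the one address the AAAA record points at; the firewall then needs only pass rules for the listening ports on that host, and the mapping to other hosts and ports lives in `BACKENDS`. Note that this relays raw bytes, so whatever authentication munin-node or the web service does is unchanged, and the proxy host sees all of that traffic in the clear.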

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.