IPv6 possible to route internally in server?



  • Hello,

    I have pfsense installed on my server.

    Input to the server is an IPv6 address that I want to route to an internal IP address (IPv4 and IPv6 available) of a virtual machine that is running a webserver.

    Is this even possible? Google said no.
    Prefer without using a Tunnel Broker. As far as I researched, that isn't needed, because I already have an IPv6 address that can be called.

    My AAAA record is already added to the DNS of a domain.

    Goal to achieve is:

    Access domain www.helloworld.com with help of IPv6 (on server and DNS)

    If it is possible, can someone help me out with some tips on where to look, or some articles?

    More info:
    What I want is for a domain name to point to a webserver inside a server.

    Server: IPv6-address (public)
    Domain DNS AAAA-record: IPv6-address
    Virtual machine: IPv6 and IPv4 address (local addresses)

    How to: point the domain's DNS to the virtual machine that's in a server, using an IPv6 address.


  • Banned

    Please, try to explain again. Are you trying to produce a pointless NAT on IPv6 or what?



  • What is your current IPv6 setup? You have functional v6 already?

    re: your reported post, doktornotor is just trying to get the necessary details for us to answer your question.



  • Edited the post.

    IPv6 is already up and running on the webserver, it all works on the server. The connection to the outside world / the outside world connection to the server isn't working yet.

    Gateway etc. are set for IPv6. Didn't try NAT 1:1 of course, but NPt (added the full IPs instead of the prefixes). VirtualIP with an Alias.
    My public IP I'm referring always to /48 and internally to /64 for the IPs.


  • Banned

    • You do NOT NAT IPv6.
    • You do NOT produce absolutely pointless aliases.

    Allow the traffic on WAN, protocol IPv6 TCP, source any, destination webserver's IPv6 address, destination port 80 (+443 for HTTPS). Done.

    @renege:

    My public IP I'm referring always to /48 and internally to /64 for the IPs.

    Huh? So, you have one /48 which you literally wasted on WAN and your LAN's /64 subnets are inside that?  :o This will "work" exactly as "well" as if you placed say 10.10.10.10/8 on WAN and created a LAN with 10.0.0.0/24. Completely broken.



  • @doktornotor:

    • You do NOT NAT IPv6.
    • You do NOT produce absolutely pointless aliases.

    Allow the traffic on WAN, protocol IPv6 TCP, source any, destination webserver's IPv6 address, destination port 80 (+443 for HTTPS). Done.

    @renege:

    My public IP I'm referring always to /48 and internally to /64 for the IPs.

    Huh? So, you have one /48 which you literally wasted on WAN and your LAN's /64 subnets are inside that?  :o This will "work" exactly as "well" as if you placed say 10.10.10.10/8 on WAN and created a LAN with 10.0.0.0/24. Completely broken.

    I don't get what you mean with the last part of your reply.

    Attachments added to show settings:



  • Banned

    You clearly have absolutely no clue about what you are doing.

    - Remove the broken LAN subnet rule on WAN!!!

    • Put some /64 from the delegated /48 on WAN.
    • Put some /64 from the delegated /48 on your LAN.
    • Set up a simple rule on WAN as suggested above allowing access to the webserver's IPv6 ports 80/443 only.

    P.S. The webserver rule on LAN is completely useless.



  • @doktornotor:

    You clearly have absolutely no clue about what you are doing.

    - Remove the broken LAN subnet rule on WAN!!!

    • Put some /64 from the delegated /48 on WAN.
    • Put some /64 from the delegated /48 on your LAN.
    • Set up a simple rule on WAN as suggested above allowing access to the webserver's IPv6 ports 80/443 only.

    P.S. The webserver rule on LAN is completely useless.

    Thanks for the answer. And sorry for being not a sysadmin.

    I removed all LAN-things. And the broken LAN subnet rule on WAN.

    I probably have to choose something else than "Single host or Alias" as source/destination Type? But what, and which one should have /64, and which /48?



  • Banned

    You should have /48 configured nowhere. Already stated that repeatedly. None of this is going to work until you fix your WAN and LAN IPv6 configuration. I would strongly suggest to pay someone to do the job. Or do some basic reading on networking. Mistakes like the allow rule you had on WAN for LAN subnet make the firewall essentially non-existent with IPv6 in place, leaving your entire LAN directly accessible from Internet.



  • @doktornotor:

    You should have /48 configured nowhere. Already stated that repeatedly. None of this is going to work until you fix your WAN and LAN IPv6 configuration. I would strongly suggest to pay someone to do the job. Or do some basic reading on networking. Mistakes like the allow rule you had on WAN for LAN subnet make the firewall essentially non-existent with IPv6 in place, leaving your entire LAN directly accessible from Internet.

    Thought this was a forum. Too bad it isn't.


  • Banned

    Yeah, this is a pfSense forum. Configuring firewalls requires you understand at least basic concepts of networking. You are totally stuck with IPv4 mentality, which just does not apply to IPv6. Everyone has a public IPv6, every box can be reached directly unless you block the traffic by firewall. There is no NAT to hide behind.
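
The addressing and rule advice from this thread, worked through as an added example (not part of any post and not pfSense code). It carves separate /64s for WAN and LAN out of a /48, shows why a /48 on WAN collides with the LAN /64, and compares what a "LAN subnet" pass rule on WAN exposes against a rule for the webserver's ports 80/443 only. All prefixes, host addresses and probed ports are constructed from the 2001:db8::/32 documentation range, and the rule model (pass rules, default deny for everything else) is a simplification.

```python
import ipaddress as ip

# Constructed addressing plan in the 2001:db8::/32 documentation range.
DELEGATED = ip.ip_network("2001:db8:abcd::/48")  # stand-in for the delegated /48
HOSTS = ["2001:db8:abcd:1::50",                  # hypothetical internal-only box
         "2001:db8:abcd:1::80"]                  # hypothetical webserver VM
PROBE_PORTS = (22, 80, 443, 445)                 # constructed sample of services

def plan(delegated):
    """Carve the first two /64s out of the delegation: one for WAN, one for LAN."""
    subnets = delegated.subnets(new_prefix=64)
    return next(subnets), next(subnets)

def overlaps(wan, lan):
    """True when the WAN prefix contains or intersects the LAN prefix."""
    return wan.overlaps(lan)

def allowed(rules, dst, port):
    """Inbound WAN pass rules as (network, ports); None means any port.
    Traffic matching no pass rule falls through to the default deny."""
    addr = ip.ip_address(dst)
    return any(addr in net and (ports is None or port in ports)
               for net, ports in rules)

def exposure(rules, hosts=HOSTS, ports=PROBE_PORTS):
    """Every (host, port) pair reachable from the internet under these rules."""
    return sorted((h, p) for h in hosts for p in ports if allowed(rules, h, p))

WAN, LAN = plan(DELEGATED)
# The rule the thread calls broken: the whole LAN subnet allowed on WAN.
BROAD = [(LAN, None)]
# The rule the thread recommends: webserver address, TCP 80 and 443 only.
NARROW = [(ip.ip_network("2001:db8:abcd:1::80/128"), {80, 443})]

if __name__ == "__main__":
    print("WAN", WAN, "LAN", LAN)
    print("/48 on WAN overlaps LAN:", overlaps(DELEGATED, LAN))
    print("/64 on WAN overlaps LAN:", overlaps(WAN, LAN))
    print("broad rule exposes :", exposure(BROAD))
    print("narrow rule exposes:", exposure(NARROW))
```

Running the same `exposure` check over an exported rule list and a host inventory is a quick way to confirm that only the intended address and ports are reachable over IPv6.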

