Hi all -
I've been unable to figure this out, or find a previous thread that explains what I'm trying to do - I'd be glad of suggestions on how to make this work.
I have a public static IPv6 /56.
I have multiple web/app servers on the DMZ zone, each with TLS termination. The DMZ is IPv6 only. It looks like this:
https://server1.example.com > 1234::1 > DMZ > server1
https://server2.example.com > 1234::2 > DMZ > server2
https://server3.example.com > 1234::3 > DMZ > server3
Port 443 tcp/udp only for each address
I realize I can add VIPs, then point domain names to those, but don't understand how to forward from there to the actual servers in the DMZ. Could this be done with static ULA on the servers in the DMZ? e.g. Domain > VIP > DMZ > Static ULA?
I realize this can be done with Nginx/HAProxy on Opnsense, but there are a couple of reasons I don't want that (I've used Nginx for this before):
Nginx: my configs are extremely complicated, and various settings I use are not in the Opnsense Nginx UI, meaning I had to do a lot of manual config via the terminal. It's messy, and fragile.
HAProxy: No UDP
As an interim measure I'm using Cloudflare tunnels, until I can figure it out.
Thanks!
Samvel
Hi Samvel, why not just give the DMZ a /64 from your /56 allocation? Set your web hosts up with static IPs from the /64 subnet and allow inbound traffic (e.g. TCP 443) on OPNsense firewall rules.
The OPNsense DMZ interface will need a static IP on the same subnet so you can set the default gateway on the web hosts.
External DNS is simple AAAA records for your web hosts. a.k.a. applying the KISS principle ;-)
Bart...
Quote from: bartjsmit on April 30, 2025, 08:18:01 AM:
The OPNsense DMZ interface will need a static IP on the same subnet so you can set the default gateway on the web hosts.
You should use a link-local address as the default gateway. It's common and considered best practice. SLAAC will take care of that.
The rest of @bartjsmit's post is correct: there is no NAT with IPv6. Assign a /64 to your DMZ and let firewall rules take care of what is public and what is not.
Hi Bart & thanks.
Patrick - thank you too. Was just about to post and saw your reply.
You mean just open up 443 for the entire DMZ instead of trying to fiddle with rules to allow 443 per ip address? I'll give it a shot.
So 1234:5678::1/64 VIP allocation on the DMZ & disable DHCP server
1234:5678::2/128 interface
fe80::213:3bff:fee3:27bf GW
then 1234:5678::3/128 etc. static IPs for the servers?
I really struggle with IPv6
No, allow 443 per IP address but do not mess with inbound port forwarding, VIPs etc, but e.g. create a firewall alias with all your public servers and their native DMZ IPv6 addresses, then permit 443 in for that group.
- 1234:5678::1/64 static IPv6 on the OPNsense DMZ interface
- enable router advertisements on the DMZ interface
- boot your servers, check which IPv6 address they get - they will be automatic but static as long as the MAC address stays the same
- use that for public access
Patrick -
It doesn't work. When I set a static IPv6 on an interface, everything under it loses IPv6 connectivity, can't even ping. I know it should be simple but there's something wrong I can't figure out. If I leave the LAN interface for example as tracking, I can ping that interface, externally. If I set it static within my allocation, it can't be found, no route. RAD - I've tried each option. I can ping6 any static IPv6 from within the interface/network.
As you've seen above, I'm trying to do what I can easily do with IPv4 and NAT/port forward. Which would be:
https://domain1.example.com > 123.456.789.012 > 10.0.0.1
However on this network I'm IPv6 only - and even 'nattish' domain1.example.com > 1234:5678::1 > ULA fd:1 doesn't work
I'm not criticizing - there's really little information. Frustrated, and sure that I'm missing something simple and fundamental.
I do know that I can't ping any IPv6 address I set as static.
I'm suspecting there's also some sysctl settings I need to figure out on my servers (Linux)
Patrick -
Indeed IPv6 issues with the servers (Linux). I'm still working on it but it involves:
several sysctl settings to allow SLAAC
per interface settings in Network Manager.
When I've got it working properly I'll explain it here in another comment - might be useful for someone else.
Samvel
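Added example (not from any participant in this thread) covering two points raised above: the "automatic but static" SLAAC address a DMZ server forms from the OPNsense RA prefix, which is what goes into the firewall alias and the AAAA record, and the Linux sysctl values that stop a host from autoconfiguring. The /64 is the thread's example 1234:5678::/64; the MAC 00:13:3b:e3:27:bf is derived from the fe80:: gateway address quoted earlier, and the sysctl dictionaries are constructed inputs standing in for `sysctl net.ipv6.conf.<iface>` output.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, App. A) from a 48-bit MAC."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    octets[0] ^= 0x02            # flip the universal/local bit
    octets[3:3] = b"\xff\xfe"    # insert FFFE between the OUI and the NIC part
    return int.from_bytes(octets, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms for an RA-advertised /64 when addr_gen_mode is eui64 (0).
    Stays the same across reboots as long as prefix and MAC do not change."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC (RFC 4862) only forms addresses from a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64(addr: str) -> bool:
    """True when the interface ID carries the FFFE marker, i.e. it is MAC-derived."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def slaac_sysctl_notes(v: dict) -> list:
    """Explain why a Linux host with these net.ipv6.conf.<iface>.* values would not
    pick up a global address from the OPNsense router advertisements (constructed
    input: a dict of sysctl name -> int)."""
    notes = []
    if v.get("disable_ipv6", 0) == 1:
        notes.append("disable_ipv6=1: IPv6 is switched off on this interface")
    if v.get("accept_ra", 1) == 0:
        notes.append("accept_ra=0: router advertisements are ignored")
    elif v.get("accept_ra", 1) == 1 and v.get("forwarding", 0) == 1:
        # a forwarding host is a router and drops RAs unless accept_ra=2
        notes.append("forwarding=1 with accept_ra=1: RAs are ignored; set accept_ra=2")
    if v.get("autoconf", 1) == 0:
        notes.append("autoconf=0: no address is formed from the RA prefix")
    if v.get("addr_gen_mode", 0) in (2, 3):
        notes.append("addr_gen_mode=stable-privacy (NetworkManager's default): the address "
                     "is stable but not MAC-derived, read it from 'ip -6 addr' instead")
    return notes


if __name__ == "__main__":
    mac = "00:13:3b:e3:27:bf"
    print("link-local:", slaac_address("fe80::/64", mac))
    print("global    :", slaac_address("1234:5678::/64", mac))
    print(slaac_sysctl_notes({"accept_ra": 1, "autoconf": 1, "forwarding": 1}))
```

The link-local result reproduces the fe80::213:3bff:fee3:27bf gateway from the thread, which is the quickest way to confirm the EUI-64 derivation against a real interface.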