This is a small personal network. My ISP earlier let me get an IPv4 address that was routed, so I could reach my web server from the internet. I got a new address recently (standard good IPv4 address via DHCP) and it is not routed. However, I can reach my server with IPv6 (tried ping).
What is the best strategy to let traffic in to the web server (only 443) via IPv6? I tried to make a rule and point out the server's IPv6 address, but in the alias section there is no such possibility; it doesn't like IPv6 addresses. So what do I do?
The IPv6 address span is a /56 that I get from my ISP, and I give it out to four separate networks inside.
A host alias takes an IPv6 address and you can then easily create a rule on WAN like:
direction: in
protocol: IPv6, TCP
source: any
destination: your web server alias
destination port: 443
action: allow
That's all. Works splendidly.
I must have chosen something wrong when I tried to make an alias, because it didn't like IPv6 addresses. Now it works. Thanks!
If your ISP uses dynamic IPv6 prefixes (many do), then you can create a "dynamic IPv6 host" alias using the EUI-64 and the interface it is on.
Of course, with dynamic prefixes, you also need a dynamic DNS service that allows you to use an IPv6 address that is using a predefined EUI-64 part. If it can only register the outbound IPv6, it will only see OpnSense's WAN IPv6, so you must be able to mix in the lower 64 bits if the target IP is not OpnSense itself.
Another way to do this is using a reverse proxy like Caddy, HAproxy or NGinx on OpnSense, in which case the dynamic DNS update gets easier, because OpnSense itself is the target, then. When you use that, you do not even have to use IPv6 for your internal web service, plus you do not need a specific firewall rule.
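The "dynamic IPv6 host" approach above depends on one calculation: the delegated prefix changes, the lower 64 bits (the host's EUI-64 interface identifier) do not, so the address to register in dynamic DNS is the new prefix plus the chosen subnet number plus the fixed interface ID. The script below is an added example, not code from this thread or from OPNsense; it derives the modified EUI-64 from a MAC (RFC 4291 appendix A), builds the host address inside a /56 delegation, and shows which DNS AAAA record changes when the ISP hands out a new prefix. The prefix values, the MAC and the subnet number are constructed sample data.

```python
import ipaddress


def eui64_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier (64-bit int) from a 48-bit MAC.

    RFC 4291 appendix A: insert ff:fe in the middle and flip the
    universal/local bit (bit 0x02 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02  # flip the U/L bit
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def host_address(delegated_prefix: str, subnet_id: int, interface_id: int) -> ipaddress.IPv6Address:
    """Combine an ISP-delegated prefix, a subnet number and a fixed interface ID.

    delegated_prefix: e.g. "2001:db8:abcd:100::/56" as shown on the WAN interface.
    subnet_id:        which /64 inside the delegation the host lives in (0..2^(64-len)-1).
    interface_id:     the lower 64 bits, unchanged when the prefix changes.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter to carve /64 subnets")
    subnet_bits = 64 - net.prefixlen
    if not 0 <= subnet_id < (1 << subnet_bits):
        raise ValueError(f"subnet_id {subnet_id} does not fit in a /{net.prefixlen} delegation")
    if not 0 <= interface_id < (1 << 64):
        raise ValueError("interface_id must be a 64-bit value")
    return ipaddress.IPv6Address(int(net.network_address) | (subnet_id << 64) | interface_id)


def ddns_update(old_prefix: str, new_prefix: str, subnet_id: int, mac: str) -> dict:
    """Work out what a dynamic-DNS updater must push after a prefix change.

    Returns the old and new AAAA values and whether an update is needed.
    A service that only records the updater's source address would instead
    see the OPNsense WAN address, which is why the interface ID must be
    supplied explicitly.
    """
    iid = eui64_from_mac(mac)
    old = host_address(old_prefix, subnet_id, iid)
    new = host_address(new_prefix, subnet_id, iid)
    return {"old": str(old), "new": str(new), "changed": old != new}


if __name__ == "__main__":
    # Constructed sample: the ISP rotates the /56, the web server keeps its MAC.
    result = ddns_update(
        old_prefix="2001:db8:abcd:100::/56",
        new_prefix="2001:db8:ffee:300::/56",
        subnet_id=3,  # fourth internal network inside the /56
        mac="00:11:22:33:44:55",
    )
    print(result)
```

The WAN firewall rule still targets the alias, not the literal address, so once the alias is a dynamic IPv6 host the rule follows the prefix on its own; only the public DNS record needs this computation.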