OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: Tubs on May 04, 2019, 05:33:55 pm
-
Hello,
Can I use the nginx plugin as a reverse proxy from an IPv6 address to an internal server with an IPv4 address only?
With everything I have tried so far, I cannot get it running.
My starting point is that my IPv4 setup is running: WAN IPv4 --> nginx --> DMZ IPv4
I set up an IPv6 GIF tunnel (HE), and in the firewall I allow ICMP and ports 80 and 443 on the tunnel interface to "this firewall".
No further setup of IPv6 addresses on any other interface.
When I look at the socket bindings of nginx, the ports look OK for IPv6:
www nginx tcp6 *:443 *:*
root nginx tcp6 *:80 *:*
root nginx tcp6 *:443 *:*
Ping from outside to local GIF address is working fine.
But HTTP and HTTPS access from outside to the local GIF address timed out. I can see nothing in the firewall logs.
Any idea what to do?
Or is what I want to do simply not possible?
-
What kind of timeout (before or after nginx)?
In theory your setup should not cause any issues as it is intended to be supported.
Client <-- IPv6 --> OPNsense (nginx) <-- IPv4 --> Backend
Client <-- IPv4 --> OPNsense (nginx) <-- IPv6 --> Backend
Can you try curl on "::1" as it should work as well but no external network is used (I would expect a routing issue) and it is not a firewall rule or routing issue.
-
Good to hear that what I want to do should work in general.
But it looks like my explanation was not precise enough.
The timeout I got was on the external machine (IPv4/IPv6 client), before the OPNsense WAN interface.
From the same external machine over IPv4 I can reach the webserver on the backend and I can ping OPNsense.
From the same external machine over IPv6 I can ping OPNsense.
I tested curl on the OPNsense CLI, both to localhost and to the external IP:
ping 127.0.0.1 --> OK
ping6 ::1 --> OK
ping xxx.xxx.xxx.xxx --> OK
ping6 xxxx:xxxx:xxxx:xxxx::xxxx --> OK
curl http://127.0.0.1 --> empty return
curl http://[::1] --> curl: no match
curl http://xxx.xxx.xxx.xxx --> OK, response from nginx
curl http://[xxx:xxxx:xxxx:xxxx::xxxx] --> curl: no match
So, I am a little bit closer. Routing issue or issue with binding of nginx to IPv6.
Any further ideas where to look next?
-
Looks like there is some internal issue in FreeBSD.
root@opn:~ # curl -I "http://[global unicast ip]:8080/"
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sun, 05 May 2019 08:53:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=821af9dcbd0717c132159e99ba9fe06e; path=/
Set-Cookie: PHPSESSID=821af9dcbd0717c132159e99ba9fe06e; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
and
root@opn:~ # curl -Iv "http://[::1]:8080/"
* Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
With ULA:
curl -Iv "http://[fe80::a00:27ff:fe5b:210a]:8080/"
* Trying fe80::a00:27ff:fe5b:210a...
* TCP_NODELAY set
* Immediate connect fail for fe80::a00:27ff:fe5b:210a: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
Since all vhosts in the nginx plugin are bound to ::, nginx listens on all interfaces and IP addresses.
@fichtner, @lattera: may something in the kernel network stack be broken? No route to host on localhost is quite strange (even when pf is disabled).
-
Is there any news about this topic?
Is it something on the OPNsense side or is it only my system that is screwed up?
The update to 19.1.8 did not change anything and I do not know where to continue searching.
-
Not from my side.
-
There is a core bug which is blocking IPv6: https://github.com/opnsense/core/pull/3501/files
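-
Added example, not part of the original thread and not OPNsense code: a small TCP probe that separates the failure modes seen above ("No route to host", timeout, refused) per address family, so a kernel/pf problem can be told apart from an nginx binding problem. The helper names and the label strings are assumptions; port 8080 is taken from the curl commands in the thread.

```python
import errno
import socket

# What each connect() result says about where the failure sits.
HINTS = {
    0: ("open", "TCP handshake completed; check the nginx vhost or backend next"),
    errno.ECONNREFUSED: ("refused", "host answered, but nothing listens on this address/port"),
    errno.EHOSTUNREACH: ("no-route", "rejected by kernel routing or pf before reaching nginx"),
    errno.ENETUNREACH: ("no-route", "rejected by kernel routing or pf before reaching nginx"),
    errno.ETIMEDOUT: ("timeout", "packets silently dropped on the path or by a firewall rule"),
}

def classify(err):
    """Map a connect() errno (0 = success) to a (label, hint) pair."""
    return HINTS.get(err, ("other", errno.errorcode.get(err, str(err))))

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect to a literal IPv4/IPv6 address and classify it."""
    # AI_NUMERICHOST: no DNS lookup, and the address family follows the literal.
    # Passing the address as a string also avoids shell globbing of [..] in URLs.
    family, kind, proto, _, addr = socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM, flags=socket.AI_NUMERICHOST)[0]
    try:
        with socket.socket(family, kind, proto) as s:
            s.settimeout(timeout)
            s.connect(addr)
        err = 0
    except socket.timeout:
        err = errno.ETIMEDOUT
    except OSError as exc:
        err = exc.errno
    return classify(err)

if __name__ == "__main__":
    # Constructed target list: both loopbacks; append the firewall's own
    # global or tunnel address (link-local needs a scope, e.g. fe80::1%em0).
    for host in ("127.0.0.1", "::1"):
        label, hint = probe(host, 8080)
        print(f"{host:<12} {label:<9} {hint}")
```

A listener bound to :: that still yields "no-route" on ::1 points away from the nginx configuration and toward the network stack or packet filter, which matches the output posted above.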