OPNsense Forum

English Forums => General Discussion => Topic started by: robert199311 on February 08, 2023, 03:45:08 pm

Title: IPV6 Webserver
Post by: robert199311 on February 08, 2023, 03:45:08 pm
Hi All,

I'm running into an issue. (Quite new to IPV6)

I've enabled IPV6 successfully on both DMZ and LAN. IPV6 tests are all successful.
This is the situation:
WAN prefix: 2a02:a45a:9668::/48
LAN: 2a02:a45a:9668:0::
DMZ (webserver address): 2a02:a45a:9668:1::c3c3

I can locally connect to the webserver IPV6 address without any problems.

In my DMZ I'm trying to make my webserver publicly available: 2a02:a45a:9668:1::c3c3 . But that's where the challenge starts. I thought the only thing I need to do is to Pass 443 to the IPV6 address on the WAN port, but that doesn't cut it.

(Tested with http://ipv6.my-addr.com/ipv6-ready-ipv6-connectivity-ipv6-website-test.php.php?site=2a02%3Aa45a%3A9668%3A1%3A%3Ac3c3)

Any ideas on what I'm doing wrong?

Kind regards,

Robert
Title: Re: IPV6 Webserver
Post by: Patrick M. Hausen on February 08, 2023, 04:11:10 pm
Rule goes on the WAN interface:

Source: any
Source port: any
Destination: IPv6 address of web server in DMZ
Destination port: 443
Protocol: TCP

Should work. Does the web server have an IPv6 default gateway?
Title: Re: IPV6 Webserver
Post by: robert199311 on February 08, 2023, 04:32:52 pm
Thanks for your quick reply. Unfortunately it doesn't work though. That's exactly what I've set up on the WAN interface.

default gateway on the server seems to work as well:
Code:
ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2a02:a45a:9668:1::c3c3 dev ens18 proto kernel metric 100 pref medium
2a02:a45a:9668:1::/64 dev ens18 proto ra metric 100 pref medium
fe80::/64 dev ens18 proto kernel metric 1024 pref medium
default via fe80::21a:8cff:fe6c:1a56 dev ens18 proto ra metric 100 pref medium

The "fe80::21a:8cff:fe6c:1a56" address also shows on the DMZ interface in the admin GUI.

I should not use the link-local address to accept the traffic, right? (I didn't, but just double-checking.)
Title: Re: IPV6 Webserver
Post by: robert199311 on February 08, 2023, 04:40:07 pm
When I changed the firewall rule it worked for a second. But that could have been a false positive.
This is how the rule is set up now.
Title: Re: IPV6 Webserver
Post by: Patrick M. Hausen on February 08, 2023, 05:36:41 pm
Not /64 - just a single host as the destination. For a better overview create an alias of type host, name it e.g. host6_webserver with just this single address, then use that as the destination in your rule.

You are right - use the global unicast address, not the link local one. On the other hand it is perfectly ok if the web server has the link local address of OPNsense in that DMZ as the default gateway.
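
Added example, not part of the thread and not OPNsense code: a Python check of the destination field of an inbound WAN pass rule, flagging the two points raised above (a /64 instead of a single host, and a link-local instead of a global unicast address). The prefix and addresses are the ones posted in the thread; the names `check_destination`, `audit` and `SAMPLE_DESTINATIONS` are assumptions made for this illustration.

```python
import ipaddress

# Delegated prefix as posted in the thread.
DELEGATED_PREFIX = ipaddress.ip_network("2a02:a45a:9668::/48")

# Constructed sample destinations built from the thread's addresses.
SAMPLE_DESTINATIONS = [
    "2a02:a45a:9668:1::c3c3",      # single host (implicit /128)
    "2a02:a45a:9668:1::c3c3/64",   # host address entered with a /64 mask
    "fe80::21a:8cff:fe6c:1a56",    # link-local gateway address
]


def check_destination(dest):
    """Return a list of findings for one rule destination (empty = OK)."""
    try:
        iface = ipaddress.ip_interface(dest)
    except ValueError:
        return ["not an IP address or network: %r" % dest]
    if iface.version != 6:
        return ["not an IPv6 destination"]

    findings = []
    if iface.ip.is_link_local:
        # Link-local addresses are never routed, so a WAN rule cannot match them.
        findings.append("link-local address: use the global unicast address")
    elif iface.ip not in DELEGATED_PREFIX:
        findings.append("address is outside %s" % DELEGATED_PREFIX)

    if iface.network.prefixlen != 128:
        # A network destination opens the port on every host in that subnet.
        findings.append(
            "/%d matches all of %s, not only the web server: use a single host"
            % (iface.network.prefixlen, iface.network)
        )
    return findings


def audit(destinations):
    """Map each destination string to its findings."""
    return {dest: check_destination(dest) for dest in destinations}


if __name__ == "__main__":
    for dest, findings in audit(SAMPLE_DESTINATIONS).items():
        print(dest, "->", findings or "OK")
```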
Title: Re: IPV6 Webserver
Post by: robert199311 on February 08, 2023, 05:45:32 pm
Oh stupid me :-) It works now! Thank you very much!