
Messages - ruzamai

#1
Patrick -

Indeed IPv6 issues with the servers (Linux). I'm still working on it but it involves:
several sysctl settings to allow SLAAC
per interface settings in Network Manager.

When I've got it working properly I'll explain it here in another comment - might be useful for someone else.

Samvel
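As an added example (not code from the posts above, and not the poster's eventual configuration), this is the shape the "sysctl settings" and "per interface settings in Network Manager" mentioned in the post usually take on a Linux DMZ host that needs one fixed global address while still learning its router from RAs. The interface name, connection name and addresses are constructed placeholders (2001:db8::/32 is the documentation prefix); the NetworkManager behaviour assumed is that with `ipv6.method auto` a manual `ipv6.addresses` entry is added alongside the RA-derived configuration.

```shell
#!/bin/sh
# Added example, not from the forum thread. Interface "eth0", connection
# "dmz0" and the 2001:db8: addresses are constructed placeholders.

# Print a sysctl.d fragment for interface $1.
# accept_ra=2: keep processing router advertisements even when the host
#   forwards. With accept_ra=1 the kernel ignores RAs as soon as
#   net.ipv6.conf.<if>.forwarding is 1, a common cause of "no route".
# accept_ra_defrtr=1: install the default route the RA announces.
# use_tempaddr=0: no RFC 4941 privacy addresses on a server; replies must
#   leave from the published address or per-address firewall rules fail.
sysctl_conf() {
  iface="$1"
  printf 'net.ipv6.conf.%s.disable_ipv6 = 0\n' "$iface"
  printf 'net.ipv6.conf.%s.accept_ra = 2\n' "$iface"
  printf 'net.ipv6.conf.%s.accept_ra_defrtr = 1\n' "$iface"
  printf 'net.ipv6.conf.%s.use_tempaddr = 0\n' "$iface"
}

# Require an explicit prefix length ("addr/len") so the on-link scope of the
# static address is stated rather than defaulted.
has_prefix_len() {
  case "$1" in
    */[0-9]|*/[0-9][0-9]|*/1[01][0-9]|*/12[0-8]) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the nmcli commands that pin manual address $2 on connection $1
# while leaving RA processing (and therefore the default route) to
# NetworkManager. ip6-privacy 0 and addr-gen-mode eui64 keep every address
# on the interface stable, which per-address firewall rules rely on.
nm_commands() {
  con="$1"; addr="$2"
  has_prefix_len "$addr" || { echo "address needs /prefix: $addr" >&2; return 1; }
  printf 'nmcli connection modify "%s" ipv6.method auto ipv6.addresses "%s"\n' "$con" "$addr"
  printf 'nmcli connection modify "%s" ipv6.ip6-privacy 0 ipv6.addr-gen-mode eui64\n' "$con"
  printf 'nmcli connection up "%s"\n' "$con"
}

# Dry run by default: only prints. APPLY=1 as root writes and applies.
if [ "${APPLY:-0}" = 1 ]; then
  sysctl_conf eth0 > /etc/sysctl.d/60-dmz-ipv6.conf
  sysctl --system >/dev/null
  nm_commands dmz0 "2001:db8:1::3/64" | sh
else
  sysctl_conf eth0
  nm_commands dmz0 "2001:db8:1::3/64"
fi
```

After applying, `ip -6 route show default` should list a route via the router's link-local address learned from the RA, and `ip -6 addr show dev eth0` should show the manual address plus at most one stable autoconfigured address and no `temporary` entries; a host that prints no default route usually has `forwarding=1` with `accept_ra=1`.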
#2
Patrick -

It doesn't work. When I set a static IPv6 on an interface, everything under it loses IPv6 connectivity, can't even ping. I know it should be simple but there's something wrong I can't figure out. If I leave the LAN interface for example as tracking, I can ping that interface, externally. If I set it static within my allocation, it can't be found, no route. RAD - I've tried each option. I can ping6 any static IPv6 from within the interface/network.

As you've seen above, I'm trying to do what I can easily do with IPv4 and NAT/Port forward. Which would be:
https://domain1.example.com > 123.456.789.012 > 10.0.0.1

However on this network I'm IPv6 only - and even 'nattish' domain1.example.com > 1234:5678::1 > ULA fd:1 doesn't work

I'm not criticizing - there's really little information. Frustrated, and sure that I'm missing something simple and fundamental.

I do know that I can't ping any IPv6 address I set as static.

I'm suspecting there are also some sysctl settings I need to figure out on my servers (Linux).
#3
Hi Bart & thanks.
Patrick - thank you too. Was just about to post and saw your reply.

You mean just open up 443 for the entire DMZ instead of trying to fiddle with rules to allow 443 per ip address? I'll give it a shot.

So 1234:5678::1/64 VIP allocation on the DMZ & disable DHCP server
1234:5678::2/128 interface
fe80::213:3bff:fee3:27bf GW
then 1234:5678::3/128 etc. static IPs for the server?

I really struggle with IPv6
#4
Hi all -

I've been unable to figure this out, or find a previous thread that explains what I'm trying to do - I'd be glad of suggestions on how to make this work.
I have a public static IPv6 /56.
I have multiple web/app servers on the DMZ zone, each with TLS termination. The DMZ is IPv6 only. It looks like this:

https://server1.example.com > 1234::1 > DMZ > server1
https://server2.example.com > 1234::2 > DMZ > server2
https://server3.example.com > 1234::3 > DMZ > server3
Port 443 tcp/udp only for each address

I realize I can add VIPs, then point domain names to those, but don't understand how to forward from there to the actual servers in the DMZ. Could this be done with static ULA on the servers in the DMZ? e.g. Domain > VIP > DMZ > Static ULA?

I realize this can be done with Nginx/HAProxy on Opnsense, but there are a couple of reasons I don't want that (I've used Nginx for this before):
Nginx: my configs are extremely complicated, and various settings I use are not in the Opnsense Nginx UI, meaning I had to do a lot of manual config via the terminal. It's messy, and fragile.
HAProxy: No UDP

As an interim measure I'm using Cloudflare tunnels, until I can figure it out.

Thanks!

Samvel