Messages

I got this working!  Here's the update in case it's useful for anyone else...

So in setting up NPTv6 in the web UI of OPNSense, I forgot to add the network notation at the end - that was it (duh, DUMMY!)  I'm rolling my eyes at myself.  I had originally put in the prefixes alone xxx:xxx:xxx:: and once I added xxx:xxx:xxx::/64 to both - bam.  It started working. And that makes complete sense - it needs to know the network size to do the translation. It's funny there is no UI error in adding them without the /64 or /whatever.  Sometimes it's the simplest of things...

Anyways - added appropriate firewall rules and it's a win.  I know the server itself will prefer IPv4 for originating outbound because the server IP6 addresses are ULA, but that's fine.  My web services I needed to answer on IP6 via the NPTv6 are now answering on the public translated IP6 addresses and it's all good.

Thank you - appreciate it.  I will investigate those options for us.

Greetings-

I have an OPNSense box protecting three main servers - 2 back-end web servers and a nginx/varnish proxy server that answers public queries on ports 80/443.  In IPv4 this works great and as you would expect - I use private IP address space for the servers, the OPNsense box port forwards 80/443 to the proxy and then that proxy server sends the requests to each web server per some VCL rules I have setup.  Works just as you expect, using the public IPv4 of the firewall.  I have a VPN back to headquarters and we access the servers for management over that using the private IPv4 addresses.  Easy, breezy.

Now - IPv6.  We only receive one /64 statically routed subnet from our ISP.  No DHCPv6 or PD on the WAN available. I contacted them for a possible /56 but the answer was no. I have configured the WAN interface with the ::1 of that routed /64 subnet we were assigned, allowed ICMP in firewall rules - and I can ping the firewall via IPv6 ::1 address.  Great.

Now, how to get port 80 & 443 traffic to the proxy server behind OPNSense on IPv6?  Seems like with only a static /64, this might be a job of NPT and ULA addresses.  I know ULAs are depreciated, but I'm trying to wrack my brain on how to get some IPv6 connectivity to the proxy server, so that it can serve public requests via IPv6.

I've searched and found several guides on this forum, and my apologies for any duplicate questions, but none of the guidance I have found seems to work exactly.  Does anyone have any insights on this type of setup?

Many thanks,
Garrett