Messages - gmwnet

#1
Thank you - appreciate it.  I will investigate those options for us.
#2
Greetings-

I have an OPNsense box protecting three main servers - 2 back-end web servers and an nginx/varnish proxy server that answers public queries on ports 80/443.  In IPv4 this works great and as you would expect - I use private IP address space for the servers, the OPNsense box port forwards 80/443 to the proxy and then that proxy server sends the requests to each web server per some VCL rules I have set up.  Works just as you expect, using the public IPv4 of the firewall.  I have a VPN back to headquarters and we access the servers for management over that using the private IPv4 addresses.  Easy, breezy.

Now - IPv6.  We only receive one /64 statically routed subnet from our ISP.  No DHCPv6 or PD on the WAN available. I contacted them for a possible /56 but the answer was no. I have configured the WAN interface with the ::1 of that routed /64 subnet we were assigned, allowed ICMP in firewall rules - and I can ping the firewall via IPv6 ::1 address.  Great.

Now, how to get port 80 & 443 traffic to the proxy server behind OPNsense on IPv6?  Seems like with only a static /64, this might be a job of NPT and ULA addresses.  I know ULAs are deprecated, but I'm trying to rack my brain on how to get some IPv6 connectivity to the proxy server, so that it can serve public requests via IPv6.

I've searched and found several guides on this forum, and my apologies for any duplicate questions, but none of the guidance I have found seems to work exactly.  Does anyone have any insights on this type of setup?

Many thanks,
Garrett