IPV6 Webserver

Started by robert199311, February 08, 2023, 03:45:08 PM

Hi All,

I'm running into an issue. (Quite new to IPV6)

I've enabled IPV6 successfully on both DMZ and LAN. IPV6 tests are all successful.
This is the situation:
WAN prefix: 2a02:a45a:9668::/48
LAN: 2a02:a45a:9668:0::
DMZ (webserver address): 2a02:a45a:9668:1::c3c3

I can locally connect to the webserver IPV6 address without any problems.

In my DMZ I'm trying to make my webserver publicly available: 2a02:a45a:9668:1::c3c3 . But that's where the challenge starts. I thought the only thing I need to do is to Pass 443 to the IPV6 address on the WAN port, but that doesn't cut it.

(Tested with http://ipv6.my-addr.com/ipv6-ready-ipv6-connectivity-ipv6-website-test.php.php?site=2a02%3Aa45a%3A9668%3A1%3A%3Ac3c3)

Any ideas on what I'm doing wrong?

Kind regards,

Robert

Rule goes on the WAN interface:

Source: any
Source port: any
Destination: IPv6 address of web server in DMZ
Destination port: 443
Protocol: TCP

Should work. Does the web server have an IPv6 default gateway?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 08, 2023, 04:32:52 PM #2 Last Edit: February 08, 2023, 04:34:49 PM by robert199311
Thanks for your quick reply. Unfortunately it doesn't work though. That's exactly what I've set up on the WAN interface.

Default gateway on the server seems to work as well:
ip -6 route show
::1 dev lo proto kernel metric 256 pref medium
2a02:a45a:9668:1::c3c3 dev ens18 proto kernel metric 100 pref medium
2a02:a45a:9668:1::/64 dev ens18 proto ra metric 100 pref medium
fe80::/64 dev ens18 proto kernel metric 1024 pref medium
default via fe80::21a:8cff:fe6c:1a56 dev ens18 proto ra metric 100 pref medium


The "fe80::21a:8cff:fe6c:1a56" address also shows on the DMZ interface in the admin GUI.

I should not use the link-local address to accept the traffic, right? (I didn't, but just double checking)

February 08, 2023, 04:40:07 PM #3 Last Edit: February 08, 2023, 04:58:17 PM by robert199311
When I changed the firewall rule it worked for a second. But that could have been a false positive.
This is how the rule is set up now.

Not /64 - just a single host as the destination. For a better overview create an alias of type host, name it e.g. host6_webserver with just this single address, then use that as the destination in your rule.

You are right - use the global unicast address, not the link local one. On the other hand it is perfectly ok if the web server has the link local address of OPNsense in that DMZ as the default gateway.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
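
The two checks from the reply above (a single host rather than a /64, and the global unicast address rather than the link-local one) written as a small destination audit. This is an added example, not part of the original thread and not OPNsense code; the rule layout, `audit_destination` and `audit_rules` are hypothetical names, and the sample rules are constructed from the addresses posted in the thread.

```python
import ipaddress

# Prefix delegated to the site in the thread.
DELEGATED = ipaddress.ip_network("2a02:a45a:9668::/48")


def audit_destination(dest):
    """Return findings for one WAN pass-rule destination ("addr" or "addr/len")."""
    iface = ipaddress.ip_interface(dest)  # a bare address is treated as /128
    if iface.version != 6:
        return ["not an IPv6 destination"]
    findings = []
    if iface.ip.is_link_local:
        findings.append("link-local address, use the global unicast address")
    elif iface.ip not in DELEGATED:
        findings.append(f"outside the delegated prefix {DELEGATED}")
    if iface.network.prefixlen < 128:
        # A network destination opens the port for every host in that network.
        findings.append(f"matches every host in {iface.network}, not a single host")
    return findings


# Constructed sample rules (hypothetical layout, not an OPNsense export).
SAMPLE_RULES = [
    {"descr": "web /64", "dst": "2a02:a45a:9668:1::c3c3/64", "port": 443},
    {"descr": "web link-local", "dst": "fe80::21a:8cff:fe6c:1a56", "port": 443},
    {"descr": "web host", "dst": "2a02:a45a:9668:1::c3c3", "port": 443},
]


def audit_rules(rules):
    """Map each rule description to its findings; an empty list means clean."""
    return {r["descr"]: audit_destination(r["dst"]) for r in rules}


if __name__ == "__main__":
    for descr, findings in audit_rules(SAMPLE_RULES).items():
        print(descr, "->", findings or "ok")
```
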

Oh stupid me :-) It works now! Thank you very much!