IPv6 with a static, routed /64 connecting to back-end servers behind the firewall

Started by gmwnet, January 08, 2026, 04:45:51 PM

Greetings-

I have an OPNsense box protecting three main servers - 2 back-end web servers and an nginx/Varnish proxy server that answers public queries on ports 80/443. In IPv4 this works great and as you would expect - I use private IP address space for the servers, the OPNsense box port forwards 80/443 to the proxy and then that proxy server sends the requests to each web server per some VCL rules I have set up. Works just as you expect, using the public IPv4 of the firewall. I have a VPN back to headquarters and we access the servers for management over that using the private IPv4 addresses. Easy, breezy.

Now - IPv6.  We only receive one /64 statically routed subnet from our ISP.  No DHCPv6 or PD on the WAN available. I contacted them for a possible /56 but the answer was no. I have configured the WAN interface with the ::1 of that routed /64 subnet we were assigned, allowed ICMP in firewall rules - and I can ping the firewall via IPv6 ::1 address.  Great.

Now, how to get port 80 & 443 traffic to the proxy server behind OPNsense on IPv6? Seems like with only a static /64, this might be a job for NPT and ULA addresses. I know ULAs are deprecated, but I'm trying to rack my brain on how to get some IPv6 connectivity to the proxy server, so that it can serve public requests via IPv6.

I've searched and found several guides on this forum, and my apologies for any duplicate questions, but none of the guidance I have found seems to work exactly.  Does anyone have any insights on this type of setup?

Many thanks,
Garrett

You could most likely use this tool, but only if the ISP sends Router Advertisements. If everything is static, no chance other than NAT66 or NPT6 with ULAs (and ULAs are not deprecated).

https://docs.opnsense.org/manual/ndp-proxy-go.html

Another plan could be using a reverse proxy or load balancer like Caddy or HAProxy that receives IPv6 on the WAN, and proxies IPv4 to the server.
Hardware:
DEC740
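
A sketch of the reverse-proxy option suggested above, added here as an illustration and not taken from any poster's configuration. It is written as a raw HAProxy config (on OPNsense the same settings would be entered through the plugin GUI); the backend address 192.168.10.20, the firewall LAN address 192.168.10.1 and the ports 8080/8443 are assumed placeholders.

```haproxy
# Constructed example: IPv6 arrives on the firewall's WAN address and is
# relayed over IPv4 to the existing nginx/Varnish proxy.
# All addresses and the 8080/8443 ports are placeholders (assumptions).
global
    maxconn 2000

defaults
    mode tcp                  # layer-4 relay: TLS still terminates on nginx
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend v6_http
    bind :::80 v6only         # IPv6 only; IPv4 keeps using the port forward
    default_backend proxy_http

frontend v6_https
    bind :::443 v6only
    default_backend proxy_https

backend proxy_http
    # send-proxy-v2 prepends a PROXY protocol header, so nginx sees the real
    # IPv6 client address instead of the firewall's LAN address.
    server proxy1 192.168.10.20:8080 send-proxy-v2 check

backend proxy_https
    server proxy1 192.168.10.20:8443 send-proxy-v2 check

# Matching nginx listeners on the proxy server. They use separate ports
# because a proxy_protocol listener fails connections that arrive without
# the header, which is what the plain IPv4 port forward delivers.
#   listen 8080 proxy_protocol;
#   listen 8443 ssl proxy_protocol;
#   set_real_ip_from 192.168.10.1;    # trust the header from the firewall only
#   real_ip_header   proxy_protocol;
```

The firewall still needs a WAN rule allowing inbound IPv6 TCP 80/443 to its own address. Limiting `set_real_ip_from` to the firewall keeps other hosts from supplying a forged client address to the logs or to address-based access rules.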

Thank you - appreciate it.  I will investigate those options for us.