
IPv6 Port Forwarding


joel0:
Can I do port forwarding with IPv6?  I know the standard answer is to use the firewall with a routed prefix of public IPs.  But that is not the solution to my situation.  I want to rewrite the port in addition to forwarding the traffic to the loopback address.  In other situations, I may want to port forward to a site-local address on the LAN.

More details about my specific use case: I'm trying to use the Acme plugin for a Let's Encrypt certificate.  The acme challenge requires the server to be on port 80 of the WAN interface.  My pfSense is behind my university's NAT, so I must use pfSense's public IPv6 address.  The Acme standalone web server can't bind to port 80 because the WebConfigurator is bound to that.  I would like to bind the Acme standalone server to port 81 and use port forwarding on the WAN IPv6 address port 80 to the loopback IPv6 address on port 81.

Napsterbater:

--- Quote from: joel0 on February 07, 2018, 12:26:06 pm ---Can I do port forwarding with IPv6?
--- End quote ---

Not unless you NAT, and pfSense does not support IPv6 NAT, just NPt.


--- Quote ---In other situations, I may want to port forward to a site-local address on the LAN.
--- End quote ---

Why? Assign a global address to that device/app, firewall off all but the needed port/s. NAT is bad. Try to break that IPv4 mindset.


--- Quote ---I'm trying to use the Acme plugin for a Let's Encrypt certificate
--- End quote ---

And you can't use a DNS challenge by chance?

joel0:

--- Quote from: Napsterbater on February 07, 2018, 03:31:38 pm ---Why? Assign a global address to that device/app, firewall off all but the needed port/s. NAT is bad. Try to break that IPv4 mindset.

--- End quote ---
You're preaching to the choir on that one.  NATv6 is bad in most situations.  One situation I'm forced into is that we have a handful of static IPv6 addresses for hosting services to the Internet.  We also will have a delegated prefix for outbound traffic, but I don't know if DHCPv6 (or SLAAC) gives us enough control to avoid setting static IPv6s on each machine to provide a service.  Our public IPv6 addresses will change frequently and should be managed by the firewall, not static IPs on each host.  If the university imposes an inbound firewall on our delegated prefix, port forwarding would be the only realistic option.


--- Quote ---And you can't use a DNS challenge by chance?

--- End quote ---
My DNS is with Namecheap for their email forwarding service.  The Acme plugin doesn't support Namecheap.

Napsterbater:

--- Quote ---
--- Quote ---And you can't use a DNS challenge by chance?

--- End quote ---
My DNS is with Namecheap for their email forwarding service.  The Acme plugin doesn't support Namecheap.

--- End quote ---

May I suggest delegating to/using Cloudflare for DNS hosting? It is free; even if you don't use their reverse proxy setup you can use their DNS hosting. Note Namecheap will still be your registrar of course (who is also my registrar), and it works with the Acme plugin.

joel0:

--- Quote from: Napsterbater on February 07, 2018, 04:14:14 pm ---May I suggest delegating to/using Cloudflare for DNS hosting? It is free; even if you don't use their reverse proxy setup you can use their DNS hosting. Note Namecheap will still be your registrar of course (who is also my registrar), and it works with the Acme plugin.

--- End quote ---

Namecheap only provides email forwarding if I use their DNS too (dumb restriction).  It may be possible to delegate a subdomain to a different DNS provider that works with the Acme plugin (I believe Cloudflare requires my full DNS be delegated to them), but with that much effort, it's just easier to use the HAProxy workaround.
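The "HAProxy workaround" the thread ends on is not spelled out above. The configuration below is an added example, not code from the thread, from pfSense, or from the ACME package: it shows the shape of that workaround as a raw haproxy.cfg fragment. It assumes the ACME standalone server is bound to [::1]:81 (the port joel0 proposed), that the WebConfigurator has been moved off port 80 so HAProxy can bind there, and that 2001:db8::1 stands in for the pfSense WAN IPv6 address (a documentation-prefix placeholder). The frontend, backend and ACL names are made up for the example.

```haproxy
# Added example (not from the thread or the pfSense/ACME projects).
# HAProxy answers on the WAN IPv6 address, port 80, and hands only
# ACME HTTP-01 challenge requests to the ACME package's standalone
# server, assumed here to listen on [::1]:81.
global
    log /dev/log local0
    maxconn 256

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend acme_http
    # 2001:db8::1 is a placeholder for the real WAN IPv6 address
    bind [2001:db8::1]:80 v6only
    # Only the ACME challenge path is allowed through; anything else
    # arriving on port 80 is refused so this listener does not become
    # a general-purpose entry point to the loopback service.
    acl is_acme path_beg /.well-known/acme-challenge/
    http-request deny unless is_acme
    use_backend acme_standalone if is_acme

backend acme_standalone
    # ACME standalone HTTP server on the firewall's loopback, port 81
    server acme [::1]:81
```

The `http-request deny unless is_acme` line is the part worth keeping when adapting this: without it, every request reaching port 80 on the WAN address would be proxied to whatever listens on [::1]:81. Because the listener is only needed while a certificate is being issued or renewed, a matching WAN firewall rule that allows TCP/80 inbound on the IPv6 address still has to exist, and the `option httplog` output gives a record of which challenge paths were actually fetched.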
