How to set up IPv6 Dual Stack for Init7 and Server publishing via IPv6

Hi Everyone

I have a home Environment running a few Servers (Git Hosting, Website, Blog) behind my Turris Omnia Router. The Provider is the fantastic Init7 and I have a delegated /48 Prefix for use.

I would like to set up IPv6 in addition to IPv4 and make my services available through that as well. Previous attempts have resulted in all IPv6 traffic that did not find an endpoint being routed to the Turris Omnia Webinterface, even from external IPs. I am an absolute newcomer when it comes to IPv6, so any details you can add make things easier to read.

I have the following Questions:

  1. How can I publish servers via my delegated Prefix to the WAN so that they can be reached directly and not via IPv4 NAT?
  2. How can I prevent requests from WAN via IPv6 from ending up on the Webinterface?
  3. How can I force Devices to try again with IPv4 if they do not find an IPv6 Endpoint? For example, pkg.openindiana.org (not hosted by me) is only reachable via IPv4. If I try to download software from there with a server that has an IPv6 Address defined, I end up being routed to the Turris Omnia Webinterface instead of where I would like to go. The only way to reach pkg.openindiana.org from behind the Turris Omnia is to have IPv6 disabled.

Thanks for any pointers

Greetings
Till

I am going to assume you have one IPv4 address and a /48 IPv6 subnet.

  1. You will need to set the firewall to allow IPv6 traffic to your servers and they’ll go directly there assuming your DNS is set correctly:
    server1.myhost.com <IPv6 address>
    server2.myhost.com <IPv6 address>
    etc.
    This will be more difficult with IPv4 (assuming you only have one address) but can be done with either a reverse proxy web server (assuming only web traffic) or using a traefik server if it’s other ports or services.
    In this case all your domain names will point to the same IP.
    You can also have your domain names each have an A record and an AAAA record.
  2. If you’re talking specifically about the Omnia Webinterface, I believe by default it will only take connections from LAN subnets.
  3. If you have a server that only has an IPv6 address and you’re trying to get to an IPv4 only host, you’ll need a NAT64 gateway running somewhere.

I’m leaving out a lot of detail here and probably have some of this wrong or not the best solution, but this is how I would start.

Yes, I have one IPv4 address and a /48 IPv6 subnet.

  1. The Problem is that I land on the Webinterface of my Turris instead of on the server. How do I configure the Firewall to pass me through to my server?
  2. No, it is dual stack.

Do the servers have a GUA or only a ULA? If the servers (TO clients) have a GUA, it should be different from the TO’s own GUA (where you are ending up):

  • different prefix unless a /48 for the GUA is delegated by the TO to the clients
  • different GUA suffix (IID)

If the TO clients got a GUA, it requires their firewall ports to be open for the service they are providing, and it should not require port forwarding on the TO. And if you are running multiple services on the same domain/IP TCP port, e.g. 80 or 443, you probably require a reverse proxy server to filter incoming traffic.

If the TO clients got only a ULA, it would require port forwarding on the TO. However, that feature is currently not implemented in OpenWrt’s UCI | LuCI [1]. A workaround is described here [2].
(re)Foris is not meant to provide such functionality, being designed for less simplistic usage than LuCI.


[1] https://github.com/openwrt/luci/issues/925
[2] https://forum.openwrt.org/t/firewall-ipv6-port-redirect-not-implemented/50911/4
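
The GUA/ULA cases from the reply above, as an added example that is not part of any post in this thread: a small check that classifies each server address and compares it with the router's own address. The delegated prefix, router address, server names and addresses are constructed placeholders using the 2001:db8::/32 documentation prefix.

```python
import ipaddress

GUA = ipaddress.ip_network("2000::/3")          # global unicast
ULA = ipaddress.ip_network("fc00::/7")          # unique local
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Constructed sample values (documentation prefix), not from the thread.
DELEGATED = "2001:db8:1234::/48"
ROUTER = "2001:db8:1234:1::1"
SERVERS = {
    "git": "2001:db8:1234:1::10",
    "blog": "fd12:3456:789a:1::20",
    "web": "2001:db8:1234:1::1",
    "old": "2001:db8:ffff:1::30",
}


def classify(addr):
    """Return 'link-local', 'ULA', 'GUA' or 'other' for an IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in (("link-local", LINK_LOCAL), ("ULA", ULA), ("GUA", GUA)):
        if ip in net:
            return name
    return "other"


def diagnose(delegated, router, server):
    """Verdict for one server address, following the cases in the reply."""
    net = ipaddress.ip_network(delegated)
    r, s = ipaddress.IPv6Address(router), ipaddress.IPv6Address(server)
    kind = classify(server)
    if kind == "ULA":
        return "ULA only: needs port forwarding on the router"
    if kind != "GUA":
        return kind + ": not usable for publishing a service"
    if s not in net:
        return "GUA outside the delegated prefix"
    if s == r:
        return "same address as the router: connections end on the router"
    # Upper 64 bits are the subnet prefix, lower 64 bits the interface ID (IID).
    same_subnet = int(s) >> 64 == int(r) >> 64
    where = "same /64, different IID" if same_subnet else "different /64"
    return "GUA (" + where + "): open the service port, no port forwarding"


def report():
    return {n: diagnose(DELEGATED, ROUTER, a) for n, a in SERVERS.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(name, "->", verdict)
```

A DNS AAAA record that points at an address flagged "same address as the router" is one way to end up on the router instead of the server.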

Thanks for all the answers. I managed to get my services published via IPv6. However, I have enabled DHCPv6 and it started working this time…

I have one client OS (illumos/OpenSolaris) which seems to get redirected to my reverse proxy whenever trying to access an IPv4-only site. Linux falls back to IPv4 but not illumos.

Doing a traceroute I get:

traceroute pkg.openindiana.org
traceroute: Warning: pkg.openindiana.org has multiple addresses; using $REVERSE_PROXY_ADDRESS
traceroute: Warning: Multiple interfaces found; using $REVERSE_PROXY_ADDRESS @ web0:1
traceroute to pkg.openindiana.org ($REVERSE_PROXY_ADDRESS), 30 hops max, 60 byte packets
 1  $REVERSE_PROXY_ADDRESS  0.085 ms  0.060 ms  0.025 ms

Why would I get the reverse proxy’s own address back if I want to contact a system on the Internet?