How to port-forward IPv6 in m0n0wall?

How do I port-forward IPv6 packets in m0n0wall?

For example, I want to forward traffic arriving on port 443 of my router to another IPv6 address:

  • Interface: WAN
  • Protocol: TCP
  • External port range: 443
  • Destination address: 2607:f8b0:4009:801::1053
  • Destination port range: 443
  • Description: https goes to secure server

Or for other kinds of services:

  • Interface: WAN
  • Protocol: TCP+UDP
  • External port range: 3784
  • Destination address: 2607:f8b0:4009:801::1058
  • Destination port range: 3784
  • Description: Ventrilo

IPv6 removes the need for NAT; but how do I port-forward?


Bonus Question

How do I port-forward IPv4 in m0n0wall?

For example, I want to forward traffic arriving on port 443 of my router to another IPv4 address:

  • Interface: WAN
  • Protocol: TCP
  • External port range: 443
  • Destination address: 74.125.225.53
  • Destination port range: 443
  • Description: https goes to secure server

Or for other kinds of services:

  • Interface: WAN
  • Protocol: TCP+UDP
  • External port range: 3784
  • Destination address: 74.125.225.58
  • Destination port range: 3784
  • Description: Ventrilo

I know how to NAT to a private internal address, but my servers are not behind a NAT proxy - they are directly connected to the internet, each with a publicly routable IPv4 address, e.g.

74.125.225.53

I want people to only have to know one address, e.g.:

superuser.com -> 64.34.119.12

but have my m0n0wall router forward the packets to the appropriate machine.

Extraneous bonus chatter

I have a web server that is directly connected to the internet using IPv6, listening on port 80.

In the olden days I would give people one address:

superuser.com

and that address resolves to a router, which forwards packets to the appropriate machine.

But with the advent of IPv6, and the removal of NAT, it is no longer possible to give people one address name, e.g.:

  • http://superuser.com
  • irc://superuser.com
  • ftp://superuser.com
  • news://superuser.com
  • https://superuser.com
  • ventrilo://superuser.com
  • torrent://superuser.com

doesn't work. That's because superuser.com resolves to the same IPv6 address, e.g.:

2607:f8b0:4009:801::100e

And the other servers are on other addresses:

http      -> 2607:f8b0:4009:801::1031
irc       -> 2607:f8b0:4009:801::1041
ftp       -> 2607:f8b0:4009:801::1059
news      -> 2607:f8b0:4009:801::1026
https     -> 2607:f8b0:4009:801::1053
ventrilo  -> 2607:f8b0:4009:801::1058
torrent   -> 2607:f8b0:4009:801::1097

So a user is now forced to memorize other address names, e.g.:

www.superuser.com
wwws.superuser.com
ventrilo.superuser.com
torrent.superuser.com
irc.superuser.com
news.superuser.com

rather than the single:

superuser.com

for everything.

I like only having to know one name. I want that back again. How do I get it back again? How do I port-forward in IPv6?


Update 2:

Another issue is when multiple host names are supposed to be the same server

http://www.superuser.com:80
http://m.superuser.com:80
http://mobile.superuser.com:80
http://english.superuser.com:80
http://spanish.superuser.com:80
http://latin.superuser.com:80
...

What I really want is just:

*.superuser.com

to resolve to the same address, and :80 is forwarded to the server.


Solution 1:

I think what you are looking for could be a load balancer. But I don't think m0n0wall has one.

Solution 2:

First part

There is no NAT in IPv6 (or at least there shouldn't be). So you will not be forwarding ports. You have a few options to do the equivalent of the port translation you are used to in IPv4:

  1. Use an identical port on the destination machine (which it looks like you are doing) so you don't need the port translated. You will only need to create a firewall rule to allow access to that port. No translation of address is needed either.
  2. Use a port proxy to translate TCP or UDP ports and addresses. Static NAT essentially.

Bonus part 1

Exact same situation here in IPv4 without NAT as in the above response regarding IPv6 without NAT.

Bonus Part 2

I do not recommend routing based on port. Routing based on port number is against the paradigms of networking. Routing should be based on address. And that address may be based on DNS. There are extensions to DNS to specify services and ports known as SRV records but they do not exist for all servers (like HTTP or SSH).

If you must route on port, then again, you can use port proxies to redirect certain TCP or UDP services to other machines.

Bottom Line:

Do not route based on port; route based on address. Sorry but that means you need separate DNS entries for each service.
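The "port proxy" that Solution 2 offers as the IPv6 equivalent of a port forward, written out as an added example (this is not code from the answer, from m0n0wall, or from any m0n0wall feature; m0n0wall would have to be replaced or supplemented by a host running something like it). It listens on the router's public address on each forwarded port, looks the port up in a table, opens a separate TCP connection to the server that really provides the service, and copies bytes in both directions. The table reuses the placeholder addresses from the question; the `demo()` function spins up a throwaway echo server and the proxy on the IPv4 loopback so the code can be exercised offline, since a verifier has no IPv6 servers to reach.

```python
import asyncio

# Constructed forwarding table: port the client connects to on the router's
# public address -> (address, port) of the server that actually answers.
# The addresses are the placeholders from the question, not real servers.
FORWARDS = {
    443:  ("2607:f8b0:4009:801::1053", 443),   # https goes to secure server
    3784: ("2607:f8b0:4009:801::1058", 3784),  # Ventrilo (TCP side only)
}


def lookup_target(listen_port, table=FORWARDS):
    """Return the (host, port) a listening port forwards to, or None."""
    return table.get(listen_port)


async def _pump(reader, writer):
    """Copy bytes reader -> writer until EOF, then half-close the writer."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    except (OSError, asyncio.CancelledError):
        pass
    finally:
        if writer.can_write_eof():
            try:
                writer.write_eof()
            except OSError:
                pass


async def handle_client(client_reader, client_writer, table=FORWARDS):
    """Accept one client, connect to the mapped backend, relay both ways."""
    # sockname is the *local* address the client hit, so [1] is the
    # listening port (works for both the 2-tuple IPv4 and 4-tuple IPv6 forms).
    listen_port = client_writer.get_extra_info("sockname")[1]
    target = lookup_target(listen_port, table)
    if target is None:
        client_writer.close()
        return
    host, port = target
    try:
        server_reader, server_writer = await asyncio.open_connection(host, port)
    except OSError:
        client_writer.close()          # backend unreachable: drop the client
        return
    await asyncio.gather(
        _pump(client_reader, server_writer),
        _pump(server_reader, client_writer),
    )
    for w in (client_writer, server_writer):
        w.close()
        try:
            await w.wait_closed()
        except OSError:
            pass


async def serve(table=FORWARDS, bind="::"):
    """Real use: listen on every forwarded port on the router's address."""
    servers = [
        await asyncio.start_server(
            lambda r, w: handle_client(r, w, table), bind, port)
        for port in table
    ]
    await asyncio.gather(*(s.serve_forever() for s in servers))


async def _echo(reader, writer):
    """Stand-in backend for the demo: echoes everything until EOF."""
    data = await reader.read()
    writer.write(data)
    await writer.drain()
    writer.close()


async def _roundtrip(payload):
    # Constructed test rig on 127.0.0.1: echo backend + proxy, ports chosen
    # by the OS. The table is filled in after the proxy port is known.
    echo_srv = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_port = echo_srv.sockets[0].getsockname()[1]
    table = {}
    proxy_srv = await asyncio.start_server(
        lambda r, w: handle_client(r, w, table), "127.0.0.1", 0)
    proxy_port = proxy_srv.sockets[0].getsockname()[1]
    table[proxy_port] = ("127.0.0.1", echo_port)
    reader, writer = await asyncio.open_connection("127.0.0.1", proxy_port)
    writer.write(payload)
    await writer.drain()
    writer.write_eof()
    reply = await reader.read()
    writer.close()
    await writer.wait_closed()
    for srv in (proxy_srv, echo_srv):
        srv.close()
        await srv.wait_closed()
    return reply


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through the proxy to the echo backend; return the reply."""
    return asyncio.run(_roundtrip(payload))


if __name__ == "__main__":
    print(demo())            # offline demonstration
    # asyncio.run(serve())   # real deployment on the router's address
```

Two caveats a practitioner should weigh before using this in place of a real forward: the backend sees every connection as coming from the proxy host, not from the client, so backend logs and per-client rate limits lose the real source address (a NAT port forward preserves it); and this is TCP only, so the UDP half of a service like Ventrilo still needs a UDP relay or, as the answer recommends, its own DNS name pointing at the right address.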