How to proxy all traffic received on an ipv6 interface to a specific external ipv4 only server

We use cloud-based PBX servers which are ipv4 only but have clients on ipv6 networks. Outgoing calls work but the PBX is unable to find the connected clients for incoming calls. We managed to get VPN connected but this doesn't work either. I recently brought a phone home for testing and my home internet is ipv6-based, though I can of course reach ipv4 addresses. It might be possible to set up an intermediate FreeBSD gateway with ipfw that would take all connections on ipv6 and forward them to the PBX ipv4 address, and traffic from the ipv4 PBX forwarded back to the ipv6 client(s).

I set up a FreeBSD server on Azure (ping times are good but probably not the best choice since connections are NATted, but I won't digress). I was looking at the ipfw nat64 and the page at https://bsdrp.net/documentation/examples/nat64#nat64 ... and I am frankly kind of lost. Maybe I'm going about this all the wrong way, and I'm also wondering if this might require the PBX to set the nat64 proxy ipv4 address as the default gateway?

So far I got the proxy set up with 2 vNICs, each with an ipv4 and ipv6 address. For the second NIC I managed to set a static route to 2 other FreeBSD servers and this did allow ping, though ssh worked sometimes, sometimes not, from the other servers. Then I tried out routing with fib in rc.conf...

# main
ifconfig_hn0="SYNCDHCP"
ifconfig_hn0_ipv6="inet6 fddd:dddd:dddd:1::6 prefixlen 64"
ipv6_defaultrouter="fddd:dddd:dddd:1::6"

# proxy
ifconfig_hn1="inet 192.168.90.90 netmask 255.255.255.0 fib 1"
static_routes="r1 r2"
route_r1="-inet 192.168.90.0/24 192.168.90.1 -fib 1"
route_r2="-inet default 192.168.90.1 -fib 1"
ifconfig_hn1_ipv6="inet6 fddd:aaaa:aaaa:1::90 prefixlen 64 fib 1"
ipv6_static_routes="v1 v2"
ipv6_route_v1="fddd:aaaa:aaaa:1:: -prefixlen 64 fddd:aaaa:aaaa:1::90 -fib 1"
ipv6_route_v2=":: fddd:aaaa:aaaa:1::90 -fib 1"

I could ping all 4 addresses, but only ssh to the main NIC. I checked with ipfw log and clearly the ssh request comes in by hn1 and then tries to go out hn0. Getting this to work isn't that important so move on.

For testing I'd like to be able to send a curl request to the second NIC interface and get a web page from an IP address set up in ipfw.rules. I have used nat before to forward connections to an internal VM but I am stumped. Anyone have an idea where to start? The bsdrp page doesn't seem that complete. I have used simple tables before for a list of addresses to firewall. I noticed bsdrp is using key value pairs.

Thanks in advance
 
Well I found a nifty utility, socat, which allows you to forward incoming connections from a port to another IP and port. Worked flawlessly for doing a web connection in the office from one server to the proxy to a second server, got a nice little curl output of the webpage. Got home and started programming the POS Grandstream (not Point Of Sale) and finally after 45 minutes was able to access the admin webpage with an ipv6 address. Then I configured socat on my FreeBSD proxy machine using the main4 and main6 ethernet interfaces to forward udp 5160 ipv6 to the FreePBX udp ipv4 and any udp ipv4 5160 to the phone udp 5160 ipv6 (5160 on this pbx for pjsip). Now I know sip may be doing more than just a connection but I am thinking it should have registered and it didn't; in fact I was not even able to ping the phone's ipv6 from the proxy ipv6, which means T-Mobile Home Internet is blocking incoming connections (errr I knew that already, doh). So the way I get around that is to use openvpn and connect out to one of my FreeBSD servers, do the same from the office, and route traffic between them with a hub and spoke model. We have tried connecting phones directly to the FreePBX servers via openvpn and that doesn't work either. So now I am wondering if I connect the phone to my own server via openvpn with the ipv4 tunnel either inside ipv4 or ipv6 .. maybe ... it's all a shot in the dark.

Damn fascist network providers! Ha! But I like the speed; what do I give up for speed and low price? Convenience, data sovereignty, the ability to configure my own router? Maybe just impossible? A little frustrated ....

I guess this is getting farther afield from just a FreeBSD thing, but hey, if I manage to get it working with openvpn on FreeBSD, I'll update.
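As an added illustration (not the socat setup from the post above, and not code from the FreeBSD or socat projects), the following Python relay does for UDP what a transport-level IPv6-to-IPv4 port forward does, with a constructed echo backend standing in for the IPv4-only PBX. The names UdpRelay, bind_udp, run_echo_backend and run_loopback_demo are mine, and the ports and the "REGISTER phone-a" payloads are constructed sample input. It makes visible the limit the SIP test ran into: the backend only ever sees the relay's own IPv4 address as the datagram source. That is harmless for HTTP, but SIP carries the phone's address inside the messages (Via and Contact headers, and the SDP media lines), so a PBX handed an IPv6 address it cannot reach has nowhere to send calls or RTP, whatever the transport relay does. A relay like this is also an open forwarder, so bind it only on the address that needs it and restrict the listening port in the host firewall.

```python
import selectors
import socket
import threading


def run_echo_backend(sock, stop):
    """Constructed stand-in for the IPv4-only PBX: echoes each datagram back,
    prefixed with the source address it observed, so the demo can show what
    the backend actually sees."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            continue
        sock.sendto(f"from={peer[0]} ".encode() + data, peer)
    sock.close()


def bind_udp(host, port):
    """Bind a UDP socket on host:port, choosing AF_INET6 for IPv6 literals."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


class UdpRelay:
    """Forward datagrams from a listener (IPv6 in the intended use) to an
    IPv4 backend.  Each client gets its own backend-facing socket so replies
    can be matched back to the right client, which a single socat UDP pair
    cannot do for more than one peer.  The backend still only ever sees the
    relay's IPv4 address as the source."""

    def __init__(self, listen_host, listen_port, backend_addr):
        self.backend_addr = backend_addr
        self.listener = bind_udp(listen_host, listen_port)
        self.sel = selectors.DefaultSelector()
        self.sel.register(self.listener, selectors.EVENT_READ, None)
        self.clients = {}  # client address tuple -> AF_INET socket to backend

    def serve(self, stop):
        while not stop.is_set():
            for key, _ in self.sel.select(timeout=0.2):
                if key.fileobj is self.listener:
                    data, client = self.listener.recvfrom(65535)
                    out = self.clients.get(client)
                    if out is None:
                        # New client: open a dedicated IPv4 socket towards the
                        # backend; the backend sees this socket's address, not
                        # the client's IPv6 address.
                        out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                        out.connect(self.backend_addr)
                        self.clients[client] = out
                        self.sel.register(out, selectors.EVENT_READ, client)
                    out.send(data)
                else:
                    # Reply from the backend: key.data is the client it belongs to.
                    data = key.fileobj.recv(65535)
                    self.listener.sendto(data, key.data)
        for out in self.clients.values():
            out.close()
        self.listener.close()


def run_loopback_demo():
    """Two constructed clients register through the relay; returns the replies,
    each showing that the backend saw the relay's 127.0.0.1, not the client."""
    stop = threading.Event()
    backend = bind_udp("127.0.0.1", 0)
    backend_addr = backend.getsockname()
    threading.Thread(target=run_echo_backend, args=(backend, stop), daemon=True).start()

    # Listen on the IPv6 loopback; fall back to IPv4 loopback on hosts with
    # IPv6 disabled so the relay logic is still exercised.
    try:
        relay = UdpRelay("::1", 0, backend_addr)
    except OSError:
        relay = UdpRelay("127.0.0.1", 0, backend_addr)
    listen_addr = relay.listener.getsockname()
    threading.Thread(target=relay.serve, args=(stop,), daemon=True).start()

    clients = []
    for msg in (b"REGISTER phone-a", b"REGISTER phone-b"):
        c = socket.socket(relay.listener.family, socket.SOCK_DGRAM)
        c.settimeout(2)
        c.sendto(msg, listen_addr)
        clients.append(c)
    replies = []
    for c in clients:
        replies.append(c.recv(65535))
        c.close()
    stop.set()
    return replies


if __name__ == "__main__":
    for reply in run_loopback_demo():
        print(reply.decode())
```

Running the file prints one line per client; both carry the relay's loopback address as the source, which is exactly the information a SIP registrar would record in place of the phone's real address.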
 
ipv6 is the biggest mistake in the history of networking. All we needed was 2 more bytes in the address. What a disaster
 
ipv6 is the biggest mistake in the history of networking. All we needed was 2 more bytes in the address. What a disaster
At the risk of going offtopic... I kinda disagree. Yes, it can be a hassle, but just because some solutions sound easy enough doesn't automagically make them feasible. I can come up with a ton of issues with merely expanding the current IPv4 stack ("you accidentally added a dot behind your IP address, so now you changed it into IPv4_2.0 sir, that's why your firewall didn't pick up the incoming attack").
 
At the risk of going offtopic... I kinda disagree. Yes, it can be a hassle, but just because some solutions sound easy enough doesn't automagically make them feasible. I can come up with a ton of issues with merely expanding the current IPv4 stack ("you accidentally added a dot behind your IP address, so now you changed it into IPv4_2.0 sir, that's why your firewall didn't pick up the incoming attack").

So you’re trying to make the case that coming up with something completely different; something completely incompatible, something that tens of thousands of people who barely understand subnets have to learn; something that uses addresses impossible to remember and that you’d likely make a mistake writing down; is better than adding a country code and region byte? That’s what the phone companies did. No need to reinvent the wheel, particularly when the “new” wheel sucks rocks.
 
Not secure way: get ip6 address from tunnel broker.
More secure way: VPS with ip6 -- [ wireguard with split GUA or ULA ] -- server.

is better than adding a country code and region byte? That’s what the phone companies did.
IPv6 is... exactly like the postal system. "big region code" + "internal region code" + "your post code" and underlying post roads, like in life, from point to point (link-local).
 
If it's web (HTTP) traffic or plain TCP, use a reverse proxy like net/haproxy, you can set up an incoming on IPv6 and use IPv4 for the backends.
 
IPv6 is... exactly like the postal system. "big region code" + "internal region code" + "your post code" and underlying post roads, like in life, from point to point (link-local).

Yeah, if the world had 5 post offices. Totally useless in practice. IPV6 exists because Cisco saw it as a way to maintain their market lead for decades, and in the 1990s Cisco was the internet.
 
Well I guess the creators of IPV6 wanted enough addresses so that ai robots can expand and fill the universe each with their own ipv6 address, after killing off their creators for being inefficient *grin*. My take on the issue is that I'm not going to grumble about something I have no power to change, ipv6 is here so I have to use it.

SirDice

I may check that out; standard SIP uses UDP, though I know my boss has configured one on-site PBX server with a TCP SIP channel as well, not sure the reason. My current research turned up siproxd and kamailio, and from what I read sip proxies can get around the double NAT issue (with double NAT sip connects but voice only in one direction). I had similar problems with StarLink customers, so finding a workaround would be a feather in my cap. I'll play with the sip proxy server on Debian and FreeBSD and see where it leads. Apparently siproxd isn't a standard package on stable FreeBSD or Debian. I am not sure how it would help though, since the kamailio server would be behind my TMobile router as well, but the hype says it will solve the problem so worth a shot.

I have also been wondering if the openvpn implementation on the phones and/or PBX is just for sharks. As I mentioned the old Grandstream took me 45 minutes to get it to do ipv6. Then randomly stops accepting admin login (just won't submit) from firefox, reboot try again, switch to chromium, chrome, brave, tor sometimes works when this happens. Admittedly the boss did give me the phone for free and it isn't new, but I've never been impressed with voip telco gui interfaces in general. As I said phone implementation of openvpn does connect but doesn't solve double nat, which doesn't make sense it is after all in a tunnel. If I setup a tunnel between my home machine and a server, with a "real" openvpn connection and route the phone through it, it might work. Seems like with double nat the SIP connects but RTP voice side of the connection isn't routed through the tunnel?

Well I'm rambling, I'll just start with getting a sip proxy to work from the office, if I get it to connect, take it home and try it.

My issue with phones is not solved, but according to my topic the solution is to use socat to make an ipv6 to ipv4 converting proxy, at least for http requests.
 
Well I guess the creators of IPV6 wanted enough addresses so that ai robots can expand and fill the universe each with their own ipv6 address, after killing off their creators for being inefficient *grin*. My take on the issue is that I'm not going to grumble about something I have no power to change, ipv6 is here so I have to use it.

Ah, but millions of people grumbling is how change is realized. Millions of people grumbling is how we’ve avoided a complete cutover for many years.

I block ipv6 on my networks. It just creates a lot of unnecessary traffic.
 
Barney

You have converted me, I agree! Elect me as a world dictator and I'll change it. I kind of like the use of hex in the visible address as it makes the end use address shorter than decimal but 128 bits is totally overkill, we don't need half of that, let's change it to 64 bits which will be a lot more readable, usable, and provide more than enough for a very long time.

aaaa:bbbb:cccc:dddd very readable and what is that 36,893,488,147,400,000,000 addresses roughly? I had to look it up but it is 36 quintillion or something?

Or maybe everyone can just agree to use the 3 for each organization/department and the last for internal subnetting and ignore everything in between. That way we won't have to change something that is halfway implemented anyway but just use it in an easier way. Make it a grass roots movement to push for an RFC rule, so we can say the middle part of IPV6 space is reserved for future use. Probably easier than electing me as world dictator.

So this would look like aaaa:bbbb:cccc::1 is my router and aaaa:bbbb:cccc::2-ffff for local endpoints, that would be 65535 for my local addresses and still 281,474,976,711,000 or 281 trillion organizations. You still might need some convention for automatic assignments based on mac address but I'm not sure why that is necessary, I like arp tables. One annoying thing I found with ipv6 is it seems to be pretty hard to find ipv6 addresses of devices on your network, they're not in the arp table and too many addresses to scan. I did try ndp and couldn't find the IPv6 of the phone from my Debian box, I would guess it'd be in the router though again I can't access anything on my TMobile router, another POS.
 