1

What am I trying to do?

  • Make my services, which are running on a Linux server, reachable over the internet;
  • My Linux server is connected to the internet through two 'consecutive' routers;
  • The problem is that the router connecting me to the internet only offers the possibility to do port forwarding over IPv6.

Below you'll find all the details of the hardware and network setup

Network Setup

Devices

Router 1 (R1)

  • R1 is connected to the ISP via fiber optics.
  • R1 is one of those "boxes" given by the ISP.
  • R1 has a DHCP service running and gives local addresses in IPv4 and IPv6 based on the MAC address of the chosen device.

R1 is NOT able to perform port forwarding with IPv4, it can ONLY do it with IPv6.

Locally, the IP address of R1 is 192.168.1.1

Router 2 (R2)

  • R2 is an 'old' Netgear WNDR3700v5. But it does the job so far: Gigabit Ethernet, 300Mbps Wifi -> it's WAY enough for what I need!
  • R2 is connected via its WAN port (ethernet cable) to R1 for the internet -> this works perfectly -> internet is reachable.
  • R2 gets TWO IP addresses from R1 (WAN): 192.168.1.42 and 2A02:842A:CCC0:A601:F2F8:CCB7:878B:4242/64 in IPv6. BOTH of those addresses are fixed manually in the DHCP service running on R1.
  • R2 on its own LAN operates on the network 192.168.42.0 / 255.255.255.0
  • R2 is able to act as a DHCP server for IPv4
  • R2 is NOT able to act as a DHCP server for IPv6 -> so R2 has an IPv6 on its WAN interface BUT R2 cannot be used as an IPv6 LAN router for its own LAN.

Router 3 (R3)

  • R3 is connected to R1 via Power-line communication (PLC)
  • R3 is a small wifi router that I can use as an alternative WiFi Network

Linux server (PC1)

Runs the services:

  • Openwebui/Ollama on port 3000
  • Emby on port 8096
  • Is connected via Ethernet cable to R2

Windows desktop computer (PC2)

  • This computer runs Windows
  • It is connected to R2 via ethernet cable

Mobile Phone (PC3)

  • I use it only to test stuff
  • I can easily connect it to R2 or R3, depending on which WiFi I choose to connect to.

Network Map

  • PC1&PC2 <==LAN-IPV4-ONLY==> R2 <==LAN-IPV4 and IPV6==> R1 <==Fiber Optics==> internet
  • PC3 <====WiFi====> R3 <======== PLC ===========>R1

Network Address Map

  • R1.lan.ipv4: 192.168.1.1

  • R1.lan.ipv6: <I actually don't know this one Oo>

  • R2.wan.ipv4: 192.168.1.42

  • R2.wan.ipv6: 2A02:842A:CCC0:A601:F2F8:CCB7:878B:4242/64

  • R2.lan.ipv4: 192.168.42.1

  • PC1.lan.ipv4: 192.168.42.2

  • PC2.lan.ipv4: 192.168.42.3

Port Forwarding

  • On R1, I have opened for both TCP and UDP the ports 3000 to 4000 for R2.wan.ipv6. This is the KEY part right here -> I would LOVE to open those ports on R1 for R2.wan.ipv4, but it's simply not possible, there's literally NO user interface allowing me to do that :(

Software Setup

On PC1 is running the service Openwebui, on port 3000. This service is accessible from PC2.

What works

  • PC2 can access services on PC1 using PC1.lan.ipv4:3000

What doesn't work

  • PC3 when connected to R3 cannot access anything on PC1.lan.ipv4:3000
  • And more importantly, I haven't managed to reach my service located at PC1.lan.ipv4:3000 from the "outside" (Internet)
5
  • Check this out: Using Termux on Android for Self Hosting? Yes, really. Commented Sep 21 at 19:06
  • @guest271314 Thanks! I might consider this as a last resort solution, as this is not a 'normal' networking solution at all :') Commented Sep 21 at 19:26
  • TBH I haven't been able to follow everything you've got going on. These cell phones are computers and have all kinds of networking capabilities. Commented Sep 21 at 21:01
  • 1
    @guest271314 yeah alright, it's absolutely not about cellphones. It's 100% a PC/networking issue. The cellphone mentioned in this topic is only for test purposes Commented Sep 21 at 22:14
  • Yeah, I figured that. These cell phones are literally PCs. I haven't used Windows for anything in years. I'll peek back here to see how far you got. Commented Sep 21 at 22:24

2 Answers

2

The problem is that the router connecting me to the internet only offers the possibility to do port forwarding over IPv6. […] On R1, I have opened for both TCP and UDP the ports 3000 to 4000 for R2.wan.ipv6

This will not translate IPv6 packets to IPv4 packets. Your Netgear doesn't have that kind of NAT64 (I doubt any regular wifi router does).

The only way this is supposed to work is with IPv6 connectivity all the way to the server – i.e. have R2 obtain a LAN IPv6 prefix via DHCPv6-PD (assuming R1 can offer that), have PC1 obtain an IPv6 address, then configure R1 to allow connections directly to PC1's address (not R2's).

PC3 when connected to R3 cannot access anything on PC1.lan.ipv4:3000

R3 has no route towards R2's network 192.168.42.0/24, nor the other way around.

By default, R3 only knows about 1) the subnets it is directly connected to: 192.168.1.0/24 via its connection to R1, and the unspecified subnet managed by R3 itself (if it doesn't have one then it's not really a router), and 2) the default route via R1.

Meanwhile, R2's network is "distant" and not automatically known by 'sibling' routers. R3 needs to have a static route manually added to inform it that 192.168.42.0/24 is reachable via 192.168.1.42 (i.e. via R2's address which is already local to R3).

R2 by default assumes that it is connected to a "WAN" and might block direct inbound connections, so its firewall rules might need to be adjusted.

(Ideally, R2 should also have a return route to R3. It might work without, if R3 does NAT, which it probably does – by default it likely assumes that R1's network is "WAN" – although if possible, interior NAT should be avoided.)

If route configuration is not possible in R3, then the only other option for hosts in R3's network is to connect to R2's address (192.168.1.42) and rely on the "port forwarding" rules. (After all, from R2's perspective the connections are coming in from "WAN" anyway.)

And more importantly, I haven't managed to reach my service located at PC1.lan.ipv4:3000 from the "outside" (Internet)

Not going to happen. PC1's IPv4 address is not a public address; it is between two layers of NAT. The only public IPv4 address you have is the one assigned to R1, which as you said doesn't have any "port forwarding" features.

(Unless you missed them – 'port forwarding' is not universal terminology; some routers call the same feature "virtual server" or by the technical name "DNAT".)

If you're lucky and R1 supports offering DHCPv6 Prefix delegations to its LAN, then the Netgear should be able to get an IPv6 /64 from R1 through DHCPv6-PD (the same way as R1 got its own from the ISP), allowing PC1 to have IPv6 connectivity.

Otherwise you will likely need to a) replace R1 with something more capable, or b) check if R1 has any kind of "bridge" or "passthrough" mode allowing R2 to directly get the public IP address, or c) use third-party proxy services (ngrok/cloudflared/others).

1
  • Thank you so much for the answer, I'm gonna check everything on my side, and come back here to tell what worked :3 Commented Sep 22 at 23:34
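
The routing point in the answer above, as an added example that is not part of the original answer: a longest-prefix-match lookup over R3's routing table before and after the static route for 192.168.42.0/24. R3's own LAN subnet is not given on the page, so 192.168.3.0/24 is a placeholder assumption.

```python
import ipaddress

def route(prefix, hop):
    """Build one routing-table entry: (network, next hop)."""
    return (ipaddress.ip_network(prefix), hop)

def next_hop(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None  # no route at all, packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# R3's table as the answer describes its defaults.
R3_DEFAULT = [
    route("192.168.1.0/24", "direct"),   # link towards R1, from the page
    route("192.168.3.0/24", "direct"),   # R3's own LAN: assumed placeholder
    route("0.0.0.0/0", "192.168.1.1"),   # default route via R1
]

# Same table plus the static route the answer recommends.
R3_FIXED = R3_DEFAULT + [route("192.168.42.0/24", "192.168.1.42")]

PC1 = "192.168.42.2"      # PC1.lan.ipv4 from the question
R2_WAN = "192.168.1.42"   # R2.wan.ipv4 from the question

if __name__ == "__main__":
    for label, table in (("default", R3_DEFAULT), ("with static route", R3_FIXED)):
        print(f"R3 {label}: {PC1} -> {next_hop(table, PC1)}")
    # R2's WAN address is on-link for R3 either way, which is why the
    # "connect to 192.168.1.42 and rely on port forwarding" fallback works.
    print(f"R3 default: {R2_WAN} -> {next_hop(R3_DEFAULT, R2_WAN)}")
```

Without the static route the only match for PC1 is the default route, so R3 hands the packet to R1, which has no route to 192.168.42.0/24 either.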
1

Ok so the solution was:

  • connect directly, using a switch instead of router, (PC1, PC2, PC3) to R1
  • On R1: associate an IPv6 address to the MAC address of PC1 (because it's the one hosting the services that I want to make accessible)
  • Open the ports in R1's firewall to point at PC1
  • Done :3

And, to my surprise, it just works like that. What do I mean? Well, it's gonna sound crazy, but all the IPv6 addresses that R1 distributes locally seem to be also public IPs!

So, yes, you read me well, if I allocate the following addresses on my local network (using R1's DHCP for IPv6):

  • 2001:db8:abcd:1234::1
  • 2001:db8:abcd:1234::2
  • 2001:db8:abcd:1234::3
  • 2001:db8:abcd:1234::10
  • 2001:db8:abcd:1234::abcd

And let's say that I open the ports 3000 to 3004 for each of them. Then those addresses will be individually and directly accessible from the Internet.

And, yes, I tested accessing my services from outside my local network, from a remote server that I own: it works!

One question remains in my mind: is this a 'normal' or 'expected' or 'typical' behavior for an IPv6 network? Is it well-known "oh in IPv6 all local addresses are also public"? I'm guessing it's not normal and it's due to R1 configuration.

I want to thank @grawity ( https://superuser.com/users/1686/grawity ) whose answer led me to the right tests.


For context the box "R1" is provided by SFR (French ISP), their documentation is currently there https://assistance.sfr.fr/internet-tel-fixe/box-nb6/maitriser-fonctions-avancees-box-nb6-box-plus.html

Anyway, for any SFR user who might read this: if you have an NB6 box and you want to open a port, use DHCP to allocate an IPv6 address to your device and open the ports you need -> the IPv6 address you set locally is ALSO your public address that you can share with your friends!

3
  • It's kind of the entire point of IPv6's existence. The only reason your devices can't have public IPv4 addresses and have to settle for a single v4 on the router is that there isn't enough of them anymore (in fact many ISPs no longer have enough even to assign one per customer). Thus IPv6 was created with much longer addresses – long enough that the ISP can afford to issue you a whole chunk (prefix) of its address space, and indeed long enough that space is now measured in whole 'subnets' (of standard size) rather than individual IPs. Good ISPs provide a /56 which is 256 public subnets. Commented Sep 23 at 11:42
  • (Hence the previous comments about "port forwarding" (i.e. DNAT translation) not really being a thing in IPv6 anymore. The router still has a firewall with similar-looking rules, but it only filters packets as they are, rather than having to rewrite/redirect them to a different (private) address like in IPv4. Although this doesn't always work in practice when chaining multiple 'home' routers, as the "outer" router sometimes lacks support for handing out sub-delegations – it gets a /64 for itself and that's it, as seems to be the case with yours, even if the ISP is likely offering more.) Commented Sep 23 at 11:44
  • @grawity Thanks for the explanation. <3 Commented Sep 23 at 20:26
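
Since every LAN host gets a globally routable IPv6 address and R1's firewall only filters, a quick audit of what is actually exposed is worth having. The following is an added example, not part of the original posts: it classifies addresses by scope and lists which listening ports are reachable from the Internet under a set of firewall allow rules. The PC1 address and the 3000 to 3004 range are the answer's stand-in values; the PC2 port, the `fd00::10` host and the rule format are constructed assumptions.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

def scope(addr):
    """Classify an IPv6 address (optionally with /prefix) by routing scope."""
    ip = ipaddress.ip_interface(addr).ip
    if ip.is_link_local:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    # 2001:db8::/32 (documentation range used in the answer) falls in here
    # too, so the page's stand-in addresses behave like real ISP addresses.
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"

def exposed(hosts, rules):
    """Return sorted (host, port) pairs reachable from the Internet.

    hosts: {name: (address, [listening ports])}
    rules: [(address, first_port, last_port)] allowed inbound on the router
    """
    result = []
    for name, (addr, ports) in hosts.items():
        if scope(addr) != "global":
            continue  # not routable from outside, whatever the firewall says
        ip = ipaddress.ip_interface(addr).ip
        for port in ports:
            if any(ipaddress.ip_address(dst) == ip and lo <= port <= hi
                   for dst, lo, hi in rules):
                result.append((name, port))
    return sorted(result)

HOSTS = {
    "PC1": ("2001:db8:abcd:1234::1", [3000, 8096]),  # Openwebui, Emby (page)
    "PC2": ("2001:db8:abcd:1234::2", [445]),         # constructed sample
    "ula-host": ("fd00::10", [3000]),                # constructed sample
}
RULES = [("2001:db8:abcd:1234::1", 3000, 3004),      # range from the answer
         ("fd00::10", 3000, 3004)]                   # constructed sample

if __name__ == "__main__":
    for name, port in exposed(HOSTS, RULES):
        print(f"{name} port {port} is reachable from the Internet")
```

Only PC1 port 3000 comes back: Emby on 8096 falls outside the allowed range, PC2 has no rule, and the unique-local host is not routable from outside even with a rule.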
