Unable to reach ipv6 address from outside.

  • Thread starter sagaracharya
sagaracharya

Messages
9
Location
Mumbai
ISP
MTNL, BSNL, JIO.
I have read some posts here and they mention that firewall should be disabled. I have already done that and allowed all inbound requests in router's firewall settings.

I do have Jio home router with a plan of Rs.399 per month and I use Parabola GNU/Linux OS.

When I execute curl localhost:<portnumber>, I get the correct response, but
on curl [ipv6]:<portnumber>, even on the server itself, I get connection refused at port <portnumber>.

I did check that the address on inet6 is same as my public ip. I did try to ping it from outside the network but can't connect.

I have fiddled a lot with firewall setting and have also tried both nat and classical routing options under routing, much to my disappointment. It should probably mean only that JIO has blocked all ports.

Please help in case someone has solved this thing.
 
aztatine

Messages
4
Location
West Bengal
ISP
Jio Fiber, Vi
I run some servers on Jio fiber over IPv6 and they are accessible just fine from outside after adding an inbound IPv6 rule in the firewall.
If you get connection refused even from the same machine then chances are your server is only listening on IPv4 which is default for many programs. Post the output of
Code:
ss -6ltp
and
Code:
ss -4ltp
In routing option you should stick to NAT.
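
An added example, not part of the post above: a Python sketch that reproduces the symptom from the thread on loopback, where a listener bound only to IPv4 answers on 127.0.0.1 but refuses connections on ::1, next to dual-stack and IPv6-only listeners. The function names (probe, run_cases) are illustrative, and the ports are ephemeral ones chosen by the OS.

```python
import socket

def ipv6_loopback_available():
    """True if this host can bind a TCP socket to ::1."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False

def can_connect(family, addr, port):
    """True if a TCP connect succeeds; False on refusal or a missing stack."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(2)
            c.connect((addr, port))
        return True
    except OSError:
        return False

def probe(family, bind_addr, v6only=None):
    """Listen on bind_addr (ephemeral port), then try loopback over IPv4 and IPv6."""
    with socket.socket(family, socket.SOCK_STREAM) as srv:
        if v6only is not None:
            # IPV6_V6ONLY=0 lets one "::" socket accept IPv4 clients too.
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        srv.bind((bind_addr, 0))
        srv.listen(5)
        port = srv.getsockname()[1]
        return {"ipv4": can_connect(socket.AF_INET, "127.0.0.1", port),
                "ipv6": can_connect(socket.AF_INET6, "::1", port)}

def run_cases():
    """Probe the three common listener configurations."""
    results = {"ipv4_only 0.0.0.0": probe(socket.AF_INET, "0.0.0.0")}
    if ipv6_loopback_available():
        results["dual_stack ::"] = probe(socket.AF_INET6, "::", v6only=False)
        results["ipv6_only ::"] = probe(socket.AF_INET6, "::", v6only=True)
    return results

if __name__ == "__main__":
    for name, reach in run_cases().items():
        print(f"{name:20} ipv4={reach['ipv4']} ipv6={reach['ipv6']}")
```

The first case corresponds to an empty ss -6ltp listing. Once a service is bound to "::" on a host with a global IPv6 address, there is no NAT in front of it, so the router's inbound IPv6 rule is what decides who can reach that port.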
 
sagaracharya

Aah yes. You're correct. There's no output for
Code:
ss -6ltp
And the server processes for -4 can be seen. Thanks, I'll get back once I proceed further.
 
sagaracharya

I changed my server config for ipv6.

Now, I can access through curl from local jio network (other device). I tried to use
Code:
curl [ip6]:<port>
from other network (ipv4 based from jio mobile tethering). And I get the following error:
Code:
curl: (7) Couldn't connect to server

I guess that the ipv6 doesn't translate to ipv4 correctly.
 
aztatine

The service can only be accessed over IPv6 from outside your home network. Currently IPv6 is supported mostly by mobile networks in India only. If it's a web server and you have a domain you can use Cloudflare as a proxy to allow access from IPv4 networks.
 
sagaracharya

Thanks. I have set it up, reluctantly. Cloudflare collects almost all of my users' metadata but can't do much about that currently. What DNS settings should I have? I currently have ipv6 records straight through DNS without proxying and there's an A record with probably ipv4 of Cloudflare VM, which doesn't route correctly.

What settings should I have on Cloudflare to route ipv4 users to ipv6-only server?
 



aztatine

Without proxying there's no reason to use Cloudflare here. Their DNS service is just serving your IPv6 address and IPv4-only devices cannot connect. If you enable proxying Cloudflare will announce its own v4 and v6 addresses and forward the HTTP requests to your local device over IPv6 so anybody can connect. When proxying they will decrypt your HTTPS traffic so will have access to the full contents, not just statistical metadata.
 
sagaracharya

Yes, I saw their insane requirement for own Origin CA Cert. There's no way I'm allowing them to view full contents. That isn't happening. I'd rather shift to slower MTNL. If I do that, I might even create my own ipv4 to ipv6 proxying service. It shouldn't be that difficult to create.

I was hoping to proxy v4 requests and keep v6 requests direct from DNS.
 
ackr8

Messages
85
Location
Hyderabad
ISP
Airtel Xstream Fiber
Jio Fiber
Airtel 4G
Jio 4G
BSNL 3G
Also CF has DDoS and built-in Firewall as well; it helps mask your origin server to some extent at least and you can take advantage of CF's CDN.
 
sagaracharya

I'll be using Ungleich. It's just Rs.40 a month, it doesn't ask me to trust them and is in line with my principles of freedom respecting software. I didn't like Cloudflare's analytics. Pretty sure it tracks everything of users coming on my site. Thanks, ackr8. Thanks aztatine for specially making an account to solve my question ;):D
 
ackr8

Cloudflare analytics are for geolocation and website protection, they won't share your website's data. Ungleich is 399 not 40, at least according to their website, they sell a minimum of 10 domains, even then their datacenter is in Switzerland so ping and speed will be way way higher in contrast to CF's Mumbai datacenter. CF is best imo YMMV.
 
sagaracharya

Every proprietary service says, they don't share our secrets. Unfortunately, I can't assume so. It's very evident that they use our secrets (data, a deceptive word for information which they should not know) against us.

I have mailed Ungleich for 0.5CHF. I'll see their reply. Ping is not an issue.

Let me try CF again. I am not trusting them with my data at all. I merely want them to forward packets, preferably just that much. Can you post the configuration for CF for Jio Fiber for encryption with Let's Encrypt cert? I tried yesterday but I got error 521. I have allowed all IPs in firewall so Origin CA cert is the only thing left according to CF.

What does set security to FULL mean? I have preference for strongest ciphers algos for Let's Encrypt on my default server config. Does that count for FULL security? I will definitely not have Origin CA cert.
 
ackr8

I'm not talking about general security of your server. BTW every service is the same, you can never 100% trust a service with your data. I'm talking about CF SSL level, set that to Full; ig DBTech made a video on it. Use Let's Encrypt's certificates if you don't trust CF.