Unable to reach ipv6 address from outside.

[sagaracharya]

I have read some posts here and they mention that firewall should be disabled. I have already done that and allowed all inbound requests in router's firewall settings.

I do have Jio home router with a plan of Rs.399 per month and I use Parabola GNU/Linux OS.

When I execute curl localhost:<portnumber> , I get the correct response, but
on curl [ipv6]:<portnumber> , even on the server itself, I get connection refused at port <portnumber>.

I did check that the address on inet6 is same as my public ip. I did try to ping it from outside the network but can't connect.

I have fiddled a lot with firewall setting and have also tried both nat and classical routing options under routing, much to my disappointment. It should probably mean only that JIO has blocked all ports.

Please help in case someone has solved this thing.

 

[aztatine]

I run some servers on Jio fiber over IPv6 and they are accessible just fine from outside after adding an inbound IPv6 rule in the firewall.
If you get connection refused even from the same machine then chances are your server is only listening on IPv4 which is default for many programs. Post the output of

ss -6ltp

and

ss -4ltp

. In routing option you should stick to NAT.

 

[sagaracharya]

Aah yes. You're correct. There's no output for

ss -6ltp

And the server processes for -4 can be seen. Thanks, I'll get back once I proceed further.

 

[sagaracharya]

I changed my server config for ipv6.

Now, I can access through curl from local jio network (other device). I tried to use

curl [ip6]:<port>

from other network (ipv4 based from jio mobile tethering). And I get the following error:

curl: (7) Couldn't connect to server

I guess that the ipv6 doesn't translate to ipv4 correctly.

 

[aztatine]

The service can only be accessed over IPv6 from outside your home network. Currently IPv6 is supported mostly by mobile networks in India only. If it's a web server and you have a domain you can use cloudflare as a proxy to allow access from IPv4 networks.

 

[sagaracharya]

Thanks. I have set it up, reluctantly. Cloudfare collects almost all of my user's metadata but can't do much about that currently. What DNS settings should I have. I currently have ipv6 records straight through DNS without proxying and there's an A record with probably ipv4 of cloudfare VM, which doesn't route correctly.

What settings should I have on cloudfare to route ipv4 users to ipv6-only server?

 

---

[aztatine]

Without proxying there's no reason to use Cloudflare here. Their DNS service is just serving your IPv6 address and IPv4-only devices cannot connect. If you enable proxying cloudflare will announce it's own v4 and v6 address and forward the HTTP requests to your local device over IPv6 so anybody can connect. When proxying they will decrypt your HTTPS traffic so will have access to the full contents, not just statistical metadata.

 

[sagaracharya]

Yes, I saw their insane requirement for own Origin CA Cert. There's no way I'm allowing them to view full contents. That isn't happening. I'd rather shift to slower MTNL. If I do that, I might even create my own ipv4 to ipv6 proxying service. It shouldn't be that difficult to create.

I was hoping to proxy v4 requests and keep v6 requests direct from DNS.

 

[aztatine]

I was hoping to proxy v4 requests and keep v6 requests direct from DNS

I would also like to do that. This is technically possible but Cloudflare probably does not support that use case, at least according to this thread: Change to mode "DNS & Proxy" only for ipv6 AAAA record, but also get ipv4 A record affected unexpectedly

Just hope more wired broadband providers support IPv6 here soon. 🙂

 

[ackr8]

Yes, I saw their insane requirement for own Origin CA Cert.

That is only if you want Cloudflare SSL throughout the chain, you can use Let's Encrypt's certificate and set Security to Full.
EDIT : typo

 

[ackr8]

Also CF has DDoS and built in Firewall as well; it helps masking you are origin server to some extent atleast and you can take advantage of CF's CDN.

 

[sagaracharya]

I'll be using Ungleich . It's just Rs.40 a month, it doesn't ask me to trust them and is in line with my principles of freedom respecting software. I didn't like Cloudflare's analytics. Pretty sure it tracks everything of users coming on my site. Thanks, ackr8. Thanks aztatine for specially making an account to solve my question 😉😀

 

[ackr8]

Cloudflare analytics are for geolocation and website protection, they wont share your website's data. Ungleich is 399 not 40, atleast according to their website, they sell a minimum of 10 domains, even then their datacenter is in Switzerland so ping and speed will be way way higher in contrast to CF's Mumbai datacenter. CF is best imo YMMV.

 

[sagaracharya]

Every proprietary service says, they don't share our secrets. Unfortunately, I can't assume so. It's very evident that they use our secrets (data, a deceptive word for information which they should not know) against us.

I have mailed Ungleich for 0.5CHF. I'll see their reply. Ping is not an issue.

Let me try CF again. I am not trusting them with my data at all. I merely want them to forward packets, preferably just that much. Can you post the configuration for CF for Jio Fiber for encryption with Let's encrypt cert? I tried yesterday but I got error 521. I have allowed all IPs in firewall so Origin CA cert is the only thing left according to CF.

What does set security to FULL mean? I have preference for strongest ciphers algos for Let's Encrypt on my default server config. Does that count for FULL security? I will definitely not have Origin CA cert.

 

[ackr8]

Im not talking about general security of your server. BTW every service is the same you can never 100% trust a service with your data. Im talking about CF SSL level, set that to Full ig DBTech made a video on it. Use Lets Encrypt's certificates if you dont trust CF.