(almost there) How to reach my NAS behind an IPv6-only router

[asheenlevrai]

Hi everyone

 

I just moved and my ISP changed my router. It used to be IPv4-only (it had no IPv6 address) but now it is IPv6-only (technically it still has an IPv4 but it is 10.xxx.xxx.xxx, I guess that's not a public/routable IPv4).

 

I guess my ISP is now using DS-lite or something similar.

 

When I go to online tools that allow me to find out my public IPv4 address I get something (213.xxx.xxx.xxx) that is different from what my router says (10.xxx.xxx.xxx) and probably corresponds to some gateway or something else along the network path of my ISP.

Well... anyways, I need to deal with IPv6 now and know nothing about it.

 

I used to use NAT and port forwarding in order to make my Synology NAS reachable from the outside. My NAS was also configured as a target for backups of a different NAS at work.

 

Now, with IPv6, AFAIU each of my local devices (the NAS and every other electronic device at home) have their own IPv6 and I should be able to reach them from the outside. Is that right?

However, I still need to open the ports I want on the target device. Via the firewall (of the device and via the firewall) of the router.

 

When I'm away from home, I can currently connect to my Synology NAS only if I meet the following conditions:

 - The network I'm using can access IPv6-only addresses

 - The firewall of my router has the necessary ports open (the firewall of my NAS is disabled by default)

 - I try to connect to my NAS using its IPv6 address (very inconvenient to type)

 

Currently, I'm facing different problems:

1) The Network at work is IPv4-only. This means I cannot connect to IPv6-only addresses from work. That sucks. Big time...

2) I tried to use different DDNS services that support IPv6 (from Synology or no-ip.com) but they don't work. It looks like they are using first the IPv4 when both v4 and v6 are available but since the IPv4 they have doesn't lead to my NAS, I get nowhere. So far, I couldn't find any DDNS service that could be IPv6-only (there is dynv6.com but I'm not smart enough to make it work on my Synology NAS)

EDIT: problem 2) is "solved" since synology taught me than specifying 0.0.0.0 as the v4 address for their DDNS service disables v4 and then only v6 is used (if different from 0:0:0:0:0:0:0:0). Now I just need to configure the firewall of my router correctly. I guess. I hope...

 

Currently, I fail at making my NAS at home reachable from work. My NAS at work cannot see it.

 

I guess my only options are:

 a) call IT at work and have them make our network compatible with IPv6 ASAP.

 b) find an IPv6-only DDNS service that works easily with Synology.

 

Thank you very much in advance for your help.

 

Best,

-a-

 

NOTE:

Now, there is a "connected devices" in the webUI of my router with 2 tables. one for IPv4 and one for IPv6.

 - In the IPv4 table, all my devices show up (7 of them, 2 on LAN  including my NAS, 4 on 5GHz wifi and 1 on 2.4GHz wifi). All their IPV4 are local IP as expected and I can also see their MAC address.

 

 - Now, in the IPV6 table only 6 devices show up (1 on LAN, 4 on 5Ghz and 1 on 2.4GHz wireless). And guess what, the missing one is my NAS.... As if my NAS didn't have an IPV6 address. Actually at some point my NAS showed up in the list of connected devices (IPv6). But after a while in went away... in both cases, I don't know what caused the change... The fact that the NAS is or is not present in this list doesn't change its accessibility via its IPv6 adress (it always has one) but I cannot crate any rule for this IPv6 in "RouterUI->IPv6->Access Control".

I have no idea if this has any other consequences or not.

[Thanatopsis]

can the router that your ISP provided do IPv4-IPv6 tunneling for incoming traffic?  or is it more of just a modem?  Also make sure your NAS is actually using a static IPv6 address.

[asheenlevrai]

23 hours ago, Thanatopsis said:

can the router that your ISP provided do IPv4-IPv6 tunneling for incoming traffic?  or is it more of just a modem?  Also make sure your NAS is actually using a static IPv6 address.

Thanks for your help.

 

What kind of tunneling would actually make sense then? The router cannot be reached via IPv4 and my work internet cannot access IPv6-only targets. I would need something in the middle that translates the IPv4 packets from my work into IPv6 packets.

 

My idea for now was to use IPv6-only DDNS (see updated initial post above), but it would only work from IPv6-compatible clients. I would still need to have IT at work implement IPv6 compatibility.

 

Please explain what you envision

 

 

I'm not sure exactly what the router can do but it is definitely more than just a modem. It does Firewall, NAT, (DECT) telephony, NAS/media server (USB ports), it can also deal with LTE connexion (via an USB SIM card reader, not provided), Parental control, . One 10GB LAN port, 4 gigabit LAN ports, dualband Wifi ac... Well who cares...

 

Where would tunneling option be located?

[asheenlevrai]

I was just directed to this great service that I didn't know of:

http://v4-frontend.netiter.com/

They provide a free "translation" of IPv4->v6 to allow computers in IPv4-only networks to reach servers located in IPv6-only networks (only for Http(s) traffic for obvious reasons).

By using their IPv4 and my IPv6 in my DDNS settings on my NAS at home, I can now reach it from computers at work (or any computer for the matter), but only to get to the webUI, I cannot use this to run backups since they most certainly block ports because of the traffic that it would generate.

 

Now I wonder if I could make my own little private V4-frontend-like server somewhere (a colleague's place or any location that has access to both IPv4 and IPv6) to handle the translation I need to run my backups from work to my NAS at home...

[Thanatopsis]

On 5/1/2020 at 11:10 AM, asheenlevrai said:

I was just directed to this great service that I didn't know of:

http://v4-frontend.netiter.com/

They provide a free "translation" of IPv4->v6 to allow computers in IPv4-only networks to reach servers located in IPv6-only networks (only for Http(s) traffic for obvious reasons).

By using their IPv4 and my IPv6 in my DDNS settings on my NAS at home, I can now reach it from computers at work (or any computer for the matter), but only to get to the webUI, I cannot use this to run backups since they most certainly block ports because of the traffic that it would generate.

 

Now I wonder if I could make my own little private V4-frontend-like server somewhere (a colleague's place or any location that has access to both IPv4 and IPv6) to handle the translation I need to run my backups from work to my NAS at home...

yes you should be able to I would actually assume that you could talk to the networking staff to see if they could just enable specific services on the office router.  if you are a small company and you are responsible for the IT look at setting up a PfSense router in your office that lets you do the ipv4-ipv6 tunneling  that way.  I do not have experience with that yet as im still learning how to take the concepts and put them into practice so sadly i can not walk you through the setup steps yet.

[asheenlevrai]

23 hours ago, Thanatopsis said:

yes you should be able to I would actually assume that you could talk to the networking staff to see if they could just enable specific services on the office router.  if you are a small company and you are responsible for the IT look at setting up a PfSense router in your office that lets you do the ipv4-ipv6 tunneling  that way.  I do not have experience with that yet as im still learning how to take the concepts and put them into practice so sadly i can not walk you through the setup steps yet.

We are a big institute. IT is slow and often inefficient.

I contacted them weeks ago about IPv6 compatibility and haven't heard back from them yet

 

I'll google PfSense

[asheenlevrai]

OK. IT at work was much better than anticipated.

We are now IPv6 compatible.

 

Now, the only issue that remains is the following:

 

 - The firewall of my router needs to have the necessary ports open

 

Unfortunately the UI of my router doesn't make any sense. For IPv4 (useless in my case) everything is fine.

However for IPv6 there is a distinct firewall and a distinct "Access Control" (whatever that is) allowing to set up rules but I don't understand what they actually do (maybe redirect the traffic reaching the router on a given port to a specified IPv6 behind the router on a specified port. I thought IPv6 didn't need any "port forwarding" or stuff like that.

The IPv6 firewall consists only in a list of check-boxes to open predefined ports (or series of ports) corresponding to usual services (HTTP, FTP, SMTP, AOL, Telnet, Netmeeting, VPN) and the last checkbox corresponds to "all other ports". Nonsense...

 

 

For my backups, I need to open port 6281 (cannot change this one on the server side unfortunately). But obviously, 6281 is not among the ports I can chose from in the IPv6 firewall. In order for my backup server to be reachable, I need to open "all other ports" on my router and this is a BIG security risk. ( I can use the firewall on my NAS to leave only 6281 open but for all my other gadget at homes there is no such option. They are now all vulnerable through IPv6)

 

I tried going into "IPv6"->"Access Control" and create a rule where traffic on port 5190 (AOL instant messaging) would be redirected to port 6281 on the IPv6 of my NAS. And then open port 5190 in the IPv6 firewall. But this didn't work (NAS is unreachable from the source)

 

...

 

Help?

-a-

 

[JCV]

Hi asheenlevrai,

 

I know it's quite old, but did you come up with a solution?

 

I face exactly the same issue 2 years later...

 

Could you help me?

 

Thanks!