2

I set up access to my family's home server over VPN, restricted by IP address. Sometimes a family member would have an IPv6 address (they Google "ip") from their location. My firewall (pfSense) accepts IPv6 addresses but the VPN refuses to connect to their IPv6 address. When I look at my firewall's logs, I see an IPv4 address on a specific port attempting to connect to my firewall. If I use that IPv4 address that I found in the logs as the VPN source, the VPN starts working.

Are the IPv6 addresses being translated to an IPv4 address with a specific port? Currently, I only add the IPv4 address part. Am I allowing a larger range of IPs to connect to my firewall since I'm not specifying the port?

5
  • Are the IPv6 addresses global or private? Does the IPv4 address belong to the same ISP? Are you able to provide the un-obscured addresses here? Commented Jun 10, 2018 at 16:48
  • @grawity I'm assuming the IPv6 addresses are public since they're provided by my sis's ISP. We are using different ISPs.
    – SILENT
    Commented Jun 10, 2018 at 21:52
  • 1) Unfortunately you cannot assume public based on only that – not even for IPv6. Do your family's IPv6 addresses start with a '2' or with a 'f'? Roughly speaking, the former is public, the latter isn't. 2) I was asking to compare the v4 address you see and the v6 address that you expected to see, i.e. both from the same side. Commented Jun 11, 2018 at 4:04
  • @grawity Sorry for the delay. Thought this question was dead. My sis's IP address starts with a 2. Same side? My sis is using her own internet at her place. She sent me a screenshot.
    – SILENT
    Commented Sep 2, 2018 at 23:27
  • You should be asking this question of the ISP that is generating it. If the address sometimes arrives as IPv6 and sometimes as IPv4, then perhaps that ISP is using both. For example, it may prefer IPv4 as some clients don't support IPv6, but needs to use IPv6 when it runs out of IPv4 addresses. If this bothers you, you might ask the ISP if it has an option for a static IPv4 address (which might cost some more).
    – harrymc
    Commented Sep 3, 2018 at 7:13

2 Answers

1
+50

The ISP of your sister seems to have chosen an IP address transition method called Dual-stack IP implementation.

With this solution, every networking device, server, switch, router and firewall in the ISP's network is configured with both IPv4 and IPv6 connectivity capabilities (if it supports the latter). This allows the ISP to process IPv4 and IPv6 data traffic simultaneously.

This is a diagram of what it looks like:

[Diagram: Dual-stack IP implementation]

For your sister this means that she is able to surf the Internet without wondering if her connection will stop working because of IP address incompatibility.

For you this means that your sister can be reached via two IP addresses. She may verify that point by surfing to the IPv4/IPv6 Dual Stack Test page on whatismyipaddress.com to see if she has both addresses.

If this situation is problematic for you, your sister might ask her ISP if it has an option for a static IPv4 address. This might be a free option or it might not.

She could also disable IPv6 on her router, which will cause it to use exclusively an IPv4 address. However, there might be a problem if the ISP is in danger of running out of IPv4 addresses in its assigned IPv4 address space.

In any case, in our dual-IP world such cases will become more and more common.
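
An added example, not part of the original answer: one way to evaluate a source-address allowlist for a dual-stack peer like the one described above, with one entry per address family, run over a few log lines. The addresses, the /64 prefix length and the key=value log format are constructed assumptions; the match uses the source address only, so the changing source port does not widen the rule.

```python
import ipaddress
import re

# Constructed allowlist for one dual-stack peer (RFC 5737 / RFC 3849 documentation ranges).
ALLOWLIST = [
    ipaddress.ip_network("203.0.113.25/32"),        # peer's IPv4 address
    ipaddress.ip_network("2001:db8:12:3400::/64"),  # peer's IPv6 prefix (assumed /64)
]
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed log lines in a made-up key=value format, not pfSense's real format.
SAMPLE_LOG = """\
src=203.0.113.25 sport=51344 dport=1194 proto=udp
src=203.0.113.25 sport=40212 dport=1194 proto=udp
src=2001:db8:12:3400:a1b2:c3ff:fe04:5 sport=51344 dport=1194 proto=udp
src=::ffff:203.0.113.25 sport=60001 dport=1194 proto=udp
src=fd12:3456:789a::10 sport=51344 dport=1194 proto=udp
src=198.51.100.7 sport=51344 dport=1194 proto=udp
"""

def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def scope(ip):
    """Label the family and, for IPv6, the rough scope ('2...' vs 'f...')."""
    if ip.version == 4:
        return "ipv4"
    if ip.is_link_local:
        return "ipv6-link-local"      # fe80::/10, never routed
    if ip in ULA:
        return "ipv6-unique-local"    # fc00::/7, private to a site
    return "ipv6-global" if ip in GLOBAL_UNICAST else "ipv6-other"

def decide(line):
    """Return (source, scope, allowed); the source port plays no part in the match."""
    src = re.search(r"src=(\S+)", line).group(1)
    ip = normalize(src)
    allowed = any(ip.version == net.version and ip in net for net in ALLOWLIST)
    return str(ip), scope(ip), allowed

def evaluate(log=SAMPLE_LOG):
    return [decide(line) for line in log.splitlines() if line.strip()]

if __name__ == "__main__":
    print(*evaluate(), sep="\n")
```

The first two sample lines differ only in source port and get the same decision, while the unique-local IPv6 source and the unrelated IPv4 source are both rejected.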

-1

You're seeing an IPv4 address in your logs because the source likely has both an IPv6 and IPv4 address. Since IPv6 is still not very widespread, devices are usually assigned an IPv4 address along with the IPv6 address to aid in compatibility. You can see this on sites like https://ipleak.net. v6 and v4 addresses are usually not related at all and may change independently of each other. My advice would be to only allow IPv4 traffic past the firewall to the VPN server as it seems the VPN server will prefer the v6 address over the v4 address, which is not what you want. Also, if you're using OpenVPN, it's much easier and more secure to use certificate authentication rather than authenticating by IP.

What ports you allow will not affect which IPs can connect.

2
  • 1
    I've read about IPv4 being generated to be backwards compatible for IPv6. However, I am successfully receiving IPv6 requests for other sites, yet why does IPv4 show up instead of IPv6 for my sis? For bidirectional traffic, I prefer a combination of both IP and certificate. How can I get the VPN request to come in as an IPv6 request?
    – SILENT
    Commented Sep 3, 2018 at 1:28
  • @SILENT IPv6 is designed to play as nicely as possible with IPv4; however, there are still several hiccups. Almost all traffic with an IPv6 address will have an IPv4 address, so the server or firewall are probably only configured to log one type of address, which is why you're seeing both types. You'll probably have to configure your server to authenticate based on the type of address you want. You probably wouldn't want to use IPv6 for auth since it's common for devices on the same network to have the same public IPv6 address, unlike IPv4, where many devices share an address using NAT.
    – wispi
    Commented Sep 3, 2018 at 2:20
