Hi, I have a n00b problem. I have spent quite a while trying to solve it myself, but I still could not figure it out.
My Chateau LTE18 ax router running ROS 7.13.2 successfully receives a single dedicated IPv6 address (not a subnet prefix, expectedly) from my mobile operator. So I use IPv6 NAT to publish some local resources globally. For that, I have added the following IPv6 firewall rules:
/ipv6 firewall filter
add chain=forward dst-address=<LOCAL-HTTPS-SERVER-ADDRESS> protocol=tcp dst-port=443 action=accept comment="allow HTTPS"
/ipv6 firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=443 action=dst-nat to-address=<LOCAL-HTTPS-SERVER-ADDRESS> comment="forward HTTPS"
This way I can successfully access my local HTTPS server from the Internet using my public IPv6 address, as well as a dynv6 domain name.
The only remaining problem is that I cannot access the HTTPS server from the LAN using the public IPv6 or DNS name. It works fine using the LOCAL-HTTPS-SERVER-ADDRESS, but I want to always use the public DNS name to avoid TLS issues.
As far as I understand, in IPv4 this problem can be solved by hairpin NAT. However, I couldn’t manage to implement it with IPv6 and I’m not sure it’s even applicable here.
Thanks in advance for your help!