Page 1 of 1

ipv6-to-ipv4 port forwarding

Posted: Thu Sep 27, 2018 11:13 pm
by tyoma53
Greetings all,

i have an old WD network storage, that i can reach from outside per ftp using dstnat rule.
/ip firewall filter
add action=accept chain=input comment="Accept (established, related)" connection-state=established,related
add action=accept chain=input comment="Accept (FTP)" dst-port=21 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop external" in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forward to FTP" dst-port=21 in-interface-list=WAN protocol=tcp to-addresses=192.168.xxx.xxx to-ports=21
my ISP already has support of ipv6, but unfortunately NAS itself can't ipv6. is this possible to forward request to WAN ipv6 address on 21st port to NAS ipv4, similar like socat can do?

socat TCP6-LISTEN:1234,fork TCP4:1.2.3.4:1234

thanks.

Re: ipv6-to-ipv4 port forwarding

Posted: Fri Sep 28, 2018 1:48 am
by Sob
Short answer: no

Long answer: Even if RouterOS had something general for tcp connections, it would not help you anyway. You can't pick worse service than ftp for this, because every single transfer (upload, download, even directory listing) means new established connection and info about used addresses and ports is part of protocol, i.e. transferred inside control connection. It could work in some cases, if clients would use only EPSV commands to establish data connections, and if the server supports it. Which it likely doesn't, because it usually goes hand in hand with IPv6 support. You need some specialized ftp proxy for this.

Re: ipv6-to-ipv4 port forwarding

Posted: Fri Sep 28, 2018 10:33 am
by tyoma53
Short answer: no

Long answer: Even if RouterOS had something general for tcp connections, it would not help you anyway.
thanks.
this was not a question about ftp, but about possibility to forward request from ipv6 WAN to ipv4 LAN. there can be any other protocol/port, e.g. http instead of ftp or 8080 instead of 21.
did i got it right, that routeros can't do ipv6-ipv4 forwarding at the moment?

Re: ipv6-to-ipv4 port forwarding

Posted: Fri Sep 28, 2018 1:00 pm
by Anumrak
It's called NAT 64. And ROS can't do it. But why you don't want to use ipv6 unique local unicast routing inside your LAN? It's fc00::/7 and it's not routable in global net.

Re: ipv6-to-ipv4 port forwarding

Posted: Fri Sep 28, 2018 3:06 pm
by Sob
Because the question was about accessing internal IPv4-only device using IPv6. And no matter what kind of IPv6 addresses you use in LAN, it will still be IPv4-only device unaware of IPv6.

Re: ipv6-to-ipv4 port forwarding

Posted: Fri Sep 28, 2018 3:18 pm
by Anumrak
Because the question was about accessing internal IPv4-only device using IPv6. And no matter what kind of IPv6 addresses you use in LAN, it will still be IPv4-only device unaware of IPv6.
IPv6 freely supported by all OS. TS can manage it easy.

P.S.: my mistake, cause ULU addresses can't be answered from Internet. So, NAT 64 only.

Re: ipv6-to-ipv4 port forwarding

Posted: Fri Sep 28, 2018 4:57 pm
by Sob
Maybe standard OSes, they do have IPv6 support available since many years back. But there are various kinds of NAS devices, IP cameras, etc. A lot of them don't need to be older than few years to not have any idea about IPv6. Even some currently sold new ones still don't have it.

Re: ipv6-to-ipv4 port forwarding

Posted: Sat Sep 29, 2018 4:40 pm
by tyoma53
thank you all.
i have known about unsupported by routeros NAT64, but hoped there is still something to forward request.

theme can be closed.

Re: ipv6-to-ipv4 port forwarding  [SOLVED]

Posted: Mon Oct 01, 2018 5:50 pm
by ThomasLevering
+ for IPv6 NAT64
and NAT IPv4 to IPv6 (I have a small Programm, that can do this, incl. add/remove SSL)

IP-Cloud Adress is now IPv4 and IPv6
Forwarding Port 80 to Server works for IPv4
IP-Cloud IPv6 Adress is to Router not Server

Dyndns IPv4 and IPv6 -> IPv6 Firewall must be changed every IPv6 Subnet change,
(or IPv6 Dyndns in AdressList in IPv6 Firewall)
I need a Firewall Rule for IPv6 match only the last ::/64
aaaa:aaaa:aaaa:aaaa:bbbb:bbbb:bbb:bbbb Part "aaaa" is Dynamic and "bbbb" fixed/Internal part from IP