techblog.koponen.se

 _______ ____ ____ __  __ ____  __   ______ ______
/_   __// __// __// /_/ // _ / / /  / __  // ____/
  / /  / __// /_ / __  // _ < / /_ / /_/ // /_  /
 /_/  /___//___//_/ /_//____//___//_____//_____/
  techblog.koponen.se

 [ / ] [ howto ] [ reviews ] [ webapps ] [ youtube ] [ links ] [ about ]
-------------------------------------------------------------------------

  techblog.koponen.se
 
 [ / ] 
 [ howto   ] [ reviews ] [ webapps ] 
 [ youtube ] [ about   ] [ links   ] 
-------------------------------------

HOWTO
IPV6
ADDING EXTERNAL IPv4 ACCESS TO A SERVICE ON AN INTERNAL IPv6 ONLY NETWORK

Published: 20190125

Tested on:
Raspberry Pi 2 Model B
Raspbian GNU/Linux 9 (aka "stretch")
HAProxy 1.7.5-2 (Raspbian stock)

In this HOWTO we are assuming that the Load Balancer is a Linux machine with 2 NIC:s
We are also assuming that the service is a webserver running on 2 machines

Here's the idea:

          ( The Internet )
                  |
                  |
  ------------------------------------- External IPv4 Network
                  |                     (or dual stack)
           _______|_______
          |   | NIC-0 |   |
          |   |_______|   |             NIC-0 : Is configured with a public IPv4 address
          |               |
          | Load Balancer |             NIC-1 : Is configured with an IPv6-address
          |    _______    |                     It can be 2001::/3 or fe80::/10 or fc00::/7
          |   | NIC-1 |   |                     Just make sure it is the same subnet as
          |___|_______|___|                     machine-0 and machine-1)
                  |
                  |
  ------------------------------------- Internal IPv6-only Network
          |               |
     _____|_____     _____|_____
    |  | NIC |  |   |  | NIC |  |
    |  |_____|  |   |  |_____|  |
    |           |   |           |
    | Machine-0 |   | Machine-1 |
    | IPv6-only |   | IPv6-only |
    |___________|   |___________|

Of course "Load Balancer" can also mean "Router" or "Routing Firewall".

Make sure that the public hostname of your service (i.e. www.example.com) has an A record pointing to the IPv4 address on NIC-0.
If you want your service to also be reachable over IPv6 you can add an IPv6 address to NIC-0 and then you add an AAAA record to the public hostname of your service.
You could point the AAAA record directly to the "internal" machines, but it is most likely not best practise.

For this particular use case, We're using these addresses:

Load Balancer NIC-0 IPv4 address: 192.0.2.1/24
Load Balancer NIC-1 IPv6 address: 2001:db8::1/64
Machine-0     NIC   IPv6 address: 2001:db8::10/64
Machine-1     NIC   IPv6 address: 2001:db8::11/64

Install HAProxy on the "Load Balancer":

sudo apt install haproxy

Edit /etc/haproxy/haproxy.cfg and add a couple of lines at the bottom:

frontend justarandomname123
  bind *:80
  mode http
  default_backend webservers123
backend webservers123
  mode http
  balance roundrobin
  option forwardfor
  server web0 [2001:db8::10]:80 check
  server web1 [2001:db8::11]:80 check

Restart HAProxy

sudo service haproxy restart

Now if you surf to Load Balancer you will get the content from Machine-0 and/or Machine-1