0

I have a server with multiple VMs running. I want to access some of those machines from the internet. However, some should be only accessible from the local network. My ISP gives me a public IPv6 range and an IPv4 address behind a NAT.

My use cases are:

  1. Get to the internet from every machine
  2. Access webserver from external and internal client as well as laptop (best case by using one public IPv6 address).
  3. Access database only from internal client/webserver and pfSense.
  4. Keep things as simple/useful

I decided to use IPv4 internally for simplicity. I forwarded every connection from Fritzbox to pfSense, so that I could access the admin panel from WAN (deactivated that rule again for security rules). However, I don't know how to forward all traffic from WAN to pfSense on port 443 to 192.168.2.1. Is it possible to forward IPv6 traffic to an IPv4 address? Should I use another setup instead? How can I set up pfSense to forward to the webserver? Are there any special keywords I can search for?

   +------------------------+
   |                        |
   |  Client                |
   |  some random IPv6      |
   |                        |
   +------------------------+
                |
                |
   +------------v-----------+
   |     Internet           |
   +------------------------+
                |
   +------------v--------------+               +-------------------------+
   |                           |               |                         |
   |  Fritzbox from ISP        |               |  Laptop                 |
   |  public IPv6 range:       |               |  public IPv6:           |
   |  1234:2548:c25a:ff00::/56 +--------------->  1234:2548:c25a:ff00::2 |
   |                           |               |                         |
   |  one IPv4 address,        |               |  local IPv4:            |
   |  not accessible from      |               |  local IPv4:            |
   |  Internet                 |               |                         |
   |  123.45.56.78             |               +-------------------------+
   |  192.168.1.1              |
   +---------------------------+
                |
                |
   +------------v--------------+
   |                           |
   | PfSense Virtual Machine   |
   | public IPv6:              |
   | 1234:2548:c25a:ff00::3    |
   |                           |
   | local IPv4:               |
   | 192.168.1.3               |
   | 192.168.2.1               |
   |                           |
   +----------------------------------------------------+
          |                      |                      |
          |                      |                      |
          |                      |                      |
   +------v-------+       +------v------+       +-------v-----+
   |              |       |             |       |             |
   |  Webserver:  |       | Client      |       | Database:   |
   |  local IPv4: |       | local IPv4: |       | local IPv4: |
   |  192.168.2.2 |       | 192.168.2.3 |       | 192.168.2.4 |
   |              |       |             |       |             |
   +--------------+       +-------------+       +-------------+
mac.1

2 Answers

1

I got my problem solved, however I had to switch to IPv6 for this. I used this tutorial as a help: https://blog.veloc1ty.de/2015/08/22/pfsense-ipv6-delegation-hinter-fritzbox/

Basically I had to configure my Fritzbox to allow secondary routers and give them a prefix < 64 bit (I used the IA_PD and IA_NA method).

Then I configured the gateway as shown in the tutorial with 60 bits. After that I just needed to create a firewall rule for port 443.

On the clients I added `iface eth0 inet6 dhcp` to the /etc/network/interface

mac.1
  • This is the *correct* way of doing it. If you want to dip your toes into IPv6, [HE.net's certification](https://ipv6.he.net/certification/) may be worth spending an evening on. It's free and you get a nice T-shirt once you finish. It'll probably give you some new knowledge and teach you good practices :) – vidarlo Jun 16 '21 at 19:15
0

A reverse proxy like HAProxy can be configured to listen on both IPv4 and IPv6, and then proxy inbound connections to either IPv4 or IPv6 backends.

Mikael H
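The dual-stack proxy described in this answer, sketched as an added example that is not part of the original post: a minimal HAProxy configuration that accepts HTTPS on IPv6 and IPv4 and relays it to the IPv4-only webserver. It assumes HAProxy runs on the pfSense VM (or another dual-stack host in front of the 192.168.2.0 network), that the webserver at 192.168.2.2 from the question's diagram terminates TLS itself, and that the names `https_in`, `webserver` and `web1` are hypothetical.

```haproxy
# Added example, not the answerer's configuration.
defaults
    mode    tcp              # pass TLS through untouched; the webserver keeps its certificate
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend https_in
    # "::" with v4v6 opens one socket that accepts both IPv6 and IPv4 clients.
    bind :::443 v4v6
    default_backend webserver

backend webserver
    # IPv4-only backend. HAProxy opens a fresh IPv4 connection per client,
    # so the webserver logs the proxy's address as the source, not the client's.
    server web1 192.168.2.2:443 check

# No frontend is defined for the database (192.168.2.4), so nothing on the
# WAN side can reach it through this proxy.
```

The WAN firewall still needs a rule allowing inbound TCP 443 to the proxy's address, and only that port; because the backend sees the proxy as the source, per-client access control and logging have to happen on the proxy.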