Use what works for you.
I’ve just moved my work PC from a cast off from a customer - it had a BIOS date stamped 2012, and was a rather shag Lenovo with a … Intel Core something and four GB RAM. Cheap though, i.e. free. I did wedge in an SSD to make it usable.
I run KDE which isn’t known for being tiny and I have a Postgres DB and a few containers for experiments running. The new box is an i5 Intel G13 thingy - HP mini jobbie. Luxury.
To ensure that I am as disadvantaged as everyone else, I run ESET Endpoint AV and full disc encryption on it. It boots EFI and Secure Boot is enabled. I will pass a Cyber Essentials Plus audit (UK standard) without having to employ any misdirection. I’ve also read up on the US standards. The STIG for Ubuntu 22.04 is doable but my desktop is running 23.04 and 24.04 has just come out.
I run my company and we have some customers who have some rather more stringent requirements than others. We also have our own standards.
I once named a load of servers for a helicopter company in the UK with elements. The cluster nodes were copper, silicon, etc. The cluster itself was called iron. The volumes were labelled fe_function.
It worked - it was easy to read and the bits that implied “cluster” were grouped appropriately. All the other servers had random elemental names unless they were associated in some way, in which case the group would be used. The engineers (real engineers with oil or distressingly nasty lubricants in their veins) loved it - it made sense, without being too quirky. It was very legible.
When those systems were hoicked out and replaced, the usual nonsense was applied: 2 char country code + 2 char site code etc etc ad nauseam. Followed by my absolute pet hate: 01. Oh so you might need 99 domain controllers? Yes you might, but not on one site.
Let’s face it, it is mostly AD admins who don’t get hostnames. I blame MS - their docs and blogs strive to be … authoritative or at least look so. An entire generation (possibly two) of sysadmins have been sold up the river by MS and their wankery.
That IPv6 forwarding page is strange. IPv6 does not need forwarding.
Anyway, I am trying to find a manual for your router. A Google search shows that it is probably NL localized and probably Asian manufactured for NL ISPs. Are you able to get a manual from your ISP? Their website looks just like one of ours - no help at all. I have also tried searching on the model and not much comes back.
I’m off on holidays for a few days. I’ll be back on dinsdag/Tuesday (08/08/2023).
That is for ping. ICMP v6 REQ: REQ means request and is a NAT type of terminology. A firewall rule allows some form of inbound traffic - here ICMP ping inbound (REQ), and then creates a state entry which allows the corresponding return traffic (RESP or response) - pong!
ping can be useful to determine connectivity and that rule will not open you up to anything nasty.
Your router seems to have been designed by someone who gives a shit about security, which is a good sign.
You don’t need to put the IPv6 address into your browser. The host command shows that you have got DNS sorted - try:
$ dig @9.9.9.9 myserver.now-dns.net AAAA
That should return an IPv6 address and the @9.9.9.9 means: use the Quad9 DNS server - 1.1.1.1 or 8.8.8.8 will also try external DNS servers - Cloudflare and Google. Hopefully that’s naming sorted out.
Now to actual access. Your router will (probably), by default, block all inbound connections. I’ve just had a look at your screenshot and it has a menu entry: “Port forwarding IPv6”. IPv6 doesn’t need port forwarding really but I suspect that is how you allow access. I am now guessing. There is such a thing as IPv6 NAT and something called NPT (Network Prefix Translation) which is not for the faint of heart!
Have a look around in that menu - a screenshot might help.
It might help if you tell us where you are (very roughly - country and perhaps city), your ISP and router model. I can get you to the point of all of this working but there are rather a lot of unknowns. I can see that your router offers Dutch or English so I will guess you are from the Netherlands.
As well as a link local address you should also have one or more globally routable ones too. Hopefully you have at least one of those set up in DNS with a AAAA address. Therefore you should be able to put the address of your web server into your browser and off it goes. In theory IPv6 should be preferred by your browser, so even if both an A record and a AAAA record resolve for the name, IPv6 should kick in.
A quick check would be:
$ host mywebserver.example.co.uk
That should return an IPv4 and an IPv6 address. The IPv6 address is the same for internal and external - there is no distinction, which can be surprising if you are used to IPv4 and NAT. The final bit of the equation is that your internet router needs to allow access “from all to globally routable IPv6 address of the web server”.
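As an added illustration (not part of the original comment): a Python example that sorts a host's IPv6 addresses into link-local, unique-local and global, and picks the stable global one that belongs in the AAAA record and in the router's allow rule. The `ip -6 -o addr show` sample is constructed with the documentation prefix, and the function names are hypothetical.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")

# Constructed sample of `ip -6 -o addr show` output; the addresses use the
# 2001:db8::/32 documentation prefix and are not from the thread.
SAMPLE = """\
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1234:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr \\       valid_lft 86395sec preferred_lft 14395sec
2: eth0    inet6 2001:db8:1234:1:d9c1:7e02:11aa:90f3/64 scope global temporary dynamic \\       valid_lft 86395sec preferred_lft 14395sec
2: eth0    inet6 fd12:3456:789a:1::10/64 scope global \\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \\       valid_lft forever preferred_lft forever
"""


def classify(addr, flags):
    """Name the address class that decides whether it belongs in DNS."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:          # fe80::/10, only valid on the local segment
        return "link-local"
    if addr in UNIQUE_LOCAL:        # fc00::/7, private, not routed on the internet
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        # Privacy (temporary) addresses rotate, so they make poor AAAA targets.
        return "global-temporary" if "temporary" in flags else "global"
    return "other"


def parse(output):
    """Yield (interface, IPv6Address, kind) for each inet6 line."""
    for line in output.splitlines():
        fields = line.split()
        if "inet6" not in fields:
            continue
        i = fields.index("inet6")
        end = fields.index("\\") if "\\" in fields else len(fields)
        addr = ipaddress.IPv6Address(fields[i + 1].split("/")[0])
        yield fields[1], addr, classify(addr, fields[i + 2:end])


def aaaa_candidates(output):
    """Stable global addresses: the ones to publish and to allow on the router."""
    return [(ifc, str(a)) for ifc, a, kind in parse(output) if kind == "global"]


if __name__ == "__main__":
    for ifc, addr, kind in parse(SAMPLE):
        print(f"{ifc:5} {kind:17} {addr}")
    print("AAAA / firewall target:", aaaa_candidates(SAMPLE))
```

Only the address reported as `global` is reachable from outside and stays put; the router rule should name that single address and port rather than the whole prefix.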
I can see that you have bound nginx to port 80 on both IPv4 and 6 - the two Listen directives.
Let’s get right down to basics:
I’m on GMT+1/BST/UTC+1 so it’s a bit late now. I’ll pick up tomorrow pm.
Best of luck. Let us know how you get on.
There is a lot going on there so I suggest divide and conquer. Shut down Caddy and configure something like nginx or apache with a simple static index.html page with a single word in it. Does that work? Start really simple, so open port 80 as well as 443 and add ssl only once you have proven http works OK.
“Gilfoyle” is an anagram of Cthulu.