[squid-users] Outgoing IPv6 address with no IPv4 address access

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 2 05:05:52 UTC 2015


On 2/11/2015 2:07 p.m., Eliezer Croitoru wrote:
> Hey Robert,
> 
> It is really unclear what you need or want (at least to me).
> The basic way that the routing world works is that if you try to access
> an IPV4 address is by using the IPV4 routing world.
> It means that you need to use an IPV4 address to access IPV4 resources
> or networks.
> 
> I remember talks here and there about making it possible from a routing
> and networking aspect of things to be able to use an IPV6 address to
> access an IPV4 network. From what I know it requires some special
> networking settings and special equipment\software.
> In any case you would need somewhere in your setup a place which can
> access either two stacks (IPV4+IPV6) or some other solution which I
> suspect doesn't exist yet.

There is NAT64 nowadays. But that is even more nasty than two layers of
NAT44.

There are also ALG translators for most protocols. Squid being one of
those for HTTP.

What Robert is possibly seeing may be Squid ALG features translating
between IPv4-only servers and IPv6 clients.

> 
> From squid aspect it can interact the world with both IPV6 and IPV4
> while the decision is based on the DNS response which is either an A
> record or AAAA record.
> If you would use IPV6 DNS servers the answer would be the same for
> both A and AAAA queries, V4 or V6.
> The default from squid point of view is to use its own IP address while
> accessing the network unless you are using TPROXY.
> 
> What you see is how things should work.
> 
> All The Bests,
> Eliezer Croitoru
> 
> On 01/11/2015 18:38, Robert Conlustro wrote:
>> I have an IPv6 outgoing address setup and it works correctly but when
>> I access a website that has an IPv4 address it uses the main IP of the
>> server,

This should not be for _any_ website with IPv4. Squid by default will
use IPv6 in preference over IPv4 when both are available. Only using
IPv4 if there is no IPv6 connectivity to the server.

You have to have explicitly configured "dns_v4_first on" to make Squid
use IPv4 when there is working IPv6 to the server. Using that option is
discouraged.
In this case, make sure it is removed entirely from your config.


>> is there any way to disable the use of the main IPv4 address
>> of the server and only use the IPv6 outgoing address? I have tried to
>> add only IPv6 DNS nameservers and that didn’t work. Any ideas would be
>> greatly appreciated.

Not when contacting IPv4 servers. src-IP and dst-IP must be of the same
IP version to make a connection.

The best way to prevent IPv4 traffic flowing around your network is to
firewall IPv4 so that it meets your requirements. If a firewall rejects
IPv4 connectivity properly Squid will obey and move on to other IPs the
site has or send a 5xx error to the client informing them it is
unavailable. No Squid config needed.

Amos
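
Added example (not part of the original message, and not Squid project code): a small audit of a squid.conf for the two conditions discussed above, `dns_v4_first on` and an outgoing address set for IPv6 only. It assumes the "IPv6 outgoing address setup" was done with `tcp_outgoing_address`; the function name `audit_squid_conf` is hypothetical and the sample config is constructed.

```python
import ipaddress

# Constructed sample squid.conf (not from the thread); 2001:db8::/32 is the
# IPv6 documentation prefix.
SAMPLE_CONF = """\
# proxy listener
http_port 3128
dns_v4_first on
tcp_outgoing_address 2001:db8::10
"""


def audit_squid_conf(text):
    """Check the two settings the thread turns on (hypothetical helper)."""
    v4_first = False
    families = set()
    for raw in text.splitlines():
        tokens = raw.split()
        # Skip blank lines, comment lines and directives without a value.
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        if tokens[0] == "dns_v4_first":
            v4_first = tokens[1] == "on"
        elif tokens[0] == "tcp_outgoing_address":
            try:
                families.add(ipaddress.ip_address(tokens[1]).version)
            except ValueError:
                pass  # not a literal IP address; ignore for this check
    findings = []
    if v4_first:
        findings.append("dns_v4_first on: IPv4 is tried before working IPv6; "
                        "remove the line")
    if 6 in families and 4 not in families:
        findings.append("only IPv6 outgoing addresses: IPv4-only servers are "
                        "still reached from the host's own IPv4 address; "
                        "reject IPv4 at the firewall if that is unwanted")
    return {"dns_v4_first": v4_first,
            "outgoing_families": sorted(families),
            "findings": findings}


if __name__ == "__main__":
    for finding in audit_squid_conf(SAMPLE_CONF)["findings"]:
        print(finding)
```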


