IPv6 behind pfSense.
-
Okay, this is what I did to get an IPv6 tunnel to work behind pfSense. This should answer some questions for anyone else searching (I couldn't find much).
You can set up the tunnel on the pfSense box if you want (I didn't do this). Sign up for a broker (/64) and do something like this:
ifconfig gif0 create
ifconfig gif0 tunnel lan.ip.1.1 broker.ip.here.142 up
ifconfig interface0 inet6 IPv6:Prefix:here::1 prefixlen 64 alias
route add -inet6 default fe80::%gif0
So an example (don't actually use this).
ifconfig gif0 create
ifconfig gif0 tunnel 192.168.1.1 202.157.186.227 up
ifconfig fxp0 inet6 2001:db8:ff:ff::1 prefixlen 64 alias
route add -inet6 default fe80::%gif0
Now, if you're setting this up behind your pfSense box, sign up for a broker (/64):
Linux:
So an example (don't actually use this).
ip tunnel add mytbs mode sit remote 202.157.186.227 local 192.168.1.1 ttl 64
ip link set mytbs up
ip link set mtu 1280 dev mytbs
ip -6 addr add 2001:db8:ff:ff::1/64 dev eth0
ip -6 route add 2000::/3 dev mytbs
Windows:
First, run: ipv6 install
So an example (don't actually use this).
netsh interface ipv6 6to4 set state disabled
netsh interface ipv6 set privacy disabled
netsh interface ipv6 add v6v4tunnel mytbs 192.168.1.1 202.157.186.227
netsh interface ipv6 add address "Local Area Connection" 2001:db8:ff:ff::1
netsh interface ipv6 add route 2000::/3 mytbs publish=yes
Use the very first example to see which values need to be changed.
So you have your tunnel set up. Now let's allow traffic to flow (if you block outbound too, you will need to add a rule for that).
Add a firewall rule on the WAN interface the IPv6 data is being sent to.
Action: Pass
Interface: WAN
Protocol: any
Source: Specify Address (in the examples this would be 202.157.186.227)
Destination: any
Port Range: any
What this does is allow 202.157.186.227 to access the machine running the tunnel, so you need to trust your tunnel broker. Most of them are fine. IPv6 traffic should now be flowing to your tunnel :D
Now, to automatically give all the computers on the LAN addresses:
Install radvd (Linux and BSD; I don't know what to do for Windows) and use a config like:
interface eth0 {
    AdvSendAdvert on;
    prefix 2001:db8:ff:ff::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
http://tunnelbroker.net/ are good.
Any questions? I know this tutorial is shit, but for those who already know the basics it is easy to work out.
-
Could you use placeholders in there, like [Your IPv6 Endpoint]? I tried following this and everything works on that machine, but I can't ping6 anything from any other machines even with radvd running. I am using tunnelbroker.net, but I'm using the linux-net-tools configuration since the other version doesn't work at all for me.
So I have a Linux machine behind pfSense (I have pfSense forwarding IPv6-encapsulated traffic to the box) and I have it set up like so:
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::[server ipv4 endpoint]
ifconfig sit1 up
ifconfig sit1 inet6 add [client ipv6 endpoint]
route -A inet6 add ::/0 dev sit1
From this point I can ping6 the server IPv6 endpoint, ipv6.google.com, etc. I install radvd and /etc/radvd looks like so:
interface eth0 {
    AdvSendAdvert on;
    prefix [routed /64 network] {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
I then do an ifdown/ifup on another Linux machine; it gets an IP with that prefix, but when I try to ping anything, it doesn't work.
(edit)
Forgot to mention that after this is all set up, if I run tcpdump on the computer that has the tunnel, I can see ping packets coming from the second computer and I see a response coming in. On the client machine I just see packets going out but none coming in. Like the computer the tunnel is on doesn't know how to forward ports? It is running Debian 4.0.
(/edit)
-
Assign yourself a /48 from the tunnel broker and try using that. I'm not a pro at this, BTW. I just use it for fun.
Assign an IP to your eth0 (or LAN adaptor):
ifconfig eth0 inet6 add [client ipv6 endpoint]
route -A inet6 add ::/0 dev eth0
OR
route -A inet6 add ::/0 dev sit0
Does that change anything?
Is there anything stopping you from copying the code I posted for Linux?
apt-get install iproute
ip tunnel add henet mode sit remote [server ipv4 endpoint] local [local ipv4 address] ttl 64
ip link set henet up
ip link set mtu 1280 dev henet
ip -6 addr add [client ipv6 endpoint]/64 dev eth0
ip -6 route add 2000::/3 dev henet
You picked a good time to reply. I'm not active on these forums and just happened to be browsing.
-
Before, when I did all the iproute stuff, it just didn't work, period. My guess was it was just messed up from me playing with it. So I restarted the computer, used the ip commands, and I'm in the same situation. Access from that computer is fine, but when any of the other computers on the local network try to ping, I can see the ping and response on the server but it never reaches the end computer. I've tried your version and the one that tunnelbroker suggests in the Linux-route2 setup. Both give the same results. I've since tried this on a Mac and a Windows XP computer and all exhibit the same thing. I'll keep looking to see if there's anything else I may need to set on the server so it knows to forward packets along.
-
Found the error. Looked through and forgot to set an IPv6 address in the routed /64 range for the server… whoops. I set that to an IP in the public range and it works. And actually I have mine running completely through /etc/network/interfaces (Debian/Ubuntu variants only). Here is what I have in /etc/network/interfaces on the server running Debian etch (4.0):
# The primary network interface
auto eth0
iface eth0 inet static
    address [server's lan ipv4 address]
    netmask [...]
    network [...]
    broadcast [...]
    gateway [pfsense ipv4 address]

iface eth0 inet6 static
    address [your ipv6 routed /64 prefix (usually your endpoint with the 3rd part being one higher)]::1
    netmask 64
    pre-up modprobe ipv6

# IPv6 tunnel by hurricane electric
auto henet
iface henet inet6 v4tunnel
    address [Client IPv6 address]
    netmask 64
    endpoint [Server IPv4 address]
    ttl 255
    pre-up modprobe ipv6
    up ip link set mtu 1280 dev henet
    up ip route add default via [Server IPv6 address] dev henet
And that's all you need to get routing working. For everything else, like radvd and setting up pfSense to forward traffic, the instructions above still apply.
One last thing that was really messing with me. In Firefox 3, go to about:config, search for network.dns.disableIPv6 and make sure it is set to false (just double-click on it). Without that, Firefox won't make AAAA lookups and thus won't load any IPv6 sites.
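An added example (not code from any poster in this thread) that encodes the conventions used above: the "third hextet one higher" rule of thumb for the routed /64, the radvd stanza, the iproute2 setup, and a check for the misconfiguration found in the last post (no LAN address inside the routed /64). All addresses are constructed documentation-range samples; the function names are hypothetical, and the forwarding sysctl is an assumption about what a Linux router needs. Confirm the routed prefix on your broker's tunnel details page rather than trusting the rule of thumb.

```python
import ipaddress

def routed_prefix(client_endpoint):
    """Routed /64 by the thread's rule of thumb: the tunnel /64 with its
    third hextet one higher. Always confirm on the broker's tunnel page."""
    tunnel = ipaddress.IPv6Interface(client_endpoint).network
    h = tunnel.network_address.exploded.split(":")
    h[2] = "%04x" % ((int(h[2], 16) + 1) & 0xFFFF)
    return ipaddress.IPv6Network(":".join(h) + "/64")

def lan_address_problem(lan_addr, client_endpoint):
    """None if lan_addr is a usable router address on the routed /64, else a
    description of the mistake. Catches the thread's bug: the LAN side had no
    address in the routed range, so replies for other hosts had nowhere to go."""
    lan = ipaddress.IPv6Interface(lan_addr)
    tunnel = ipaddress.IPv6Interface(client_endpoint).network
    routed = routed_prefix(client_endpoint)
    if lan.network.prefixlen != 64:
        return "LAN prefix length must be 64 for SLAAC (radvd)"
    if lan.ip in tunnel:
        return "LAN address is on the point-to-point tunnel /64, not the routed /64"
    if lan.ip not in routed:
        return "LAN address %s is outside the routed prefix %s" % (lan.ip, routed)
    return None

def radvd_conf(lan_iface, prefix):
    """radvd.conf stanza in the same shape the thread uses."""
    return ("interface %s {\n    AdvSendAdvert on;\n    prefix %s {\n"
            "        AdvOnLink on;\n        AdvAutonomous on;\n    };\n};\n"
            % (lan_iface, prefix))

def ip_commands(server_v4, local_v4, client_endpoint, lan_iface="eth0", tun="henet"):
    """iproute2 commands as in the thread (endpoint on the tunnel, routed ::1
    on the LAN, as in the working /etc/network/interfaces), plus the
    forwarding sysctl a Linux router needs (assumption: Linux host)."""
    routed = routed_prefix(client_endpoint)
    lan_addr = "%s/64" % (routed.network_address + 1)
    return [
        "ip tunnel add %s mode sit remote %s local %s ttl 64" % (tun, server_v4, local_v4),
        "ip link set %s up" % tun,
        "ip link set mtu 1280 dev %s" % tun,
        "ip -6 addr add %s dev %s" % (client_endpoint, tun),
        "ip -6 addr add %s dev %s" % (lan_addr, lan_iface),
        "ip -6 route add 2000::/3 dev %s" % tun,
        "sysctl -w net.ipv6.conf.all.forwarding=1",
    ]
```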
-
Well, it works, but it seems the firewall blocks the incoming ping6s from my tunnel provider, so the provider flags my tunnel as down. Any workaround for this?
-
Well, it works, but it seems the firewall blocks the incoming ping6s from my tunnel provider, so the provider flags my tunnel as down. Any workaround for this?
Create a rule in your firewall to allow ICMP echo requests from anywhere to your WAN.
-
Hi, I'm having some issues setting this up.
ifconfig gif0 create
ifconfig gif0 tunnel lan.ip.1.1 broker.ip.here.142 up
ifconfig interface0 inet6 IPv6:Prefix:here::1 prefixlen 64 alias
route add -inet6 default fe80::%gif0
Where it says lan.ip.1.1, is that my LAN interface's IP (192.168.0.1) or the computer's IP (192.168.0.5)?
Where it says interface0, is that my LAN interface or my WAN interface?
Where it says IPv6:Prefix:here::, do I set that to the Client IPv6 address I got from tunnelbroker.net?
Does anything need to be changed in the last line? And…
netsh interface ipv6 6to4 set state disabled
netsh interface ipv6 set privacy disabled
netsh interface ipv6 add v6v4tunnel mytbs 192.168.1.1 202.157.186.227
netsh interface ipv6 add address "Local Area Connection" 2001:db8:ff:ff::1
netsh interface ipv6 add route 2000::/3 mytbs publish=yes
Where it says 192.168.1.1, do I put my computer's IP or my LAN interface's IP?
Do I use 2001:db8:ff:ff::1, or do I replace that with the Client IPv6 address I got from tunnelbroker.net?