IPv6 configuration Help using HE Tunnel Broker (Resolved)
-
I have configured an IPv6 tunnel broker configuration using Hurricane Electric (pfSense 2.1). The tunnel is up and I can ping the far end IPv4 and IPv6 endpoints from the firewall. But from an IPv6 host on the LAN I can only ping the local IPv6 tunnel endpoint and cannot ping the far end IPv6 tunnel endpoint. I followed the instructions mentioned here exactly to configure the tunnel broker: http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker
When I browse IPv6 websites, they only see my IPv4 address and not my IPv6 address. Any help in resolving the problem is highly appreciated.
Update: from the firewall I can only ping the far end IPv6 endpoint and cannot ping any other remote IPv6 hosts. I have the correct default route and am not sure what was wrong. Here is the routing table of the firewall:
netstat -rn -f inet6 | grep gif0
default 2001:470:7:xxb::1 UGS gif0
2001:470:7:xxb::/64 link#15 U gif0
fe80::%gif0/64 link#15 U gif0
fe80::2d0:68ff:fe02:e8fb%gif0 link#15 UHS lo0
ff01::%gif0/32 fe80::2d0:68ff:fe02:e8fb%gif0 U gif0
ff02::%gif0/32 fe80::2d0:68ff:fe02:e8fb%gif0 U gif0
-
You have to provide more information.
E.g. have you configured any IPv6 firewall rules? Your posted output seems OK to me.
-
Bardelot, thanks for the quick response and here is the additional information:
- I have placed a widely open allow IPv6 rule on the LAN interface
- I also configured my LAN with the provided subnet (2001:470:81/64)
- Attaching screenshots showing the status of my setup
-
Maybe you had a bad snapshot where radvd was not working too.
I fixed that just a day or so ago. The radvd.conf was bungled so it never started.
Newer snapshots should show it under services status too.
-
databeestje, I am using the latest snapshot from Saturday evening but no luck. A Wireshark capture on the Win7 client shows me the RA traffic coming from the firewall and it seems OK. I have configured a DHCPv6 scope on the LAN interface as well as enabled the RA as "unmanaged". Thanks for your thoughts.
-
Are you missing the IPv6 default route? You should have the HE.gw selected as being the default route.
Diag routes should tell you this.
-
I see a correct IPv6 default gateway in the route table on pfSense (screenshot attached).
-
Anything in the system logs throwing a warning?
Set the log checkbox on the firewall rule on the LAN and see if it sees traffic. Try the same with a block rule on the v6 wan to see if traffic from the internet comes back.
Last resort, remove the tunnel on the HE.net and create a new one. There have been sporadic cases in the past when you couldn't get out to the internet.
-
Finally, the problem was resolved by deleting the HE tunnel and creating a new tunnel as suggested by databeestje (thanks).
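-
Added example, not part of the original thread: a small checker for the routing-table question raised above (is there an IPv6 default route, is it on the tunnel interface, and does its gateway sit inside the tunnel's on-link prefix). It assumes the four-column `netstat -rn -f inet6` layout posted in the thread; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample in the 4-column layout shown in the thread
# (Destination, Gateway, Flags, Netif). 2001:db8::/32 is the documentation
# prefix, standing in for the redacted tunnel /64.
SAMPLE = """\
default               2001:db8:7:2b::1   UGS  gif0
2001:db8:7:2b::/64    link#15            U    gif0
fe80::%gif0/64        link#15            U    gif0
ff02::%gif0/32        fe80::1%gif0       U    gif0
"""


def parse_routes(text):
    """Split each route line into (destination, gateway, flags, netif)."""
    return [tuple(p[:4]) for p in (l.split() for l in text.splitlines())
            if len(p) >= 4]


def check_tunnel_routing(text, tunnel_if="gif0"):
    """Return a list of problems; an empty list means local routing is sane."""
    routes = parse_routes(text)
    defaults = [r for r in routes if r[0] == "default"]
    if not defaults:
        return ["no IPv6 default route"]
    _, gw, flags, netif = defaults[0]
    problems = []
    if netif != tunnel_if:
        problems.append(f"default route uses {netif}, not {tunnel_if}")
    if not {"U", "G"} <= set(flags):
        problems.append(f"default route flags {flags} lack U (up) or G (gateway)")
    # Global prefixes that are directly connected on the tunnel interface.
    onlink = []
    for dest, gateway, _, rif in routes:
        if rif == tunnel_if and gateway.startswith("link#") and "%" not in dest:
            try:
                onlink.append(ipaddress.ip_network(dest, strict=False))
            except ValueError:
                pass  # header or unparseable line
    try:
        gw_addr = ipaddress.ip_address(gw)
    except ValueError:
        return problems + [f"gateway {gw} is not a plain IPv6 address"]
    if not any(gw_addr in net for net in onlink):
        problems.append(f"gateway {gw} is not inside an on-link {tunnel_if} prefix")
    return problems


if __name__ == "__main__":
    print(check_tunnel_routing(SAMPLE) or "local IPv6 routing looks consistent")
```

An empty result only rules out the local routing table; as in this thread, the fault can still lie in firewall rules or on the tunnel provider's side.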