[ER] IPv4 DHCP WAN interface and Tunnelbroker IPv6 tunnel

rcfa · Jun 7, 2012, 8:21 AM

When getting a tunnel from HE's free tunnelbroker service, one has to give the public IPv4 address of the end point.
My WAN interface, however, is DHCP, and thus bound to change. HE also seems to have some sort of mechanism that allows to automatically change the IP address for the endpoint, when it changes, by going to some sort of URL with the credentials, etc. as part of the URL.

Does pfSense support that function? I bet there would be more people who'd like that.

Right now my workaround is to tunnel the tunnel through my IPv4 IPSec link, so I can give it my public IPv4 address, which is fixed, but the ping times through that detour are of course rather abysmal… (almost 100ms, compared to around 10ms when I ping the IPv6 tunnel server directly from my WAN interface).

It would be awesome if I could tunnel directly, without going through the already retarded IPv4 setup I have to use.

rcfa · Jun 7, 2012, 8:20 AM

Here just a quote of what i'm referring to: http://ipv6.he.net/certification/faq.php

My IPv4 endpoint address is dynamic. Can I still create a tunnel? If yes, what do I need to do when my IP address changes?

Yes, you can still create a tunnel even if you are using a dynamic IPv4 endpoint address. If your IPv4 endpoint address changes, you can either login to the tunnelbroker.net page and update your IPv4 endpoint address or use http://ipv4.tunnelbroker.net/ipv4_end.php which is designed to be used to update your IPv4 endpoint address.

jimp · Jun 7, 2012, 3:14 PM

It's in dyndns, and works great. Add the he.net tunnelbroker dyndns entry, feed it your tunnel id and such, and it keeps it updated.

Sure it's not DynDNS per se, but the functionality is identical to one so that was the best fit.

I have a PPPoE WAN and a DHCP WAN and it keeps both my tunnels up fine.

allpoints · Jun 7, 2012, 4:53 PM

My ISP's DHCP hands out IPs based on mac addresses, so my dynamic IPs have remained unchanged for years because it's trivial to spoof the mac addresses of WAN nics in pfSense. ;D

rcfa · Jun 8, 2012, 12:43 AM

@allpoints:

My ISP's DHCP hands out IPs based on mac addresses, so my dynamic IPs have remained unchanged for years because it's trivial to spoof the mac addresses of WAN nics in pfSense. ;D

Well, I'm on FiOS, and the DCHP address tends to remain the same until the ONT is power-cycled, so it's rather long lived. But that's nothing I can rely on, because we do get power outages occasionally, and usually when I'm not present… (Murphy & Co.)

rcfa · Jun 8, 2012, 12:55 AM

@jimp:

It's in dyndns, and works great. Add the he.net tunnelbroker dyndns entry, feed it your tunnel id and such, and it keeps it updated.

Sure it's not DynDNS per se, but the functionality is identical to one so that was the best fit.

I have a PPPoE WAN and a DHCP WAN and it keeps both my tunnels up fine.

Indeed it works great, and since I now can use the WAN instead of the LAN as local end-point address, and hence have totally different packet routing, the latency went down to 30-40ms rather than the 80-100ms I had before. So that's awesome!

While the location for that setting may make sense in some ways, it so far divorced from the set up of the tunnel itself, that I'd never would have thought of looking there.

I would think it would be much better an advanced option on the GIF interface setup itself. At the very least, there should be a little hint on the GIF editing page that says where it can be found.
I mean to me, the current setup is a bit like setting up my e-mail client on the PPP settings page, because both use CHAP authentication or something like that ;)

I mean I'm super glad to have all you knowledgeable people here on the forum, but otherwise I'd just have thought it's not possible, and in the long term it wastes a lot of people's time when people like me keep asking the same questions over and over….

jimp · Jun 8, 2012, 12:38 PM

I'll look into adding a note on the gif page, but gif tunnels can be used for so many things besides he.net that (though useful) it may be somewhat out of place there, but a note probably wouldn't hurt anything.

I did just add it to the tunnel setup doc here though:
http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker

rcfa · Jun 8, 2012, 8:00 PM

@jimp:

I'll look into adding a note on the gif page, but gif tunnels can be used for so many things besides he.net that (though useful) it may be somewhat out of place there, but a note probably wouldn't hurt anything.

Cool. I'm aware that GIF does a bit more than just that. On the other hand, there might be other tunnels that at some point required dynamic endpoints, so then dynamic endpoint management would be a section, with one option being the he.net thing.
But a note would certainly be useful, because particularly once 2.1 gets released, I bet lots of people will want to experiment with IPv6 who have as little experience with it as I do, and they are likely to sign up with he.net to do so.

@jimp:

I did just add it to the tunnel setup doc here though:
http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker

Great! Thanks!

jimp · Jun 13, 2012, 6:47 PM

Added a note

https://github.com/bsdperimeter/pfsense/commit/b835b1faffe90b7dcb2e6ef9ce846998074d696a