IPv6 with Hurricane Electric Tunnel Broker - Documentation out of date



  • Hi,
    I am using 2.3.3-RELEASE-p1 (amd64)  and have been trying to follow the documentation pointed to by Hurricane Electric but it is not appropriate to my release as there are some major differences. This has left me with a half configured HE tunnel as I am not sure exactly what to do.
    Is there anyone who is running 2.3.3-RELEASE-p1 (amd64) and a Hurricane Electric Tunnel that can walk me through the steps I need?
    Apart from being disabled I am also partially sighted and need good, easy documentation to follow, rather than having to try and pull ideas from numerous sources.

    Thank you to any kind soul, prepared to help.
    Kind regards,
    jB


  • Rebel Alliance Global Moderator

    I can take a look at the docs and update anything on the pfsense wiki sure.

    Please point out the doc HE is pointing to or you're looking at.  Have not looked at it in a while but it's pretty basic.. prob could just use a bit of refresh on some screenshots, etc.  The basics would still be the same..

    You're talking about this right?
    https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

    Yeah just read through it and all the basics are still the same just some outdated images is all..

    Have to run some errands but when I get back I will update the images and doublecheck all the wording.



  • Hi johnpoz,
    Thank you very much..
    Regards,
    jB


  • Rebel Alliance Global Moderator

    Ok I updated it.. But there really was nothing changed other than how it looks.. I mean really - that was still valid on how it's done.. If you could not figure it out from those instructions??

    What exactly is not working??



  • Thank you for the update.
    As I am partially sighted I was relying on the pictures rather than words which I also tend to forget easily.
    With a picture I can do a comparison to see what needs to be done.
    Also if really stuck, my wife can help me, she too needs pictures as she is still trying to come to terms with why windows 3.1 was scrapped and especially word 2!!!

    I will start from the beginning again and if I get stuck will post my progress here…

    Appreciate your support.
    Kind regards and thanks,
    jB  8)


  • Rebel Alliance Global Moderator

    Ah – that makes more sense now..  Thanks for killing my curiosity cat..

    Yeah if you run into any issues - just let me know.. Happy to post BIGGER pictures if that helps, etc.



  • Haven't done it yet so was going to say thanks then but will say many thanks now so I don't appear rude.
    Thank you



  • @johnpoz

    Quick question:
    I have the following setup:

    • WAN over PPPoE that offers both IPv4 and IPv6 (::/64)
    • LAN (IPV4 DHCP, IPv6 using track WAN)
    • LAN2 (different VLAN) - IPv4 DHCP

    I tried to set up an HE.NET IPv6 TunnelBroker, and when setting up the IPv6 static IP on LAN2 (following the article: https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker), I get IP address overlapping - a bit normal since both IP addresses in the guide are in the same /64 if I read correctly.
    Any idea ? Is my scenario even supported ?

    Thanks,
    Andy.



  • Instead of this :
    @pbnet:

    • WAN over PPPoE that offers both IPv4 and IPv6 (::/64)
    • LAN (IPV4 DHCP, IPv6 using track WAN)

    make your scenario look like this :

    • WAN over PPPoE that offers IPv4 only.
    • LAN (static IPV4 Ip - having the DHCP server dealing out the IPv4 on LAN).

    Now, apply the  https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

    Your case is : dealing with a /64 from he.net and a /64 from your ISP. Probably possible (but why ?).



  • Thanks Gertjan.

    Well, if I get a /48 or /56 from HE.NET it will probably work.
    Why: because I have 2 VLANs and would like to have IPv6 on both VLANs, which I can't do with a /64 from my ISP.
    I'm open to any suggestions.

    Thanks,
    Andy.



  • Ah, ok. I understand now.

    When my ISP becomes IPv6-minded they will probably also pass along just a /64 - just for one LAN segment. I'm using my second LAN == OPT1 only for captive portal access, and the captive portal isn't IPv6 ready yet.

    I'll be having the same question as you do now in the future.
    I'd be glad to help, but : impossible to activate 2 he.net accounts on a same (WAN) IPv4 so I can add one /64 (first /64) to LAN and the second account to OPT1 (second interface).

    You could do this :
    Use the /56 from he.net.
    From this /56, use the first /64 for LAN, the second /64 for your next interface.
    This means not using the IPv6 facilities from your ISP.

    Btw : still, I guess it's possible to assign the /64 from your ISP to LAN, and a /64 from he.net to your second interface.


  • Rebel Alliance Global Moderator

    That ISPs would give out only 1 /64 is asinine… They should at min give out a /60, but you know you could make an argument that any site should get a /48.  According to Arin policy a site is a building - so your home should get a /48..

    https://www.arin.net/policy/nrpm.html
    ARIN Number Resource Policy Manual

    6.5.8.2.1. Standard sites
    A site is a discrete location that is part of an organization’s network.

    An organization may request up to a /48 for each site in its network

    It's not like there is an issue with available space...

    To be honest I would forget your ISP even supports ipv6 if they are not going to do it correctly.  Can you not request a different prefix size? /56 or /60?  If not then forget them and just use HE..  Little reason to use /64 and /48 from Arin unless you wanted to use the HE /64 for your guest segment and all your others out of your /48...

    So a /24 prefix is the min isp allocation.. You're talking 16,777,216 /48's why are they giving you 1 /64??  Not like they can not get bigger than /24  If they gave you /56 that is more than 4G sites... Come on - why are they making it difficult by giving you 1 /64.. Just plain moronic!!!



  • @johnpoz:

    That ISPs would give out only 1 /64 is asinine… ...
    .... Come on - why are they making it difficult by giving you 1 /64.. Just plain moronic!!!

    Oh, man, I understand that so well.
    I just forwarded your message to the main support forum of Orange, the biggest ISP in France and Europe (120 million ++ clients).
    They just started to implement IPv6 a couple of months ago …
    At least 30 million boxes have hardware that can't operate with IPv6 (chips are IPv4 hard wired).
    10 $ for each new box  - 20 $ for shipping and handling (can't outsource that one to a low salary country ^^).

    I guess I will be using he.net for a long time  :)



  • @Gertjan

    I know how it is…
    I have a /64 for about 3 years now, since Digi (the main ISP in Romania) provides it.
    Sadly, the move to /56 will come sometime this year (no timeline defined).

    Now back to our sheep (revenons a nos moutons :) )...
    I can't seem to find a way to assign the /64 from Hurricane Electric to the second VLAN I have.
    I only have a LAN tab, that points to VLAN1 and I need to get HE's V6 to VLAN2 (that is on a different NIC Card).

    If I can't figure it out, I'll probably send them an e-mail.

    @Community: any ideas on how to assign a specific NIC to HE V6 ?

    Thanks,
    Andy



  • @Community: any ideas on how to assign a specific NIC to HE V6 ?

    Assign interfaces to your liking from the console menu (option 1) or do it from the webgui (Interfaces->Assignments). Then make sure the interface where you want to use the /64 prefix is enabled (Interfaces-><name>->"Enable"). Then set the IPv6 configuration type for the interface to "Static IPv6" and assign an address from the /64 prefix to it, any address is fine but people usually use the ::1 address from the prefix for the interface on the router.
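
The addressing plan discussed in the posts above (one /64 per interface out of a routed /48 or /56, with ::1 on the router side), as an added example that is not part of the original thread. The function name `plan_segments` and the 2001:db8:: documentation prefixes are assumptions made for illustration.

```python
import ipaddress

def plan_segments(routed_prefix, segments, in_use=()):
    """Give each named interface its own /64 out of a routed IPv6 prefix.

    in_use lists addresses/networks already configured on other interfaces;
    any /64 overlapping one of them is skipped, which avoids the
    "address overlapping" error described earlier in the thread.
    Returns {name: (network, router_address)} with ::1 as the router address.
    """
    routed = ipaddress.ip_network(routed_prefix)
    if routed.version != 6 or routed.prefixlen > 64:
        raise ValueError("need an IPv6 prefix of /64 or shorter")
    taken = [ipaddress.ip_network(n, strict=False) for n in in_use]
    # Lazily walk the /64s so a /48 (65,536 of them) is not expanded up front.
    free = (net for net in routed.subnets(new_prefix=64)
            if not any(net.overlaps(t) for t in taken))
    plan = {}
    for name in segments:
        net = next(free, None)
        if net is None:
            raise ValueError(f"{routed} has no free /64 left for {name}")
        plan[name] = (net, net.network_address + 1)
    return plan

if __name__ == "__main__":
    # Constructed values: 2001:db8::/32 is the documentation range,
    # standing in for a routed /48 from the tunnel broker.
    plan = plan_segments("2001:db8:1234::/48", ["LAN", "VLAN2"],
                         in_use=["2001:db8:1234::1/64"])
    for name, (net, addr) in plan.items():
        print(f"{name}: Static IPv6 {addr}/64 (segment {net})")
    # A single /64 cannot serve two segments.
    try:
        plan_segments("2001:db8:1234:5::/64", ["LAN", "VLAN2"])
    except ValueError as err:
        print("single /64:", err)
```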



  • @kpa

    Here comes the issue… I cannot have 2 default gateways.
    If I follow the article https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker and put interface OPT as default gateway, the clients from VLAN1 won't be able to use my ISP's IPv6.

    OPT2_TUNNELV6        OPT2  2001:470:1f1a:699::1  2001:470:1f1a:699::1  Interface OPT2_TUNNELV6 Gateway
    WAN_DHCP6 (default)  WAN   fe80::1               fe80::1               Interface WAN_DHCP6 Gateway
    WAN_PPPOE (default)  WAN   10.0.0.1              10.0.0.1              Interface WAN_PPPOE Gateway

    Thanks,
    Andy



  • @pbnet:

    Here comes the issue… I cannot have 2 default gateways.

    That's not an issue, that is normal. If you have more than one gateway for an address family you need to do policy based routing.

    https://doc.pfsense.org/index.php/What_is_policy_routing



  • @Grimson:

    @pbnet:

    Here comes the issue… I cannot have 2 default gateways.

    That's not an issue, that is normal. If you have more than one gateway for an address family you need to do policy based routing.

    Would static routing work ?

    Thanks,
    Andy



  • @pbnet:

    @Grimson:

    @pbnet:

    Here comes the issue… I cannot have 2 default gateways.

    That's not an issue, that is normal. If you have more than one gateway for an address family you need to do policy based routing.

    Would static routing work ?

    Thanks,
    Andy

    It would but it's very difficult to configure properly because the only way to differentiate the routes is the destination address. Policy routing is much more flexible.

    On top of that if you have only your normal IPv4 WAN connection and an IPv6 tunnel from HE (why would you even consider using another IPv6 connection in addition to your HE tunnel?) there is no overlap between the connections and there is no need to do either static routing or policy routing.


  • Rebel Alliance Global Moderator

    I know who Orange is ;)  I have done quite bit of networking back in the day in France..  Oh those were fun projects!!!  Had one in Monaco during Grand Prix - I could hear the cars going by.  But was on such a short schedule didn't even get to see them.. Arrggh ;)

    Anyhoo.. So simple AAAA query to www.orange.fr to find a small chunk of their ipv6 space… I am sure they have multiple prefixes, prob even larger ones..

    They own a /19 for sure... They prob have multiple other blocks..

    inet6num:       2a01:c000::/19
    netname:        FR-TELECOM-20051230
    country:        FR
    org:            ORG-FT2-RIPE

    So a /19 equates to 536,870,912 /48's....  WTF why would they only give out /64 to their users even if they had 500 Million of them..

    If they wanted to be stingy ok.. That 1 /19 they own has 137,438,953,472 /56's in it..  Yes that is 137 Billion!!!  So more than 17x the number of people on the planet...  That an ISP would not allow a customer to request a prefix of at least /56 is just plain stupid.. And whoever is designing their ipv6 space doesn't have a freaking clue!!

    They clearly do not understand the size of ipv6.. With the current very very small portion of the total IPv6 that has been allocated for use.. You could give out 4000 some /48's to every person on the planet... An ISP should give you a /48 and let you slice that up how you want.. There is zero reason to limit a customer to 1 /64..  Which makes it impossible for the customer to segment their network..



  • @kpa:

    On top of that if you have only your normal IPv4 WAN connection and an IPv6 tunnel from HE (why would you even consider using another IPv6 connection in addition to your HE tunnel?)

    I'm not the person you were replying to, but speaking for myself, I see things like this on my HE tunnel all the time:

    Feb 12 14:00:45 	dpinger 		OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 33734us stddev 19534us loss 21%
    Feb 12 14:00:58 	dpinger 		OPT3V6_TUNNELV6 2001:470:7:117e::1: Clear latency 33166us stddev 19392us loss 20%
    Feb 13 10:51:11 	dpinger 		OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 28309us stddev 9549us loss 22%
    Feb 13 10:51:12 	dpinger 		OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 605795us stddev 2656495us loss 19%
    Feb 13 10:52:07 	dpinger 		OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 137034us stddev 756717us loss 12%
    Feb 13 10:52:11 	dpinger 		OPT3V6_TUNNELV6 2001:470:7:117e::1: Clear latency 33363us stddev 17753us loss 7%
    

    My homelab setup is much simpler than pbnet's, in that right now it's just one IPv4 through my ISP, and one IPv6 tunnel via HE.  But due to the regular latency spikes, I'm considering trying to figure out how to set up some kind of multi-WAN thing, using my ISP's own IPv6 as the other uplink.  The issue is that my ISP's IPv6 is hilariously terrible, so I need to keep HE's tunnel as an option.  I think multi-WAN connections like this should be able to either failover or load-balance when the latency gets high enough to set off alarms, it's just I haven't had the time and energy to make the attempt.

    So anyhow, that's just one example of why somebody might need a connection in addition to the tunnel.
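
A way to measure how long and how bad those gateway alarms are before deciding on failover, as an added example that is not part of the original post. It pairs each dpinger Alarm with the following Clear per gateway; the sample lines are the ones quoted above with whitespace normalized, and the function name `episodes` and the `year` argument (syslog lines carry no year) are assumptions.

```python
import re
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dpinger\s+(?P<gw>\S+)\s+(?P<ip>\S+):\s+"
    r"(?P<state>Alarm|Clear)\s+latency\s+(?P<lat>\d+)us\s+"
    r"stddev\s+(?P<sd>\d+)us\s+loss\s+(?P<loss>\d+)%")

# Log lines from the post above, whitespace normalized.
SAMPLE = """\
Feb 12 14:00:45 dpinger OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 33734us stddev 19534us loss 21%
Feb 12 14:00:58 dpinger OPT3V6_TUNNELV6 2001:470:7:117e::1: Clear latency 33166us stddev 19392us loss 20%
Feb 13 10:51:11 dpinger OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 28309us stddev 9549us loss 22%
Feb 13 10:51:12 dpinger OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 605795us stddev 2656495us loss 19%
Feb 13 10:52:07 dpinger OPT3V6_TUNNELV6 2001:470:7:117e::1: Alarm latency 137034us stddev 756717us loss 12%
Feb 13 10:52:11 dpinger OPT3V6_TUNNELV6 2001:470:7:117e::1: Clear latency 33363us stddev 17753us loss 7%
""".splitlines()

def episodes(lines, year=2018):
    """Return (closed, still_open) alarm episodes, one dict per episode."""
    open_eps, closed = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a dpinger alarm/clear line
        # The year is an assumption: syslog timestamps do not include one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        gw = m["gw"]
        if m["state"] == "Alarm":
            ep = open_eps.setdefault(gw, {
                "gateway": gw, "start": ts, "alarms": 0,
                "peak_latency_us": 0, "peak_loss_pct": 0})
            ep["alarms"] += 1
            ep["peak_latency_us"] = max(ep["peak_latency_us"], int(m["lat"]))
            ep["peak_loss_pct"] = max(ep["peak_loss_pct"], int(m["loss"]))
        elif gw in open_eps:  # a Clear closes the open episode
            ep = open_eps.pop(gw)
            ep["seconds"] = int((ts - ep["start"]).total_seconds())
            closed.append(ep)
    return closed, list(open_eps.values())

if __name__ == "__main__":
    done, pending = episodes(SAMPLE)
    for ep in done:
        print(f"{ep['start']:%b %d %H:%M:%S} {ep['gateway']}: {ep['seconds']}s, "
              f"{ep['alarms']} alarm(s), peak latency {ep['peak_latency_us']}us, "
              f"peak loss {ep['peak_loss_pct']}%")
    print("still in alarm:", [ep["gateway"] for ep in pending])
```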


 
