IPv6 over IPv4 Tunneling
-
https://docs.netgate.com/pfsense/en/latest/interfaces/using-ipv6-with-a-tunnel-broker.html
did you follow this doc?
-
@kiokoman said in IPv6 over IPv4 Tunneling:
https://docs.netgate.com/pfsense/en/latest/interfaces/using-ipv6-with-a-tunnel-broker.html
did you follow this doc?
No, because I'm not trying to terminate the tunnel at pfsense; I am trying to pass the tunnel on to a VM behind pfsense.
-
Then I think there is nothing to do in the pfsense except open the traffic to and from the gif remote address.
-
@kiokoman said in IPv6 over IPv4 Tunneling:
Then I think there is nothing to do in the pfsense except open the traffic to and from the gif remote address.
There is the IPv6 over IPv4 Tunneling option that I linked to the documentation about in the first post. But the documentation is unclear about how this is supposed to work and now I am running into these php errors.
I have tried manually setting up a NAT rule and firewall rule for protocol 41 but I get the same result. I can only use the tunnel if I ping out from it first.
-
It's not your case; pfsense will not see IPv6 traffic if you end the tunnel in a different machine. You need to NAT everything (ICMP first; the tunnel will not activate if there is no response to ICMP, as per the he.net instructions) from the gif remote address to the VM. After that you need to configure IPv6 rules in a firewall in the VM.
-
@kiokoman said in IPv6 over IPv4 Tunneling:
It's not your case; pfsense will not see IPv6 traffic if you end the tunnel in a different machine. You need to NAT everything (ICMP first; the tunnel will not activate if there is no response to ICMP, as per the he.net instructions) from the gif remote address to the VM. After that you need to configure IPv6 rules in a firewall in the VM.
Yes, it is my case. As per the pfsense documentation that I linked:
"The Enable IPv4 NAT encapsulation of IPv6 packets option enables IP protocol 41/RFC 2893 forwarding to an IPv4 address specified in the IP address field.
When configured, this forwards all incoming protocol 41/IPv6 traffic to a host behind this firewall instead of handling it locally."
Which agrees with what HE says about being behind a router/firewall that correctly passes protocol 41. This is the option I want but the documentation doesn't explain how to configure it fully.
My firewall responds to pings, I had no issue getting the tunnel created and I have no issue talking across it from my side. Something is not working right in my pfsense with those errors I am getting.
-
Maybe I remember wrong because I had done something similar a long time ago. Now I will configure a new VM and check for you.
-
@kiokoman said in IPv6 over IPv4 Tunneling:
Maybe I remember wrong because I had done something similar a long time ago. Now I will configure a new VM and check for you.
And I have tried making my own NAT rules to forward the IPv6 protocol from the HE endpoint to my WAN, redirecting to the internal IP, but it does nothing. But I don't know what is broken with my pfsense from these errors I am getting and I do not want to reboot it right now.
-
Here it is.
You need to put the VM IP inside.
Sorry for the late reply, I had to do it in my office because at home I have only a notebook with VirtualBox that does not do bridging with my wireless card.
-
@kiokoman said in IPv6 over IPv4 Tunneling:
Here it is.
You need to put the VM IP inside.
Sorry for the late reply, I had to do it in my office because at home I have only a notebook with VirtualBox that does not do bridging with my wireless card.
Thanks for the confirmation. That's how I originally had it configured.
What firewall rules did you add?
This still doesn't help me as any config changes on that Advanced - Networking page result in the error I posted above. Something is broken in pfsense. How do I report this?
I worked around the issue by creating a cron job to ping out the tunnel every 5 minutes. This keeps the NAT/Firewall states alive.
-
Hi,
So I saw your thread, and let me say the pfSense TunnelBroker configuration is pretty straightforward; I had it working in 10 minutes. - https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker
Secondly, you don't need to select the option "Enable IPv6 over IPv4 tunnelling" - that is wrong, and that IP there (on the screenshot) is wrong. Stick to the documentation. Follow the steps and you'll have it working pronto. If you are configuring things out of your hat because you "feel it" ... that's how it breaks; you have a bunch of settings that have no place here, thus it doesn't work.
- Create a GIF Interface, parent interface WAN, configure with the information provided by HE.
- Assign the GIF interface and enable it, set as default.
- Configure LAN and DHCPv6 / RA
- Add traffic rules
BTW it doesn't say so in the docs, but pfSense created the GATEWAY automatically for WAN IPv6, so just confirm you're all set.
Instead of Manual NAT, select HYBRID, and it's as easy as eating cake. Have fun.
EDIT (after reading other replies more carefully): if you are trying to configure the IPv6 termination on your VM, then you have no business to configure anything on the pfSense but the IPv6 tunnelling AND firewall rules for IPv6 protocol, and then just configure everything else on the VM.
-
@maverickws
that was my first suggestion.
You need to read the conversation. That is a valid tutorial if you end the tunnel at the pfsense machine; he needs to transport it out of the pfsense and into a virtual machine. He does not want IPv6 to be managed by pfsense.
@Bun-Bun
I had opened all the ports for the test.
If you have php errors, that is not normal. I suggest you start over with a clean pfsense installation.
-
@kiokoman yes, you are right, I did not read it through, and after I read it more carefully I added an edit for it.
Anyway, in that regard the IPv6 over IPv4 tunnelling is OK, but firewall rules to allow protocol 41 traffic must still be added, otherwise it won't work.
It's not enough to just select that option (the enable tunnelling).
-
@maverickws said in IPv6 over IPv4 Tunneling:
@kiokoman yes, you are right, I did not read it through, and after I read it more carefully I added an edit for it.
Anyway, in that regard the IPv6 over IPv4 tunnelling is OK, but firewall rules to allow protocol 41 traffic must still be added, otherwise it won't work.
It's not enough to just select that option (the enable tunnelling).
I've enabled the option and added all the firewall rules that I can think of, as I explained in my first post. And the one rule I made does match the state that gets created, but after it times out I lose connectivity until I start communicating from my end again. Telling me the inbound NAT isn't working.
And see the error I am getting in the first post.
As long as I ping out from my end, the states get configured and stay alive and it works. It's just frustrating that the documented feature isn't working.
-
You don't need to configure NAT for this.
The rule you need is a Pass on the WAN interface (Firewall > Rules > WAN). I believe allow any to any or any to host, and on protocol (not address family) you select IPv6. I think that's it.
-
@maverickws said in IPv6 over IPv4 Tunneling:
You don't need to configure NAT for this.
The rule you need is a Pass on the WAN interface (Firewall > Rules > WAN). I believe allow any to any or any to host, and on protocol (not address family) you select IPv6. I think that's it.
Yes, I did that. Protocol IPv4 IPV6, Source any, Destination (tried any or my VM IP), and this rule does match the state that is created when I ping out. But still, after it times out, incoming connections are dropped and don't show up in the firewall logs. So it's inbound NAT that isn't working, and I suspect it has to do with that error I'm getting in the original post.
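-
Added example, not part of the thread and not pfSense code: one way to check whether inbound protocol 41 packets seen on WAN are actually being forwarded to the VM, by parsing raw IPv4 packets from two captures (WAN side and LAN side) and listing the ones with no forwarded copy. The function names, the matching on inner IPv6 addresses only, and all addresses (documentation ranges plus a made-up VM IP) are assumptions for illustration.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IPv4 protocol number carrying encapsulated IPv6

def build_6in4(outer_src, outer_dst, inner_src, inner_dst):
    """Build a minimal constructed 6in4 packet (header checksum left at 0)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # 59 = no next header
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        PROTO_6IN4, 0)
    outer += ipaddress.IPv4Address(outer_src).packed
    return outer + ipaddress.IPv4Address(outer_dst).packed + inner

def parse_6in4(pkt):
    """Return outer/inner addresses of a raw 6in4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length, options included
    if ihl < 20 or pkt[9] != PROTO_6IN4 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None
    return {"outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
            "inner_dst": str(ipaddress.IPv6Address(inner[24:40]))}

def unforwarded(wan_pkts, lan_pkts, broker_ip, vm_ip):
    """Inbound tunnel packets seen on WAN with no forwarded copy on LAN."""
    def key(p):
        return (p["inner_src"], p["inner_dst"])
    seen_on_lan = {key(p) for p in map(parse_6in4, lan_pkts)
                   if p and p["outer_src"] == broker_ip
                   and p["outer_dst"] == vm_ip}
    return [p for p in map(parse_6in4, wan_pkts)
            if p and p["outer_src"] == broker_ip and key(p) not in seen_on_lan]

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, not from the thread.
    wan = [build_6in4("192.0.2.1", "198.51.100.7", "2001:db8::1", "2001:db8:1::2"),
           build_6in4("192.0.2.1", "198.51.100.7", "2001:db8::9", "2001:db8:1::2")]
    lan = [build_6in4("192.0.2.1", "10.0.0.20", "2001:db8::1", "2001:db8:1::2")]
    for p in unforwarded(wan, lan, "192.0.2.1", "10.0.0.20"):
        print("not forwarded:", p["inner_src"], "->", p["inner_dst"])
```

A non-empty result while the tunnel is idle matches the symptom described above: the packet reaches WAN but no translated copy appears on the LAN side.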