IPv6 over IPv4 Tunneling
-
Trying to get this to work, documentation is super unclear.
Check "IPv6 over IPv4 Tunneling"
Field pops up "IPv4 address of Tunnel Peer" What address goes here? The tunnelbrokers endpoint? My WAN IP? My behind NAT IP?
While testing different IPs here, I got into a situation were that checkbox doesn't take. I click the checkbox and click save and it gives the usual page has been saved prompt but if I leave and come back it is unchecked. And if I uncheck without leaving and coming back I get the following error.
"Fatal error: Uncaught Error: Cannot unset string offsets in /usr/local/www/system_advanced_network.php:112 Stack trace: #0 {main} thrown in /usr/local/www/system_advanced_network.php on line 112 PHP ERROR: Type: 1, File: /usr/local/www/system_advanced_network.php, Line: 112, Message: Uncaught Error: Cannot unset string offsets in /usr/local/www/system_advanced_network.php:112 Stack trace: #0 {main} thrown"
Also the documentation says firewal rules need to be made. What rules? And the GUI says "IPv6 firewall rules are also required, to control and pass encapsulated traffic." but again what do those look like? I can't make IPv6 rules to IPv4 addresses (which is what I have) and I tried setting IPv4 with protocol IPV6 with source as tunnelbroker endpoint and destination my internal IP and it did match a state for traffic while I was pinging but the issue is i'm finding I can't use this tunnel unless I keep pinging from my side. Traffic stops for 15 minutes and everything stops coming through. I don't see any blocks in firewall the packets are just being dropped.
So how do I get past the above error, what IP goes in the tunnel peer field and what firewall rules do I actually need? Or is this setup completely broken and unsupported?
-
@Bun-Bun said in IPv6 over IPv4 Tunneling:
"IPv6 over IPv4 Tunneling"
who is supplying the tunnel to you? Hurricane ?
-
@kiokoman said in IPv6 over IPv4 Tunneling:
@Bun-Bun said in IPv6 over IPv4 Tunneling:
"IPv6 over IPv4 Tunneling"
who is supplying the tunnel to you? Hurricane ?
Yes it is an HE tunnel.
-
https://docs.netgate.com/pfsense/en/latest/interfaces/using-ipv6-with-a-tunnel-broker.html
did you follow this doc?
-
@kiokoman said in IPv6 over IPv4 Tunneling:
https://docs.netgate.com/pfsense/en/latest/interfaces/using-ipv6-with-a-tunnel-broker.html
did you follow this doc?
No because I'm not trying to terminate the tunnel at pfsense I am trying to pass the tunnel onto a VM behind pfsense.
-
then i think there is nothing to do in the pfsense except open the traffic to and from the gif remote address
-
@kiokoman said in IPv6 over IPv4 Tunneling:
then i think there is nothing to do in the pfsense except open the traffic to and from the gif remote address
There is the IPv6 over IPv4 Tunneling option that I linked to the documentation about in the first post. But the documentation is unclear about how this is supposed to work and now I am running into these php errors.
I have tried manually setting up a NAT rule and firewall rule for protocol 41 but I get the same result. I can only use the tunnel if I ping out from it first.
-
it's not your case, pfsense will not see IPv6 traffic if you end the tunnel in a diferent machine. you need to nat everything (ICMP as first , the tunnel will not activate if there is no response to icmp as per he.net instruction) from the gif remote address to the vm after that you need to configure ipv6 rules in a firewall in the vm
-
@kiokoman said in IPv6 over IPv4 Tunneling:
it's not your case, pfsense will not see IPv6 traffic if you end the tunnel in a diferent machine. you need to nat everything (ICMP as first , the tunnel will not activate if there is no response to icmp as per he.net instruction) from the gif remote address to the vm after that you need to configure ipv6 rules in a firewall in the vm
Yes it is my case. As per the pfsense documentation that I linked
"The Enable IPv4 NAT encapsulation of IPv6 packets option enables IP protocol 41/RFC 2893 forwarding to an IPv4 address specified in the IP address field.
When configured, this forwards all incoming protocol 41/IPv6 traffic to a host behind this firewall instead of handling it locally."
Which agrees with what HE says about being behind a router/firewall that correctly passes protocol 41. This is the option I want but the documentation doesn't explain how to configure it fully.
My firewall responds to pings, I had no issue getting the tunnel created and I have no issue talking across it from my side. Something is not working right in my pfsense with those errors I am getting.
-
maybe i remember wrong couse i had done something similar long time ago, now i configure a new vm and check for you.
-
@kiokoman said in IPv6 over IPv4 Tunneling:
maybe i remember wrong couse i had done something similar long time ago, now i configure a new vm and check for you.
And I have tried making my own NAT rules to forward the IPV6 protocol from HE endpoint to my WAN redirect to internal IP but it does nothing. But I don't know what is broken with my pfsense from these errors I am getting and I do not want to reboot it right now.
-
here it is
you need to put the vm ip inside
sorry for the late reply, i had to do it in my office because at home i have only a notebook with virtualbox that does not do bridge with my wireless card -
@kiokoman said in IPv6 over IPv4 Tunneling:
here it is
you need to put the vm ip inside
sorry for the late reply, i had to do it in my office because at home i have only a notebook with virtualbox that does not do bridge with my wireless cardThanks for the confirmation. That's how I originally had it configured.
What firewall rules did you add?
This still doesn't help me as any config changes on that Advanced - Networking page result in the error I posted above. Something is broken in pfsense. How do I report this?
I worked around the issue by creating a cron job to ping out the tunnel every 5 minutes. This keeps the NAT/Firewall states alive.
-
Hi,
So I saw your thread and let me say pfSense TunnelBroker configuration is pretty straightforward had it working in 10 minutes. - https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker
Secondly you don't need to select the option "Enable IPv6 over IPv4 tunnelling" - that is wrong, that IP there (on the screenshot) is wrong.Stick to the documentation. Follow the steps and you'll have it working pronto. If you are configuring things out of your hat because you "feel it" ... that's how it breaks, you have a bunch of settings that have no place here, thus doesn't work.
- Create a GIF Interface, parent interface WAN, configure with the information provided by HE.
- Assign the GIF interface and enable it, set as default.
- Configure LAN and DHCPv6 / RA
- Add traffic rules
BTW it doesn't say so in the docs, but pfSense created the GATEWAY automatically for WAN IPv6, so just confirm you're all set.
Instead of Manual NAT, select HYBRID, and its easy as eating cake. Have fun.
EDIT (after reading other replies more carefully): if you are trying to configure the IPv6 termination on your VM, then you have no business to configure anything on the pfSense but the IPv6 tunnelling AND firewall rules for IPv6 protocol, and then just configure everything else on the VM.
-
@maverickws
that was my first suggestion.
you need to read the conversation, that is a valid tutorial if you end the tunnel to the pfsense machine, he need to transport it out of the pfsense and inside a virtual machine. he does not want ipv6 to be managed by pfsense.@Bun-Bun
i had opened all the port for the test
If you have php errors, that is not normal. I suggest you start over with a clean pfsense installation -
@kiokoman yes you are right I did not read it through and after I did more carefully I added an edit for it.
Anyway in that regard the IPv6 over IPv4 tunnelling is OK, but still firewall rules to allow protocol 41 traffic must be added, otherwise won't work.
It's not enough to just select that option (the enable tunnelling). -
@maverickws said in IPv6 over IPv4 Tunneling:
@kiokoman yes you are right I did not read it through and after I did more carefully I added an edit for it.
Anyway in that regard the IPv6 over IPv4 tunnelling is OK, but still firewall rules to allow protocol 41 traffic must be added, otherwise won't work.
It's not enough to just select that option (the enable tunnelling).I've enabled the option and added all the firewall rules that I can think of as I explained in my first post. And the one rule I made does match the state that gets created but after it times out I lose connectivity until I start communicating from my end again. Telling me the inbound NAT isn't working.
And see the error I am getting in the first post.
As long as I ping out from my end, the states get configured and stay alive and it works. It's just frustrating that the documented feature isn't working.
-
You don't need to configure NAT for this.
The rule you need is a Pass on the WAN interface (Firewall > Rules > WAN), I believe allow any to any or any to host and on protocol (not address family) you select IPv6 I think that's it.
-
@maverickws said in IPv6 over IPv4 Tunneling:
You don't need to configure NAT for this.
The rule you need is a Pass on the WAN interface (Firewall > Rules > WAN), I believe allow any to any or any to host and on protocol (not address family) you select IPv6 I think that's it.
Yes, I did that. Protocol IPv4 IPV6 Source any Destination (tried any or my VM IP) and this rule does match the state that is created when I ping out. But still after it times out incoming connections are dropped and don't show up in firewall logs. So it's inbound NAT that isn't working and I suspect it has to do with that error I'm getting in the original post.