Setting up an IPv6 using tunnelbroker.ch
-
Hi, everyone,
I'm trying to configure my tunnel on a pfSense setup. I followed the steps on the pfSense documentation but it didn't seem to work. In the process of setting up my WAN, I set it up as a 6rd tunnel and that successfully got an IPv6 address from my provider. However, the tunnel that I created (and the LAN interface) does not work properly. I'm not able to get an IPv6 address on any of my devices, even though I have Router Advertisement enabled.
Attached is a picture of my Interface status. For WAN, it retrieved the IPv6 Address from my tunnelbroker.ch account (as evidenced by the 2a09 prefix) and the other two are statically assigned by me (the one ending in ::2 is the client-side IPv6 address assigned by my tunnelbroker).
I'm not quite sure where to go from here. My ISP set up their IPv6 through he.net but they don't issue out any to us. So, I'm not sure if I can use the tunnel I created with them. Although I'm willing to try it (it failed on my old Netgear Router).
Thanks for any help. :)
Patrick. -
So, I decided to go a different route with this and try my Tunnelbroker.net (HE.NET) tunnel. I got it to where the Gateway is "online" but when I try to assign my LAN interface, it only lets me do a /128 because even though I have the GIF set as a /64, it assigns that as a /128 also. I'm attaching all of the pictures that I can think of here. The main issue that I'm seeing is that the configurations are different in 2.7.2 from what all of the tutorials that I'm finding show (even tutorials from 2023). So, again, I'm at a loss here as to why it's not working or what to do to fix it.
In previous versions, you could set your "Static IPv6 Address" on Interfaces WAN_V6(gif0) but you can't do that now. And even though the GIF0 is set up with the /64 prefix, it assigns a /128 to the interface--thus breaking the ability to assign other IPv6 addresses on the LAN.
Thanks for any help you can provide with this. It shouldn't be this difficult at all.
Have a great night/day. :)
Patrick. -
@patrickdickey52761 huh?
why would you need to change the wan IP.. Yeah it gives it a /128 doesn't matter.. The ip you assign to the lan would be either your routed /64 or a prefix out of your routed /48.. It wouldn't be your tunnel network..
Here - this is my tunnel network, ie gif interface
You then setup on your lan side interface(s) either the routed /64 or a prefix out of your /48
This is a prefix /64 out of the /48 that is routed to me - this is a different prefix than your tunnel network.
-
@johnpoz The issue that I'm having, and I may be messing it up (or confusing it) is my routed /64 is 11:830::/64, my client side is 10:830::2/64 and my server side is 10:830::1/64. When I assign those to the gif and choose 10:830::3 for my LAN interface, I can't create a pool at all. If I try 10:830:: or anything else, I get an error that it overlaps with the 10:830::2/128 that was created on the TUNNELWAN_V6 interface.
If I'm reading your post correctly, I need to create a second /64 (tunnel) and put that inside of my LAN interface. Using the client-side IPv6 for the LAN interface and then creating a DHCPv6 pool using that tunnel instead of the one I'm currently trying to use?
It's been about three years since I messed with this and about ten years since I put it on anything as complex as a pfsense. So, it's a bit confusing--especially when the tutorial doesn't line up with what I'm seeing, as far as the configuration screens go.
Thank you for your help. :)
Patrick. -
@patrickdickey52761 no.. you do not create another tunnel
Your routed network is not going to overlap with your tunnel network, it's a completely different prefix than your tunnel network.
If you're getting an overlap issue then you're not setting the prefix correctly.
Here, let's use some examples.. I am just going to use some fake numbers for tunnel and lan to not give away my actual IPv6 prefixes.
I would take a look here
https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html#ipv6-subnetting
You will notice a /64 uses the first 4 hexdec places.. so you have a full 128 bit IPv6 address..
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
with a /64 the first 4 would make up the network
xxxx:xxxx:xxxx:xxxx
In a /48 the first 3
xxxx:xxxx:xxxx
so in my tunnel the network is
2001:470:aaaa:bbbb::0/64
Which if you expand the :: shortcut you get
2001:0470:aaaa:bbbb:0000:0000:0000:0000
with the address of your tunnel being the :0001 and :0002 last hexnumber
now for me the /64 they route to me is
2001:0470:aaaB:bbbb:0000:0000:0000:0000
Notice the 3rd hex number incremented by 1.. the 4th hex is the same number.
But since a /64 uses all 4 of the first hex to make up the network, this is a different network.. Changing any of the last 4 hex would not be a different network.
they route both the /64 network and the /48 network down your tunnel network. Neither of these 2 networks the /64 or the /48 would overlap with your tunnel network.
I use prefixes out of my /48 which allows me to match up with my normal IPv4 networks..
So for example let's say my routed /48 is 2001:0470:cccc::/48
I use 2001:0470:cccc:0009::1/64 as my lan, which the 9 matches up with my 192.168.9.0/24 network
I use 2001:0470:cccc:0003::0/64 for my dmz network, this matches up with the 192.168.3.0/24 I use on that IPv4 network.
While the principle is the same as IPv4 with network/host that makes up the address, yes it can be confusing with the longer number and the addition of the letters in the HEX numbers..
-
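The prefix comparison explained in the post above, as an added example that is not part of the original thread: it classifies a proposed LAN interface address against the tunnel /64 and the routed prefixes, and derives a /64 from the routed /48 that mirrors an IPv4 network. The prefixes are the placeholder numbers from the post; the function names and the rule of writing the IPv4 third octet's decimal digits as the fourth group are assumptions.

```python
import ipaddress

# Placeholder prefixes taken from the post (not real allocations).
TUNNEL = ipaddress.IPv6Network("2001:470:aaaa:bbbb::/64")     # gif tunnel network
ROUTED_64 = ipaddress.IPv6Network("2001:470:aaab:bbbb::/64")  # routed /64
ROUTED_48 = ipaddress.IPv6Network("2001:470:cccc::/48")       # routed /48


def check_lan(candidate, tunnel=TUNNEL, routed=(ROUTED_64, ROUTED_48)):
    """Classify a proposed LAN interface address, e.g. '2001:470:cccc:9::1/64'."""
    iface = ipaddress.IPv6Interface(candidate)
    if iface.network.prefixlen != 64:
        return "not-a-/64"        # LAN segments here are expected to be /64
    if iface.network.overlaps(tunnel):
        return "overlaps-tunnel"  # the mistake discussed in the thread
    if any(iface.network.subnet_of(r) for r in routed):
        return "ok"               # inside a prefix routed down the tunnel
    return "not-routed"           # a /64 the broker never routed to us


def lan_from_ipv4(routed48, v4net):
    """Return the /64 in routed48 whose 4th group shows the IPv4 3rd octet.

    Assumed convention: the octet's decimal digits are written literally,
    so 192.168.9.0/24 -> :0009: and 192.168.10.0/24 -> :0010:.
    """
    if routed48.prefixlen != 48:
        raise ValueError("expected a /48")
    octet = ipaddress.IPv4Network(v4net).network_address.packed[2]
    group = int(str(octet), 16)   # read the decimal digits as hex digits
    base = int(routed48.network_address)
    # The 4th 16-bit group sits directly above the 64 interface-ID bits.
    return ipaddress.IPv6Network((base + (group << 64), 64))


if __name__ == "__main__":
    for addr in ("2001:470:aaaa:bbbb::3/64",   # inside the tunnel network
                 "2001:470:aaab:bbbb::1/64",   # routed /64
                 "2001:470:cccc:9::1/64",      # /64 carved from the routed /48
                 "2001:db8::1/64"):            # documentation prefix, not routed
        print(f"{addr:28} {check_lan(addr)}")
    for v4 in ("192.168.9.0/24", "192.168.3.0/24"):
        print(v4, "->", lan_from_ipv4(ROUTED_48, v4))
```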
@johnpoz said in Setting up an IPv6 using tunnelbroker.ch:

> @patrickdickey52761 no.. you do not create another tunnel
> Your routed network is not going to overlap with your tunnel network, it's a completely different prefix than your tunnel network.
> If you're getting an overlap issue then you're not setting the prefix correctly.
> Here, let's use some examples.. I am just going to use some fake numbers for tunnel and lan to not give away my actual IPv6 prefixes.
> I would take a look here
> https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html#ipv6-subnetting
> You will notice a /64 uses the first 4 hexdec places.. so you have a full 128 bit IPv6 address..
> xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
> with a /64 the first 4 would make up the network
> xxxx:xxxx:xxxx:xxxx
> In a /48 the first 3
> xxxx:xxxx:xxxx
> so in my tunnel the network is
> 2001:470:aaaa:bbbb::0/64
> Which if you expand the :: shortcut you get
> 2001:0470:aaaa:bbbb:0000:0000:0000:0000
> with the address of your tunnel being the :0001 and :0002 last hexnumber
> now for me the /64 they route to me is
> 2001:0470:aaaB:bbbb:0000:0000:0000:0000
> Notice the 3rd hex number incremented by 1.. the 4th hex is the same number.
> But since a /64 uses all 4 of the first hex to make up the network, this is a different network.. Changing any of the last 4 hex would not be a different network.

So, if my routed 64 was 11:830::/64, I could do something like 11:830::1 for the LAN interface and it shouldn't have an issue with my tunnel IPv6 addresses?
I think the issue that I had is that I'm trying to use my Tunnel network, instead of my routed network to create the pool.

> they route both the /64 network and the /48 network down your tunnel network. Neither of these 2 networks the /64 or the /48 would overlap with your tunnel network.
> I use prefixes out of my /48 which allows me to match up with my normal IPv4 networks..
> So for example let's say my routed /48 is 2001:0470:cccc::/48
> I use 2001:0470:cccc:0009::1/64 as my lan, which the 9 matches up with my 192.168.9.0/24 network
> I use 2001:0470:cccc:0003::0/64 for my dmz network, this matches up with the 192.168.3.0/24 I use on that IPv4 network.
> While the principle is the same as IPv4 with network/host that makes up the address, yes it can be confusing with the longer number and the addition of the letters in the HEX numbers..

Originally, I didn't have a /48 at all. While it may simplify everything since it's not tied into my /64 tunnel network (meaning the /64 isn't a subnet), I didn't need it either.
This is all food for thought. I'll probably try it out tomorrow morning after work. I had another issue pop up with the pfSense, so I had to pull it out of the network for now anyways.
Thank you again. :)
Patrick. -
@patrickdickey52761 said in Setting up an IPv6 using tunnelbroker.ch:

> Originally, I didn't have a /48 at all.

well you don't need the /48 if all you want is one lan side network.. But yeah if you want more than just lan, you would need the /48 - which gives you the possibility of 65,536 different /64 networks to use.. So I would think you would be fine ;)
-
@johnpoz THANK YOU!!!!!! I followed what you said in your longer post and I set up everything using my routed /64. Everything works as it should. I was thinking that the 10:830:: /64 was part of the 11:830::/64 network when it isn't. Your explanation cleared up everything I needed.
Have a great day. :)
Patrick. -
@patrickdickey52761 yeah understanding where the split is for prefixes can be tricky.. Glad you got it sorted.. Now what you going to do with IPv6 to be honest? I have yet to find an actual need for it.. There is not 1 single resource on the internet I would want to get to that requires IPv6 ;) It's just a play thing to be honest, I mostly just leave it off. I can turn it on with a click if need to test something..
Yeah sure if you were behind a cgnat or something and you wanted others to be able to get to some resources on your network..
But it is the future and never hurts to learn new things - If you are actually interested in ipv6, I would check out the free cert you can get from HE.. You can get a pretty nice tshirt once you get to sage level.
I still have mine from 2011 when I did it.. You would have thought IPv6 would have actually gotten somewhere by now - sadly nope.. Other than great use for the billions of phones on the planet. My isp doesn't even provide it..