Hurricane Electric Tunnel question



  • Okay, so I followed the instructions on the doc.pfsense.org wiki.  I have a tunnel according to the HE account (I even tried deleting and creating a new one, since I had created the original months ago and never used it.)  I did everything according to the HOWTO, but the tunnel shows as offline, and I can't even ping6 the other end.  If I sniff the wan interface, I see a lot of this:

    209.51.182.2 > MY_WAN_IP: ICMP 209.51.181.2 protocol 97 unreachable,

    Looking at states, I see one for the HE server, it is protocol type etherip, from my WAN to their server, as SINGLE::NO_TRAFFIC.

    Obviously, I have something missing, but darned if I can see what - I double- and triple-checked what I did per that HOWTO.  Any help appreciated, thanks!



  • Hi danswartz,

    Did you make a rule so HE can ping you? The tunnel won't come up until they can.

    -Will



  • I've always had an ICMP any rule on the WAN.  When I sniff the WAN, I don't see anything from their gateway except the unreachables :(  The one thing I had to change was that the howto says to use the "CABLE" interface for the local end.  I don't have cable (Verizon FiOS), so I used WAN instead - I assume that was right?



  • I'm running firmware from 8/12 - do I maybe need to upgrade and/or do another gitsync?



  • I thought maybe the Chicago POP was having issues, so I tried the one in Ashburn - same exact issue.  Am I really the only one who can't get this working using the instructions on the wiki?  Pending any reply to this, I have requested a static tunnel from SixXS (I already had an AYIYA tunnel), just to try to eliminate HE as an issue.



  • Now, I'm really in WTF territory.  SIXXS approved my new static tunnel, so I add it.  I go to the dashboard, and…  Both tunnels are now live.  So, I then delete the SIXXS tunnel, and...  The HE.net tunnel is now offline and I can't ping the other side.  Something is badly broken here :(



  • Not sure what you did and the symptoms really don't ring a bell. Only thing I can think of is that FreeBSD reacts a bit wonky on the configuration of the gif interface.

    I have mine set to 128 bits on the gif interface and 126 on the OPT2 interface. Some people have more or less success with the subnet mask on the gif. Some with 64, others with 126 or 128.



  • Wonky for sure.  I deleted everything, and re-did the exact same sequence I did before (as listed in the HOWTO), only this time I went with /128 for the GIF and /126 for the OPT1, and now it works :)  Thanks :)



  • Kinda curious about the dhcp6 stuff.  I have a routed /64 from HE.  What do folks generally use for the IPv6 router advertisement mode?  What are the pros and cons?



  • We use rtadvd; you can select this on the dhcp6 server page. Unmanaged works fine if you don't need DNS and can use v4 DNS from DHCP.



  • Okay, thanks.  I gave it a try using managed, just so dns would work right.  So far, so good - I pass the test-ipv6 site :)  Great work on this!

