IPv6 configuration Help using HE Tunnel Broker (Resolved)

  • I have configured an IPv6 tunnel broker configuration using Hurricane Electric (pfSense 2.1). The tunnel is up and I can ping the far-end IPv4 and IPv6 endpoints from the firewall. But from an IPv6 host on the LAN I can only ping the local IPv6 tunnel endpoint and cannot ping the far-end IPv6 tunnel endpoint. I followed the instructions mentioned here exactly to configure the tunnel broker: http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker

    When I browse IPv6 websites, they only see my IPv4 address and not my IPv6 address. Any help in resolving the problem is highly appreciated.

    Update: from the firewall I can only ping the far-end IPv6 endpoint and cannot ping any other remote IPv6 hosts. I have the correct default route and am not sure what is wrong. Here is the routing table of the firewall:

    netstat -rn -f inet6 | grep gif0

    default                                    2001:470:7:xxb::1             UGS        gif0
    2001:470:7:xxb::/64                  link#15                             U          gif0
    fe80::%gif0/64                          link#15                             U          gif0
    fe80::2d0:68ff:fe02:e8fb%gif0     link#15                             UHS         lo0
    ff01::%gif0/32                    fe80::2d0:68ff:fe02:e8fb%gif0    U          gif0
    ff02::%gif0/32                    fe80::2d0:68ff:fe02:e8fb%gif0     U          gif0

  • You have to provide more information.
    e.g. Have you configured any IPv6 firewall rules?

    Your posted output seems ok to me.

  • Bardelot, thanks for the quick response and here is the additional information:

    • I have placed a wide-open allow IPv6 rule on the LAN interface

    • I also configured my LAN with the provided subnet (2001:470:8💤1/64)

    • Attaching screenshots showing the status of my setup

  • Maybe you had a bad snapshot where radvd was not working too.

    I fixed that just a day or so ago. The radvd.conf was bungled so it never started.
    Newer snapshots should show it under services status too.

  • databeestje, I am using the latest snapshot from Saturday evening but no luck. A Wireshark capture on the Win7 client shows me the RA traffic coming from the firewall and it seems OK. I have configured a DHCPv6 scope on the LAN interface as well as enabled the RA as "unmanaged". Thanks for your thoughts.

  • Are you missing the IPv6 default route? You should have the HE.gw selected as being the default route.

    Diag routes should tell you this.

  • I see a correct IPv6 default gateway in the route table on pfSense (screenshot attached).

  • Anything in the system logs throwing a warning?

    Set the log checkbox on the firewall rule on the LAN and see if it sees traffic. Try the same with a block rule on the v6 wan to see if traffic from the internet comes back.

    Last resort, remove the tunnel on the HE.net and create a new one. There have been sporadic cases in the past when you couldn't get out to the internet.

  • Finally, the problem was resolved by deleting the HE tunnel and creating a new tunnel as suggested by databeestje (thanks).

