IPv6 configuration Help using HE Tunnel Broker (Resolved )

netmax2k · Jun 9, 2012, 9:20 PM

I have configured ipv6 tunnel broker configuration using Hurricane electric (pfsense 2.1). Tunnel is up and I can ping the far end IPv4 and IPv6 endpoints from the firewall. But from an IPv6 host on the LAN I can only ping the local IPv6 tunnel endpoint and can not ping the far end IPv6 tunnel endpoint.I followed the instructions mentioned here exactly to configure the tunnel broker:http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker

When I browse IPv6 websites, they only see my IPv4 address and not my Ipv6 address. Any help in resolving the problem is highly appreciated.

Update: from the firewall I can only ping far end ipv6 endpoint and can not ping any other remote ipv6 hosts. I have the correct default route and not sure what was wrong. Here is my routing table of the firewall:

netstat -rn -f inet6 | grep gif0

default 2001:470:7:xxb::1 UGS gif0
2001:470:7:xxb::/64 link#15 U gif0
fe80::%gif0/64 link#15 U gif0
fe80::2d0:68ff:fe02:e8fb%gif0 link#15 UHS lo0
ff01::%gif0/32 fe80::2d0:68ff:fe02:e8fb%gif0 U gif0
ff02::%gif0/32 fe80::2d0:68ff:fe02:e8fb%gif0 U gif0

bardelot · Jun 9, 2012, 9:58 PM

You have to provide more information.
e.g. Have you configured any IPv6 firewall rules?

Your posted output seems ok to me.

netmax2k · Jun 10, 2012, 1:13 AM

Bardelot, thanks for the quick response and here is the additional information:

I have placed a widely open allow ipv6 rule on the LAN interface
I also configured my lan with provided subnet (2001:470:81/64)
Attaching screen shots for showing the status of my setup

databeestje · Jun 10, 2012, 10:25 AM

maybe you had a bad snapshot where radvd was not working too.

I fixed that just a day or so ago. The radvd.conf was bungled so it never started.
Newer snapshots should show it under services status too.

netmax2k · Jun 10, 2012, 11:39 AM

databeestje, i am using the latest snapshot from Saturday evening but luck. Wireshark capture on win7 client shows me the RA traffic coming from the firewall and it seems OK. I have configured DHCPv6 scope on the LAN interface as well as enabled the RA as "unmanaged". Thanks for your thoughts.

databeestje · Jun 10, 2012, 11:55 AM

Are you missing the IPv6 default route? You should have the HE.gw selected as being the default route.

Diag routes should tell you this.

netmax2k · Jun 10, 2012, 12:37 PM

I see a correct ipv6 default gateway in the route table on pfsence (screenshot attached).

databeestje · Jun 10, 2012, 2:10 PM

anything in the system logs throwing a warning?

Set the log checkbox on the firewall rule on the LAN and see if it sees traffic. Try the same with a block rule on the v6 wan to see if traffic from the internet comes back.

Last resort, remove the tunnel on the HE.net and create a new one. There have been sporadic cases in the past when you couldn't get out to the internet.

netmax2k · Jun 10, 2012, 4:12 PM

Finally, the problem was resolved by deleting the HE tunnel and creating a new tunnel as suggested by databeestje (thanks).