He.net IPv6 tunnel behind IPv4 NAT



  • Hi,

    I tried to set up IPv6 with this howto:
    https://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker
    on a kvm virtual guest with 2.1.5 and I'm having issues with IPv6 which are somewhat annoying, because network hosts seem to grasp that they may use IPv6 and they start trying, but then time out trying.

    For one, I'm confused about what the howto says about which pings should be allowed. It doesn't say from where to where.
    Secondly, under "status" - "gateways" I keep getting my v6 first hop not reachable from time to time.
    Hence no host actually can use v6 to go online any more. When I restart my router, I can use IPv6 once again.

    I need to mention that the pfsense router that is my network's default gateway actually doesn't have a public IPv4 address of its own, but only gets one via another masquerading gateway (under my control), i.e. double NAT.

    Could someone help me out, please!
    Jochen



  • Pings (ICMP packets) should be allowed from he.net (66.220.2.74) or from anywhere if you wish your box to be pingable from any machine on the internet. To where: simply choose "WAN address" in the dropdown menu (depends on how you actually named your WAN interface, i.e. for me it was "WAN_01 address").



  • Well yeah, I could let anyone ping me, why not.
    BUT as I tried to explain, the pfsense router cannot be pinged directly, because it doesn't have the public IP.
    The device that has the public IP through which the pfsense router and any other host in the LAN goes online is pingable by anybody.

    So if I get this right this should be the problem after all, right?
    Or do the ping packets HAVE TO get through to the pfsense device necessarily?

    I hope this clears things up:
    |INTERNET|firsthop<--->mypublicIP|first router Fritzbox|10.0.103.100<----->10.0.103.101|secondrouter_pfsensebox|10.0.104.100<----|localnet 10.0.104.100/24
    There's no one else in 10.0.103.0/24 besides the routers. All clients are in 10.0.104.0/24



  • It would need to pass protocol 41 to your pfsense.
    I've been able to set up Hurricane Electric on a second pfsense behind another pfsense, but it didn't work with a pfsense behind a cheap consumer router.
    I've also been able to do it with a pfsense in Asia as an OpenVPN client to a VPN in the USA, using the USA IP as the one I gave to Hurricane Electric.
    I think the trick is in the 1st router. Using pfsense there is probably best.



  • I agree with kejianshi: use pfsense as your internet-facing firewall/NAT device.

    If you wish to keep your current setup you will need to forward the ICMP requests and the IPv6 tunnel from whatever device is facing the web towards your pfsense box, and then configure pfsense accordingly to accept them (that last part is explained in the howto).

    But like kejianshi mentions, a cheap router can cause you many problems, especially in a double NAT environment. Would it be an option to disable NAT on the internet-facing router and let pfsense handle that part? Or could you instead set up the tunnel directly on that device (some do support tunnel broker setup)?
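    As an added illustration (not code from the thread or from pfSense) of what the two previous replies say the internet-facing device must pass through, the following Python classifier decodes raw IPv4 packets and labels the two flows in question: protocol 41 (IPv6 carried directly inside IPv4, the HE tunnel) and ICMP echo requests, both arriving from the tunnel server 66.220.2.74 for the pfsense WAN at 10.0.103.101. The packets are constructed inline; the 2001:db8:: addresses are assumed documentation values.

```python
import ipaddress
import struct

# Values from the thread: HE tunnel server and the pfSense WAN address behind the FritzBox.
HE_TUNNEL_SERVER = "66.220.2.74"
PFSENSE_WAN = "10.0.103.101"
PROTO_ICMP = 1
PROTO_6IN4 = 41  # IPv6-in-IPv4 encapsulation used by the HE tunnel (RFC 4213)

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; return protocol, addresses and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "payload": pkt[ihl:total_len]}

def classify(pkt: bytes) -> str:
    """Label a packet as one of the flows the upstream NAT must pass on to pfSense."""
    hdr = parse_ipv4(pkt)
    payload = hdr["payload"]
    if hdr["proto"] == PROTO_6IN4:
        # The inner packet must itself be IPv6 (version nibble 6) with a full 40-byte header.
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "6in4-malformed"
        inner_src = ipaddress.IPv6Address(payload[8:24])
        inner_dst = ipaddress.IPv6Address(payload[24:40])
        origin = "tunnel-server" if hdr["src"] == HE_TUNNEL_SERVER else "other"
        return f"6in4-from-{origin} {inner_src}->{inner_dst}"
    if hdr["proto"] == PROTO_ICMP and len(payload) >= 8:
        icmp_type = payload[0]
        return {8: "icmp-echo-request", 0: "icmp-echo-reply"}.get(icmp_type, f"icmp-type-{icmp_type}")
    return f"other-proto-{hdr['proto']}"

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet; the header checksum is left at 0 since nothing validates it here."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src: str, dst: str, next_header: int = 58, payload: bytes = b"") -> bytes:
    """Constructed inner IPv6 packet (2001:db8::/32 documentation addresses are assumed)."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)
```

    Feeding the classifier packets captured on the pfsense WAN shows at a glance whether the upstream router actually delivers the protocol 41 and echo-request traffic, or whether it is being dropped before it reaches the box.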



  • The thing is that my upfront router is a FritzBox which I don't consider to be cheap, but it's more of a consumer device of course.
    The only reason I'm using double NAT is because my ISP is offering my telephony via NGN (next generation network) and it's somehow bound to the router that has the ADSL2+ modem integrated.

    This is really nasty stuff.
    Ok, let's check this idea out.

    Internet<--->|myDSLModem|<--->|MyPfsenseRouterWithPublicIP|<--->|FritzBoxAsDHCPClient|

    This way my Fritzbox would get online via a masqueraded IP, and since it's doing IP telephony for me I expect this to fail - because of NAT.
    Maybe the best way to get this going is to let my Fritzbox handle the IPv6 tunnel and then delegate prefixes out of my /48 prefix to the downstream router, the pfsense box, right?



  • Yes, that setup would likely work better, assuming you know what to forward to your FritzBox to allow VoIP to work (unless it's IPv6 enabled). Then your devices, using DHCPv6 provided by pfsense, will get internet connectivity. Or, like you mention, let the FritzBox handle the tunnel and likely the DHCPv6 as well.

    I'd personally go with the first option as I got VoIP working that way. I'm pretty sure you could get it working as well but you'd have to check with your ISP what needs to be forwarded from pfsense to your FritzBox to allow VoIP to reach it. I'm sure it can be done. :)



  • I wouldn't automatically expect any telephony issues as long as the FritzBox is not a SIP server but rather a client that provides telephone service to your house.

    You can actually have lots and lots of NAT on the client end usually, so long as the server does not. Usually.



  • I'm really freaking out here.
    This Fritzbox doesn't do PPPoE passthrough with the current firmware 6.something.
    My other modem doesn't sync, and now I'm pissed with this crappy software / hardware.

    Seems like I need yet another modem.