IPv6 behind pfSense.



  • Okay, this is what I did to get an IPv6 tunnel to work behind pfSense. This should answer some questions for anyone else searching (I couldn't find much).

    You can set up the tunnel on the pfSense box if you want (I didn't do this). Sign up for a broker (/64) and do something like this.

    ifconfig gif0 create
    ifconfig gif0 tunnel lan.ip.1.1 broker.ip.here.142 up
    ifconfig interface0 inet6 IPv6:Prefix:here::1 prefixlen 64 alias
    route add -inet6 default fe80::%gif0
    

    So an example (don't actually use this).

    ifconfig gif0 create
    ifconfig gif0 tunnel 192.168.1.1 202.157.186.227 up
    ifconfig fxp0 inet6 2001:db8:ff:ff::1 prefixlen 64 alias
    route add -inet6 default fe80::%gif0
    

    Now if you're setting this up behind your pfSense box, sign up for a broker (/64):
    Linux:
    So an example (don't actually use this).

    ip tunnel add mytbs mode sit remote 202.157.186.227 local 192.168.1.1 ttl 64
    ip link set mytbs up
    ip link set mtu 1280 dev mytbs
    ip -6 addr add 2001:db8:ff:ff::1/64 dev eth0
    ip -6 route add 2000::/3 dev mytbs
    

    Windows:
    First run

    ipv6 install
    

    So an example (don't actually use this).

    netsh interface ipv6 6to4 set state disabled
    netsh interface ipv6 set privacy disabled
    netsh interface ipv6 add v6v4tunnel mytbs 192.168.1.1 202.157.186.227
    netsh interface ipv6 add address "Local Area Connection" 2001:db8:ff:ff::1
    netsh interface ipv6 add route 2000::/3 mytbs publish=yes
    

    Use the very first example to see which values need to be changed.

    So you have your tunnel set up. Now let's allow traffic to flow (if you block outbound too, you will need to add a rule for that).
    Add a firewall rule for the WAN interface the IPv6 data is being sent to.
    Action: Pass
    Interface: WAN
    Protocol: any
    Source: Specify Address; in the examples this would be 202.157.186.227
    Destination: any
    Port Range: any
    What this does is allow 202.157.186.227 to access the machine running the tunnel, so you need to trust your tunnel broker. Most of them are fine.

    IPv6 traffic should now be flowing to your tunnel :D

    Now to automatically give all the computers on the LAN addresses.
    Install radvd (Linux and BSD; I dunno what to do for Windows).

    And use a config like:

    interface eth0
    {
      AdvSendAdvert on;
      prefix  2001:db8:ff:ff::/64
      {
        AdvOnLink on;
        AdvAutonomous on;
      };
    };
    

    http://tunnelbroker.net/ are good.

    Ask any questions. I know this tutorial is shit, but for those who already know the basics it is easy to work out.



  • Could you use placeholders in there, like [Your IPv6 Endpoint]? Tried following this and everything works on that machine, but I can't ping6 anything from any other machines, even with radvd running. I am using tunnelbroker.net, but I'm using the linux-net-tools configuration since the other version doesn't work at all for me.

    So I have a Linux machine behind pfSense (I have pfSense forwarding IPv6-encapsulated traffic to the box) and I have it set up like so:

    ifconfig sit0 up
    ifconfig sit0 inet6 tunnel ::[server ipv4 endpoint]
    ifconfig sit1 up
    ifconfig sit1 inet6 add [client ipv6 endpoint]
    route -A inet6 add ::/0 dev sit1
    

    From this point I can ping6 the server IPv6 endpoint, ipv6.google.com, etc. I install radvd and /etc/radvd looks like so:

    interface eth0
    {
       AdvSendAdvert on;
       prefix [routed /64 network]
       {
            AdvOnLink on;
            AdvAutonomous on;
       };
    };
    
    

    I then do an ifdown/ifup on another Linux machine; it gets an IP with that prefix, but when I try to ping anything, it doesn't work.

    (edit)
    Forgot to mention that after this is all set up, if I run tcpdump on the computer that has the tunnel, I can see ping packets coming from the second computer and I see a response coming in. On the client machine I just see packets going out but none coming in. Like the computer the tunnel is on doesn't know how to forward ports? It is running Debian 4.0.
    (/edit)



  • Assign yourself a /48 from the tunnel broker and try using that. I'm not a pro at this, BTW. I just use it for fun.
    Assign an IP to your eth0 (or LAN adaptor).

    ifconfig eth0 inet6 add [client ipv6 endpoint]
    route -A inet6 add ::/0 dev eth0
    

    OR

    route -A inet6 add ::/0 dev sit0
    

    Does that change anything?

    Is there anything stopping you from copying the code I posted for Linux?

    apt-get install iproute
    
    ip tunnel add henet mode sit remote [server ipv4 endpoint] local [local ipv4 address] ttl 64
    ip link set henet up
    ip link set mtu 1280 dev henet
    ip -6 addr add [client ipv6 endpoint]/64 dev eth0
    ip -6 route add 2000::/3 dev henet
    

    Picked a good time to reply. I'm not active on these forums and just happened to be browsing.



  • Before, when I did all the iproute stuff, it just didn't work, period. My guess was it was just messed up from me playing with it, so I restarted the computer, used the ip commands and I'm in the same situation. Access from that computer is fine, but when any of the other computers on the local network try to ping, I can see the ping and response on the server but it never reaches the end computer. I've tried your version and the one that tunnelbroker suggests in the Linux-route2 setup. Both give the same results. I've since tried this on a Mac and a Windows XP computer and all exhibit the same thing. I'll keep looking to see if there's anything else I may need to set on the server so it knows to forward packets along.



  • Found the error. Looked through and forgot to set an IPv6 address in the routed /64 range for the server… whoops. I set that to an IP in the public range and it works. And actually I have mine running completely through /etc/network/interfaces (Debian/Ubuntu variants only). Here is what I have in /etc/network/interfaces on the server running Debian etch (4.0):

    # The primary network interface
    auto eth0
    iface eth0 inet static
    	address [server's lan ipv4 address]
    	netmask [...]
    	network [...]
    	broadcast [...]
    	gateway [pfsense ipv4 address]
    
    iface eth0 inet6 static
    	address [your ipv6 routed /64 prefix (usually your endpoint with the 3rd part being one higher)]::1
    	netmask 64
    	pre-up modprobe ipv6
    
    # IPv6 tunnel by hurricane electric
    auto henet
    iface henet inet6 v4tunnel
    	address [Client IPv6 address]
    	netmask 64
    	endpoint [Server IPv4 address]
    	ttl 255
    	pre-up modprobe ipv6
    	up ip link set mtu 1280 dev henet
    	up ip route add default via [Server IPv6 address] dev henet
    

    And that's all you need to get routing working. For everything else, like radvd and setting up pfSense to forward traffic, the instructions above still apply.

    One last thing that was really messing with me. In Firefox 3, go to about:config, search for network.dns.disableIPv6 and make sure it is set to false (just double-click on it). Without that, Firefox won't make AAAA lookups and thus won't load any IPv6 sites.
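    The mistake found in the post above (the tunnel host's LAN address was not in the routed /64) can be checked before touching radvd. The following is an added example, not code from this thread, pfSense or the tunnel broker: a small Python checker that applies the poster's "third hextet one higher" heuristic to guess the routed /64 and flags the inconsistencies the thread ran into. The heuristic, the forwarding flag and the sample addresses are assumptions for illustration; your broker's tunnel details page is authoritative.

```python
import ipaddress


def routed_prefix_from_endpoint(client_endpoint: str) -> ipaddress.IPv6Network:
    """Poster's heuristic: routed /64 = tunnel /64 with the third hextet one higher.
    Assumption for illustration only; the broker's tunnel details page is authoritative."""
    tunnel_net = ipaddress.IPv6Network(f"{client_endpoint}/64", strict=False)
    # The third hextet occupies bits 32-47 from the left, so "+1" there is +2**80.
    return ipaddress.IPv6Network((int(tunnel_net.network_address) + (1 << 80), 64))


def check_plan(client_endpoint: str, lan_address: str, radvd_prefix: str,
               forwarding_enabled: bool) -> list:
    """Return the problems found in an addressing plan (empty list = consistent).
    client_endpoint: client IPv6 endpoint configured on the sit/gif interface
    lan_address: address the tunnel host puts on its LAN interface (eth0)
    radvd_prefix: the prefix radvd advertises to the LAN
    forwarding_enabled: net.ipv6.conf.all.forwarding on the tunnel host (assumed check)
    """
    problems = []
    tunnel_net = ipaddress.IPv6Network(f"{client_endpoint}/64", strict=False)
    adv_net = ipaddress.IPv6Network(radvd_prefix)
    lan_ip = ipaddress.IPv6Address(lan_address)

    if lan_ip in tunnel_net:
        # The thread's actual bug: the LAN side was numbered from the tunnel /64.
        problems.append("LAN address lies in the tunnel /64; number the LAN from the routed /64")
    if lan_ip not in adv_net:
        problems.append("LAN address is not inside the prefix radvd advertises")
    if adv_net.overlaps(tunnel_net):
        problems.append("radvd prefix overlaps the tunnel /64; LAN hosts would self-assign tunnel addresses")
    if adv_net.prefixlen != 64:
        problems.append("SLAAC (AdvAutonomous on) needs exactly a /64")
    if not forwarding_enabled:
        problems.append("IPv6 forwarding is off; the tunnel host will not route for the LAN")
    return problems


if __name__ == "__main__":
    # Constructed values using the thread's documentation-range example addresses.
    endpoint = "2001:db8:ff:ff::1"
    routed = routed_prefix_from_endpoint(endpoint)  # 2001:db8:100:ff::/64
    print("routed /64:", routed)
    print("broken plan:", check_plan(endpoint, "2001:db8:ff:ff::2", str(routed), True))
    print("fixed plan:", check_plan(endpoint, str(routed.network_address + 1), str(routed), True))
```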



  • Well, it works, but it seems the firewall blocks the incoming ping6s from my tunnel provider, so the provider flags my tunnel as down. Any workaround for this?



  • @danne:

    Well, it works, but it seems the firewall blocks the incoming ping6s from my tunnel provider, so the provider flags my tunnel as down. Any workaround for this?

    Create a rule in your firewall to allow ICMP echo requests from anywhere to your WAN.



  • Hi, I'm having some issues setting this up.

    ifconfig gif0 create
    ifconfig gif0 tunnel lan.ip.1.1 broker.ip.here.142 up
    ifconfig interface0 inet6 IPv6:Prefix:here::1 prefixlen 64 alias
    route add -inet6 default fe80::%gif0
    

    Where lan.ip.1.1: is that my LAN interface's IP (192.168.0.1) or the computer's IP (192.168.0.5)?
    Where interface0: is that my LAN interface or my WAN interface?
    Where IPv6:Prefix:here:: do I set that to the Client IPv6 address I got from tunnelbroker.net?
    Does anything need to be changed in the last line?

    and…

    netsh interface ipv6 6to4 set state disabled
    netsh interface ipv6 set privacy disabled
    netsh interface ipv6 add v6v4tunnel mytbs 192.168.1.1 202.157.186.227
    netsh interface ipv6 add address "Local Area Connection" 2001:db8:ff:ff::1
    netsh interface ipv6 add route 2000::/3 mytbs publish=yes
    

    Where 192.168.1.1: do I put my computer's IP or my LAN interface IP?
    Do I use 2001:db8:ff:ff::1, or do I replace that with my Client IPv6 address I got from tunnelbroker.net?

