Netgate Discussion Forum
    IPv6 behind pfsense.

    Firewalling
    8 Posts 5 Posters 16.1k Views
    deags

      Okay, this is what I did to get an IPv6 tunnel to work behind pfSense. This should answer some questions for anyone else searching (I couldn't find much).

      You can set up the tunnel on the pfSense box if you want (I didn't do this). Sign up for a broker (/64) and do something like this.

      ifconfig gif0 create
      ifconfig gif0 tunnel lan.ip.1.1 broker.ip.here.142 up
      ifconfig interface0 inet6 IPv6:Prefix:here::1 prefixlen 64 alias
      route add -inet6 default fe80::%gif0
      

      So an example (don't actually use this).

      ifconfig gif0 create
      ifconfig gif0 tunnel 192.168.1.1 202.157.186.227 up
      ifconfig fxp0 inet6 2001:db8:ff:ff::1 prefixlen 64 alias
      route add -inet6 default fe80::%gif0
      

      Now, if you're setting this up behind your pfSense box, sign up for a broker (/64):
      Linux:
      So an example (don't actually use this).

      ip tunnel add mytbs mode sit remote 202.157.186.227 local 192.168.1.1 ttl 64
      ip link set mytbs up
      ip link set mtu 1280 dev mytbs
      ip -6 addr add 2001:db8:ff:ff::1/64 dev eth0
      ip -6 route add 2000::/3 dev mytbs
      

      Windows:
      First run:

      ipv6 install
      

      So an example (don't actually use this).

      netsh interface ipv6 6to4 set state disabled
      netsh interface ipv6 set privacy disabled
      netsh interface ipv6 add v6v4tunnel mytbs 192.168.1.1 202.157.186.227
      netsh interface ipv6 add address "Local Area Connection" 2001:db8:ff:ff::1
      netsh interface ipv6 add route 2000::/3 mytbs publish=yes
      

      Use the very first example to see which values need to be changed.

      So you have your tunnel set up. Now let's allow traffic to flow (if you block outbound too, you will need to add a rule for that).
      Add a firewall rule for the WAN interface the IPv6 data is being sent to.
      Action: Pass
      Interface: WAN
      Protocol: any
      Source: Specify Address (in the examples this would be 202.157.186.227)
      Destination: any
      Port Range: any
      What this does is allow 202.157.186.227 to access the machine running the tunnel, so you need to trust your tunnel broker. Most of them are fine.

      IPv6 traffic should now be flowing to your tunnel :D

      Now to automatically give all the computers on the LAN addresses, install radvd (Linux and BSD; I dunno what to do for Windows).

      And use a config like:

      interface eth0
      {
        AdvSendAdvert on;
        prefix  2001:db8:ff:ff::/64
        {
          AdvOnLink on;
          AdvAutonomous on;
        };
      };
      

      http://tunnelbroker.net/ are good.

      Any questions? I know this tutorial is shit, but for those who already know the basics it is easy to work out.

      vrillusions

        Could you use placeholders in there, like [Your IPv6 Endpoint]? Tried following this and everything works on that machine, but I can't ping6 anything from any other machines even with radvd running. I am using tunnelbroker.net, but I'm using the linux-net-tools configuration since the other version doesn't work at all for me.

        So I have a Linux machine behind pfSense (I have pfSense forwarding IPv6-encapsulated traffic to the box) and I have it set up like so:

        ifconfig sit0 up
        ifconfig sit0 inet6 tunnel ::[server ipv4 endpoint]
        ifconfig sit1 up
        ifconfig sit1 inet6 add [client ipv6 endpoint]
        route -A inet6 add ::/0 dev sit1
        

        From this point I can ping6 the server IPv6 endpoint, ipv6.google.com, etc. I install radvd and /etc/radvd looks like so:

        interface eth0
        {
           AdvSendAdvert on;
           prefix [routed /64 network]
           {
                AdvOnLink on;
                AdvAutonomous on;
           };
        };

        I then do an ifdown/ifup on another Linux machine; it gets an IP with that prefix, but when I try to ping anything, it doesn't work.

        (edit)
        Forgot to mention that after this is all set up, if I run tcpdump on the computer that has the tunnel, I can see ping packets coming from the second computer and I see a response coming in. On the client machine I just see packets going out but none coming in. Like the computer the tunnel is on doesn't know how to forward ports? It is running Debian 4.0.
        (/edit)

        deags

          Assign yourself a /48 from the tunnel broker and try using that. I'm not a pro at this, BTW; I just use it for fun.
          Assign an IP to your eth0 (or LAN adaptor).

          ifconfig eth0 inet6 add [client ipv6 endpoint]
          route -A inet6 add ::/0 dev eth0
          

          OR

          route -A inet6 add ::/0 dev sit0
          

          Does that change anything?

          Is there anything stopping you from copying the code I posted for Linux?

          apt-get install iproute
          
          ip tunnel add henet mode sit remote [server ipv4 endpoint] local [local ipv4 address] ttl 64
          ip link set henet up
          ip link set mtu 1280 dev henet
          ip -6 addr add [client ipv6 endpoint]/64 dev eth0
          ip -6 route add 2000::/3 dev henet
          

          Picked a good time to reply. I'm not active on these forums and just happened to be browsing.

          vrillusions

            Before, when I did all the iproute stuff, it just didn't work, period. My guess was it was just messed up from me playing with it, so I restarted the computer, used the ip commands, and I'm in the same situation. Access from that computer is fine, but when any of the other computers on the local network try to ping, I can see the ping and response on the server, but it never reaches the end computer. I've tried your version and the one that tunnelbroker suggests in the Linux-route2 setup. Both give the same results. I've since tried this on a Mac and a Windows XP computer and all exhibit the same thing. I'll keep looking to see if there's anything else I may need to set on the server so it knows to forward packets along.

            vrillusions

              Found the error. Looked through and forgot to set an IPv6 address in the routed /64 range for the server… whoops. I set that to an IP in the public range and it works. And actually I have mine running completely through /etc/network/interfaces (Debian/Ubuntu variants only). Here is what I have in /etc/network/interfaces on the server running Debian etch (4.0):

              # The primary network interface
              auto eth0
              iface eth0 inet static
              	address [server's lan ipv4 address]
              	netmask [...]
              	network [...]
              	broadcast [...]
              	gateway [pfsense ipv4 address]
              
              iface eth0 inet6 static
              	address [your ipv6 routed /64 prefix (usually your endpoint with the 3rd part being one higher)]::1
              	netmask 64
              	pre-up modprobe ipv6
              
              # IPv6 tunnel by hurricane electric
              auto henet
              iface henet inet6 v4tunnel
              	address [Client IPv6 address]
              	netmask 64
              	endpoint [Server IPv4 address]
              	ttl 255
              	pre-up modprobe ipv6
              	up ip link set mtu 1280 dev henet
              	up ip route add default via [Server IPv6 address] dev henet
              

              And that's all you need to get routing working. For everything else, like radvd and setting up pfSense to forward traffic, the instructions above still apply.

              One last thing that was really messing with me. In Firefox 3, go to about:config, search for network.dns.disableIPv6 and make sure it is set to false (just double-click on it). Without that, Firefox won't make AAAA lookups and thus won't load any IPv6 sites.

              danne

                Well, it works, but it seems the firewall blocks the incoming ping6s from my tunnel provider, so the provider flags my tunnel as down. Any workaround for this?

                planetmac

                  @danne:

                  Well, it works, but it seems the firewall blocks the incoming ping6s from my tunnel provider, so the provider flags my tunnel as down. Any workaround for this?

                  Create a rule in your firewall to allow ICMP echo requests from anywhere to your WAN.

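The two firewall rules discussed in this thread, deags's WAN pass rule for traffic from the tunnel broker's IPv4 address (first post) and planetmac's ICMP echo-request rule just above, written out as a small Python packet filter over constructed 6in4 and ICMPv4 packets; this is an added example, not code from the thread or from pfSense. It narrows deags's "Protocol: any" to IP protocol 41, which is what 6in4/sit encapsulation uses, and assumes a constructed pfSense WAN address 192.0.2.10 next to the thread's example broker address 202.157.186.227.

```python
import struct
import ipaddress

# Addresses: the broker IPv4 is the thread's example value; the WAN address is constructed.
BROKER_V4 = ipaddress.IPv4Address("202.157.186.227")
WAN_V4 = ipaddress.IPv4Address("192.0.2.10")  # assumed pfSense WAN address (constructed)
IPPROTO_ICMP = 1
IPPROTO_IPV6 = 41            # 6in4 / sit: an IPv6 packet carried directly inside IPv4
ICMPV4_ECHO_REQUEST = 8

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options; checksum left 0, we only parse these)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_6in4(src4, dst4, src6, dst6, inner=b""):
    """IPv6 header (next header 58 = ICMPv6) wrapped in IPv4 protocol 41, as the broker sends."""
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(inner), 58, 64,
                      ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return build_ipv4(src4, dst4, IPPROTO_IPV6, ip6 + inner)

def wan_policy(pkt):
    """Decide 'pass' or 'block' for one inbound WAN packet.

    Rule 1 (deags): source is the broker's IPv4 -> pass, narrowed here to protocol 41 only,
    since that is all the tunnel needs and it avoids trusting the broker for everything else.
    Rule 2 (planetmac): ICMPv4 echo request from anywhere to the WAN address -> pass,
    so the broker's liveness pings are answered and the tunnel is not flagged as down.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "block"                      # not IPv4 (or truncated): default deny
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if proto == IPPROTO_IPV6 and src == BROKER_V4:
        return "pass"                       # encapsulated IPv6 from the trusted broker
    if proto == IPPROTO_ICMP and dst == WAN_V4 and len(pkt) > ihl and pkt[ihl] == ICMPV4_ECHO_REQUEST:
        return "pass"                       # echo request to WAN (keeps the tunnel marked up)
    return "block"                          # everything else, including proto 41 from elsewhere

if __name__ == "__main__":
    # Constructed samples: tunnelled IPv6 from the broker, the same from a stranger, a ping.
    print(wan_policy(build_6in4("202.157.186.227", "192.0.2.10", "2001:db8:ff:ff::2", "2001:db8:ff:ff::1")))
    print(wan_policy(build_6in4("198.51.100.7", "192.0.2.10", "2001:db8:ff:ff::2", "2001:db8:ff:ff::1")))
    print(wan_policy(build_ipv4("203.0.113.5", "192.0.2.10", IPPROTO_ICMP, bytes([8, 0, 0, 0, 0, 0, 0, 0]))))
```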
                  duffy

                    Hi, I'm having some issues setting this up.

                    ifconfig gif0 create
                    ifconfig gif0 tunnel lan.ip.1.1 broker.ip.here.142 up
                    ifconfig interface0 inet6 IPv6:Prefix:here::1 prefixlen 64 alias
                    route add -inet6 default fe80::%gif0
                    

                    Where it says lan.ip.1.1, is that my LAN interface's IP (192.168.0.1) or the computer's IP (192.168.0.5)?
                    Where it says interface0, is that my LAN interface or my WAN interface?
                    Where it says IPv6:Prefix:here::, do I set that to the Client IPv6 address I got from tunnelbroker.net?
                    Does anything need to be changed in the last line?

                    and…

                    netsh interface ipv6 6to4 set state disabled
                    netsh interface ipv6 set privacy disabled
                    netsh interface ipv6 add v6v4tunnel mytbs 192.168.1.1 202.157.186.227
                    netsh interface ipv6 add address "Local Area Connection" 2001:db8:ff:ff::1
                    netsh interface ipv6 add route 2000::/3 mytbs publish=yes
                    

                    Where it says 192.168.1.1, do I put my computer's IP or my LAN interface IP?
                    Do I use 2001:db8:ff:ff::1 or do I replace that with the Client IPv6 address I got from tunnelbroker.net?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.