Share IPv6 over OpenVPN using Tunnelbroker



  • Hello,

    I have a Pfsense box and an OpenVPN server outside (which I own, on a Linux server). Pfsense is connected to the VPN and all the IPv4 traffic is NATed over it. The server has a /64 IPv6 prefix given by TunnelBroker.

    Now, everything has worked for several months, but I tried to add IPv6 connectivity and I'm stuck on a simple problem: Pfsense has its IPv6 delivered by OpenVPN, I can ping this IP from the internet and reciprocally do a traceroute locally to an IPv6 host. DNS can also resolve IPv6 AAAA records. So I think the RADVD configuration should be OK on the Linux server.

    The problem is I can't share the subnet allocated to the client with my LAN.

    I split the /65 network into four /67 subnets for some NICs of Pfsense (different physical networks) but still no IPv6 internet on the PCs. However I can ping my pfsense box and the IPv6 address of the OpenVPN client in IPv6. Curiously not the IPv6 of the server…

    I left the /67 corresponding to the OpenVPN client and server unused and assigned some other /67s. To summarise, all the sub-subnets are on the same /65. But still nothing works in IPv6.

    Can you help me?

    Thanks!


  • LAYER 8 Global Moderator

    What you need is to get a /48 from your tunnelbroker - if HE, this is real easy.  Then you can use an IPv6 /64 for your openvpn connection and another /64 on your lan that all fall under your /48

    Here you can see my openvpn connection getting an IPv6 which is from a /64 that is part of my /48, and it sends traffic down my vpn tunnel, then up through the tunnel on pfsense to my tunnel broker HE..

    The latency is a bit high currently since I am in chicagoland, but the proxy I have to bounce my openvpn connection off of is TX from work, then back to chicago to my home where the pfsense and vpnserver is running.




    I did the same configuration you described, although instead of /48 there are smaller subnets, /65 and /67; and it works but only for the client with the /65. In a traceroute from my computer there are no more steps, as you can see below:

    The problem is to route a second time a sub subnet for the LAN.

    For IPv6 I've got a smaller ping response, generally around 50-100ms. HE's 6in4 server is located in London (closest ping from my server) and I need to add the latency of my internet connection.

    Basically, these are my actual addresses:

    Server side

    he-ipv6          2001:470:xxxx:yyyy::/65
    tun0              2001:470:xxxx:yyyy:8000::1/65
                                    |
    LAN side                  VPN 
                                    |
    pfsense client          2001:470:xxxx:yyyy:8000::100/65
                                              |
    unused                                2001:470:xxxx:yyy:8000::/67
    LAN                                      2001:470:xxxx:yyy:a000::/67
    DMZ                                    2001:470:xxxx:yyy:c000::/67
    and so on…

    If I replace the subnets by a /48 and /64 the problem will stay...
    Can we do a 1:1 NAT on IPv6, for the entire range?

    ![cmd test traceroute.jpg](/public/imported_attachments/1/cmd test traceroute.jpg)


  • Banned

    Stop using /67 or similar nonsense. The smallest usable subnet without breaking tons of IPv6 functionality is /64. Period.



  • @flgk:

    Can we do a 1:1 NAT on IPv6, for the entire range ?

    Afaik there is no "NAT" with IPv6. Your internal IPv6 address should be a public one, and it's just routed.

    Not sure if it's meant to be that way, but anywhere you look, the usual IPv6 subnet IS /64.

    C



    I do it exactly the way johnpoz says - has been perfectly reliable for a very long time.  About a couple of years.


  • LAYER 8 Global Moderator

    As dok mentions, trying to use anything other than /64 is going to have flaky results..  while it seems odd, the smallest segment in IPv6 is really meant to be /64 – even in a simple transit network /64 is what is supposed to be used.  Yeah yeah, they let you do /128

    I think part of the problem is ISPs only giving users 1 /64 and not a decent /56 that they could then use how they want, so users try to break up the /64 they get into smaller chunks...

    Get yourself a /48 or /56 and then use /64s for your multiple segments and vpn connections and you should be golden.



    I tried your recommendations: asked Tunnelbroker for a /48. I don't see why we need to waste so many addresses, a single /64 is already huge, but let's go anyway!

    On my new /48 I advertised a /56 with radvd. Then I use a /64 for OpenVPN and another /64 for my LAN. Those /64s are obviously inside the /56. Finally it has the same configuration as before, but with a larger IPv6 space. Again, it doesn't work: Pfsense reaches the IPv6 internet but not the rest  :(

    I'm starting to think it could be a routing problem. Indeed, to let Pfsense reach the IPv6 Internet I'm forced to add 2000::/3 manually to Pfsense's routes. If Pfsense can reach IPv6 servers, doesn't that mean the LAN should too?



    Meh…, you peel off /64 type subnet(s) from the /48 (65535 LANs, OPTs possible), you advertise (RA) /64 LAN || OPT types. THAT's a first! Understand subnetting: http://www.tcpipguide.com/free/t_ipv6globalunicastaddressformat-2.htm


  • LAYER 8 Global Moderator

    Why would you need to add that to pfsense routes?  If you want your vpn client to use the ipv6 tunnel to get to other ipv6 networks other than the ones you list, then yeah, you prob want to push that route to your vpn client

    In the advanced box
    push "route-ipv6 2000::/3"
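As an added illustration (not code from this thread, nor from pfSense or OpenVPN), the Python below carves /64s out of a /48 the way johnpoz recommends, flags any /65 or /67 plan like the one in the diagram above, and emits the OpenVPN server lines that route the LAN /64 behind the pfSense client back through its tunnel. The prefix 2001:db8:1::/48 is a constructed documentation placeholder, and the directive names server-ipv6, route-ipv6 and iroute-ipv6 are assumed from OpenVPN 2.4+ documentation.

```python
import ipaddress

# Constructed placeholder: stands in for the /48 Tunnelbroker delegates.
DELEGATED_48 = ipaddress.ip_network("2001:db8:1::/48")


def carve_64s(prefix48, segment_names):
    """Hand out one /64 per segment, in order, from the delegated prefix."""
    if prefix48.prefixlen > 64:
        raise ValueError(f"{prefix48} cannot hold a /64")
    pool = prefix48.subnets(new_prefix=64)
    return {name: next(pool) for name in segment_names}


def check_plan(plan):
    """Return a list of problems: any segment longer than /64 (the /65, /67
    plan from the thread), and any pair of segments that overlap."""
    nets = [(n, ipaddress.ip_network(v) if isinstance(v, str) else v)
            for n, v in plan.items()]
    problems = []
    for name, net in nets:
        if net.prefixlen != 64:
            problems.append(f"{name}: {net} is a /{net.prefixlen}, use a /64")
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{a} and {b} overlap: {na} vs {nb}")
    return problems


def openvpn_server_lines(vpn64, lan64, client_cn):
    """Server-side config for a routed LAN /64 behind one OpenVPN client.
    Returns (server.conf lines, ccd file path, ccd file lines)."""
    server = [
        f"server-ipv6 {vpn64}",            # transit /64 for the tunnel itself
        'push "route-ipv6 2000::/3"',      # from the thread: send global IPv6 into the tunnel
        f"route-ipv6 {lan64}",             # kernel route on the server towards the tun device
        "client-config-dir ccd",
    ]
    # iroute-ipv6 tells OpenVPN which connected client owns the LAN /64.
    ccd_lines = [f"iroute-ipv6 {lan64}"]
    return server, f"ccd/{client_cn}", ccd_lines


if __name__ == "__main__":
    plan = carve_64s(DELEGATED_48, ["vpn", "lan", "dmz"])
    print(plan, check_plan(plan))
    print(openvpn_server_lines(plan["vpn"], plan["lan"], "pfsense-client"))
```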

