Hurricane Electric's IPv6 Tunnel Broker Forums

Hi :)

I'm thinking about getting the clients around here an IPv6 connection. Already done some reading about it and read about creating a tunnel. From what I've read my pfSense router supports passing protocol 41, this setting is present: "NAT encapsulated IPv6 packets (IP protocol 41/RFC2893) to:", I can enable/disable this but I must enter an IP-address.

Does this mean I can only create a tunnel to one client at a time and not simultaneous to multiple clients?

Here's some info about the clients/devices:
* Cablemodem: Arris TM702B, EuroDOCSIS 3. (ISP is not offering IPv6 to there customers, however there are rumors they are testing it...)
* Router: MSI IM-945GSE-A motherboard with 1GB RAM, a MiniBox M300LCD case and pfSense 1.2.3 nanoBSD/embedded as OS.
* One 3COM OfficeConnect® Gigabit Switch 8 and a HP ProCurve 1400-8G switch.
* Clients: Several operating systems: XP Pro SP2 & 3, 7, Kubuntu 10.04, Windows Mobile 6 (might soon be replaced by an Android phone) and a Noxon 2 Audio which just like it's predecessor will not get a firmware update I suspect.
* AP: Senao/EnGenius ECB/SCB-3220 (getting repaired atm....).

Hope anyone can shed some light on this ;)

With regards,

Bart Grefte

You only need one tunnel; your router takes care of handing out addresses to your clients and sending traffic back through the tunnel to HE.

You can use Router Advertisements and DHCPv6 to assign addresses

Uhm, (gonna Google later ;), half a sleep... ) but how do you want the router to do that, since pfSense does not get support for IPv6 until after 2.0 is released? (Whenever that will be.)

Well that I didn't know, sorry.

Then you'll need a host behind it (BSD, linux, windows, ect) that you can use to terminate your tunnel and also use to hand out addresses; Looks like your Ubuntu host should be able to do it

If you are comfortable with the nitty gritty of Linux it looks like Gentoo can do this: http://www.gentoo.org/doc/en/ipv6.xml (http://www.gentoo.org/doc/en/ipv6.xml)

Quote from: cholzhauer on September 07, 2010, 11:56:38 AM
Well that I didn't know, sorry.

Then you'll need a host behind it (BSD, linux, windows, ect) that you can use to terminate your tunnel and also use to hand out addresses; Looks like your Ubuntu host should be able to do it

Hmm, the only host that is running 24/7 (next to the pfSense router) has XP as OS.
(K)Ubuntu is the OS of my laptop, that one is not gonna run 24/7 ;)

Quote from: antillie on September 09, 2010, 12:59:28 PM
If you are comfortable with the nitty gritty of Linux it looks like Gentoo can do this: http://www.gentoo.org/doc/en/ipv6.xml (http://www.gentoo.org/doc/en/ipv6.xml)

Well, I was hoping I wouldn't need another host that runs 24/7. Isn't there anyway FreeBSD (7.2 if I'm correct) can do this? Since pfSense is based on it.

Yes, you can use FreeBSD to host your tunnel...you could also use XP.

If pfSense is based on FreeBSD, why not go to the tunnel page, pick the drop down for FreeBSD, and use those commands to start your tunnel?

I've been busy, but hope I can check that out this weekend :)

Are all commands necessary there? I mean, including the onces that make pfSense/FreeBSD give the clients an IPv6 address through DHCP?
Or I can just look at that page and find out :)

edit: I'm already running into a little problem, the "Setup Regular IPv6 Tunnel"-form does not accept a DynDNS domainname as endpoint, wanted to enter it because my ISP does not offer static IP-addresses and I use DynDNS because of that.
So I'm guessing only an IPv4 address is accepted? Why not a DynDNS domainname, would make things a whole lot easier when someones IP changes, it would get automatically updated when running the DynDNS updater-client in the background.

I am using pfSense as well. I ended up setting up a Vyatta box and having pfSense forward protocol 41 to it. I had debated about replacing the pfSense box with Vyatta, but didn't want to incur the downtime. Not to mention the RRD graphs built into pfSense are nice.

If you want more details have a read through Configuring Vyatta with an IPv6 Tunnel Broker (http://www.excaliburtech.net/archives/198). It was fairly straight forward except for on pfSense you also need to create a firewall rule to allow the he.net endpoint to access the IP you forwarded protocol 41 to.

I've never heard of a Vyatta box ???

Did ran into this: http://www.xaero.org/index.php/archive/configuring-a-6to4-tunnel-on-the-pfsense-firewall/ (Google cache link (http://webcache.googleusercontent.com/search?q=cache:tuGJD92FeLEJ:www.xaero.org/index.php/archive/tag/pfsense/+http://www.xaero.org/index.php/archive/tag/pfsense/&cd=1&hl=nl&ct=clnk&gl=nl) if site is down again)
Haven't tried it yet, but if I understand everything correctly, every client that supports IPv6 should be able to use the tunnel.

Quote from: bartgrefte on October 17, 2010, 09:10:09 AM
I've never heard of a Vyatta box ???

Have a look at the Vyatta community edition website. Configuration is done through the CLI like Cisco. The command syantax is different, but easy to pick up with the auto complete.

http://www.vyatta.org/

Hi,

I've been working on ipv6 support for pfSense on the 2.0 BETA branch last week and it's now possible to succesfully configure a he.net ipv6 tunnel via the web interface, assign the public /64 to the lan and have your lan host autoconfigure a public address.

The firewall rules on the wan and lan interface work for ipv6 so you can easily deny and allow traffic from the internet to the routed subnet.

You can find the relevant information to get your 2.0 install working with my forum post on http://forum.pfsense.org/index.php/topic,26469.0.html

Regards

How about 1.2.3 branch ;)

Tried http://www.xaero.org/index.php/archive/configuring-a-6to4-tunnel-on-the-pfsense-firewall , getting:
[admin@bocadelinfierno.local]/root(1): ping6 -c 4 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:1f14:e04::2 --> 2a00:1450:8001::93
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1
ping6: sendmsg: Operation not permitted
ping6: wrote ipv6.l.google.com 16 chars, ret=-1

--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
at pfSense box, logged on with Putty on console.
My test-client (with XP Pro) does not have IPv6 access either.

Ping6 results to ::1 same results as above...

edit: Never mind... Anyone know this setting? pfSense -> System -> Advanced -> "Allow IPv6 traffic" ::)
Later this week I'm gonna try the clients again....

Quoteping6: sendmsg: Operation not permitted

Suggests a local firewall issue on the host
rgds

Here is a link to the howto I made for the experimental pfSense 2.0 code branch.
http://iserv.nl/files/pfsense/ipv6/

That setting I mentioned solved it, pfSense can now ping6 IPv6 sites.
My test-client however, still cannot visit or ping6 IPv6 sites, "target host not reachable" (roughly translated).

pfSense's firewall log mentions ICMP6 packets being blocked even though they should be passing through.
Never mind that, firewall always seem to mention they are blocked, even successfull ping6's from the router.

Plus this error is still there:
rtadvd[843]: <getconfig> em0 isn't defined in the configuration file or the configuration file doesn't exist. Treat it as default[/]

The message from rtadvd can safely be ignored, it should be enough to let rtadvd get the settings and prefix from the ipv6 address on the LAN interface. The message is superficial

Hmm, okay.

ps. Ik ben Raven @ GoT ;)

Got it working :D
One wrong number in /etc/rtadvd.conf .... ::)