• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Tunnel with a SonicWall NSA 240

Started by charleslacour, September 18, 2011, 07:15:34 PM

Previous topic - Next topic

charleslacour

I have a SonicWall NSA 240 and SonicWall finally has come out with a firmware that supports IPv6.  I initially set my HE IPv6 tunnel on a Ubuntu server and it worked great.  But with the new SonicWall firmware I an attempting to us my Firewall.

THe Tunnel will not come up.  There are two selections for creating a IPv6 Tunnel.  There is a "IPv6 Manual Tunnel Interface" and "GRE Tunnel Interface".  On both of these tunnel types the "Remote IPv4 Address" and "Remote IPv6 Network".  I have put the HE Server IPv4 Address listed on my tunnel details page in the  "Remote IPv4 Address" and tried both the "Routed /64" and "Routed /48" in the "Remote IPv6 Network".

The "IPv6 Manual Tunnel Interface" on one page it labeled "GIF Tunnel" and the auto created FW rule rule allowing access shows the protocol as "6over4".

Any suggestion on how to get this working?

cholzhauer

If what the firewall says is correct, "6over4" isn't what you want and won't work.

I unfortunately own a sonicwall and the firmware does support IPv6, but I never saw a mention of hosting a tunnel.  Do you know what firmware you're running?

charleslacour

The firmware version I am now running is SonicOS Enhanced 5.8.0.3-40o--ipv6-14o (It's a beta firmware) so there is little documentation on it at this point.

I figured that a 6over4 wouldn't work but I wanted to list the options I have.  I assume that I want the GRE tunnel since that is the protocol I had to allow to be allowed and NATed to the Ubuntu server I had the tunnel on before. 

broquea

GRE is Protocol47, 6in4 is Protocol41

charleslacour

Re-enabled the tunnel on the Ubuntu server and did a packet capture and the SonicWall is labeling protocol 41 as 6over4 for some reason. 

I have also posted a question on the SonicWall support forums about this as well.  If I get anywhere I will update this thread.

charleslacour

I was able to get it working!

I was given a link by one of the SonicWall forum moderators: https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8882

The instructions need to be modified so that the Address Objects for the HE network should be assigned to the WAN zone not LAN.

Then you need to add a route to make the tunnel the default for non-local IPv6 traffic. 

medve125

I'm looking for a Sonic OS Enhanced firmware with IPV6 support. Anybody can share a link or send a direct firmware with IPV6 support?

I tried on mySonicWALL.com but I didn't see the Beta firmwares. :(

cholzhauer

I ended up bugging support and they were able to direct me to one; I'd do that if I were you.

charleslacour

If you go into My Sonicwall and open the "My Account" and make sure that "I am interested in being a Beta Tester" is selected under preferences. 

Then go into "My Products" and click on the firewall you want the beta firmware for.

Scroll down the list of Applicable Services and find the Beta section and activate IPv6 beta firmware. 

At this point you should find the beta tab under downloads and it should have the IPv6 beta firmware available for download.

I know that this is convoluted but it should work. 

kd4yal

charleslacour

Could you give a little more detail on your working setup?

Did you end up using the manual tunnel or the GRE?
How were you able to set your ip6 end point address?  ???

Any help would be appreciated!



Jerry




charleslacour

It works but I had to downgrade my NSA-240 firmware to the 5.5.6 version with IPv6 support because of extreme slowness when on 5.8 Beta with IPv6.  This may have been because of a bad routing statement since I was trying to use the HE /64 address space across all of my VLANs, have not had a change to test this again with the 5.8 Beta with IPv6.

I created an IPv4 Address Object for a single host address with the HE Server IPv4 Address.
I also created an IPv6 Address object for a network with the /64 HE Server IPv6 Address range.
The I created an "IPv6 Manual Tunnel interface" on the WAN Zone using the IPv4 host object I created for the "Remote IPv4 Address" and the IPv6 network object I created for the "Remote IPv6 Network"

This should get the tunnel interface up and you will be able to ping from the NSA-240 but you may not be able to ping from a system on your LAN without a routing rule.

In my set-up I use the /48 network assigned by HE for my internal network since I have multiple VLANs.  So for the route I created an IPv6 Address Object of the /48 HE address space that I am using internally.  The route I created is basically a Source of the /48 HE IPv6 Address and a destination of Everything_External on the Tunnel interface you created.

shortcircuitaz1

I'm a technician at Dell/Sonicwall, and living in phoenix, every internet provider that's worth anything is extremely closed lip about IPV6. Due to my frustration, I took it uppon myself to setup an account and get it working with HE/Tunnelbroker. My configuration IS currently working on the latest 5.9 beta with my NSA240.

Once I'm able to fully test, and get a couple of the other technicians to test here. I'll post the process document on the sonicwall KB for the world to see.

you should be able to check out my work within the next couple of weeks.  ;D

shortcircuitaz1


doughecka

Quote from: shortcircuitaz1 on November 21, 2012, 10:27:28 AM
Here is the KB article I promised... it's based on the 5.9 Beta firmware

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=10214

2 things:
It says I do not have access to view this item, although I AM running the latest 5.9 beta firmware (and am accessing the KB article via my beta-enabled mswl account)
Can we get 6rd support on the Sonicwall? U-Verse has IPv6 available via 6rd, and it would be swell to use that instead of using a tunnel. It's much faster.