• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.



6in4 tunnel with ns25

Started by crobin, December 31, 2011, 02:30:53 AM



Hi Folks,

Need some help getting this one working again. I had it working earlier, but now cannot reproduce it.

ns25 on 5.4.0r19.0 in NAT/route mode

ethernet1 is the 'trust' interface -- lan switches
ethernet3 is the 'Untrust' interface -- cable modem

set interface "ethernet1" ipv6 mode "host"
set interface "ethernet1" ipv6 ip 2001:X:X:X::2/64
set interface "ethernet1" ipv6 enable
unset interface ethernet1 ipv6 nd nud
set interface ethernet1 ipv6 nd dad-count 0

set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet3
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if ethernet3 dst-ip X.X.X.X
set interface tunnel.1 mtu 1480
unset interface tunnel.1 ipv6 nd nud
set interface tunnel.1 ipv6 nd dad-count 0

set policy id 13 from "Untrust" to "Trust"  "Any-IPv6" "Any-IPv6" "ANY" permit
set policy id 12 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit traffic priority 0

set route ::/0 interface tunnel.1 gateway 2001:X:X:X::1

The 'automatic' ipv6 configuration for OSX used to work on the lan, now nothing.


Removing the X's in your ip addresses will help us help you


set interface "ethernet1" ipv6 ip 2001:470:1f04:87::2/64

set interface tunnel.1 tunnel local-if ethernet3 dst-ip

set route ::/0 interface tunnel.1 gateway 2001:470:1f04:87::1

I vaguely remember the ipv6 address was on the LAN interface, so client can talk directly through the tunnel, but I can't remember what the unnumbered config was set to.

I also remember the Untrust interface, ethernet3, had an MTU of 1498, which had adverse effects on ipv4 traffic; it would stall, however the ipv6 tunnel was working.


My ScreenOS is rusty, but IIRC, it's easier to use the /64 tunnel network on the tunnel, and the /64 assigned network on ethernet1.

Also, I don't think that 'set ipv6 mode host' is correct on the tunnel interface; I think that needs to be set on a routed port.

My old 5GT (5XT) is in a box somewhere and had a working config on it.  I can dig it out if needed.

Also IIRC, the IPv6 guide for ScreenOS was pretty good.  After setting a variable, rebooting, and a few cryptic commands, everything else was just like IPv4 in ScreenOS: address book entries, policies written from zone to zone, etc.
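
One way to check a config against the suggestion in the last reply (tunnel /64 on the tunnel interface), as an added example that is not from any poster in this thread. It parses only the two statement forms quoted above; the function names, the `tunnel.1 ipv6 ip` line and the 2001:db8:87::/64 LAN prefix are assumptions made for illustration.

```python
import ipaddress
import re

# Only the two statement forms that appear in the thread are parsed.
ADDR_RE = re.compile(r'^set interface "?([\w.]+)"? ipv6 ip (\S+)$')
ROUTE_RE = re.compile(r'^set route (\S+) interface "?([\w.]+)"? gateway (\S+)$')

def parse(config):
    """Return ({interface: [IPv6Interface]}, [(prefix, egress_if, gateway)])."""
    addrs, routes = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            addrs.setdefault(m.group(1), []).append(ipaddress.IPv6Interface(m.group(2)))
        elif m := ROUTE_RE.match(line):
            routes.append((ipaddress.IPv6Network(m.group(1)), m.group(2),
                           ipaddress.IPv6Address(m.group(3))))
    return addrs, routes

def check_gateways(config):
    """Flag routes whose gateway is not on-link for the egress interface."""
    addrs, routes = parse(config)
    findings = []
    for prefix, egress, gw in routes:
        if any(gw in a.network for a in addrs.get(egress, [])):
            continue  # gateway lies inside a prefix configured on the egress interface
        owners = sorted(i for i, al in addrs.items()
                        if i != egress and any(gw in a.network for a in al))
        where = f"; its prefix is configured on {', '.join(owners)}" if owners else ""
        findings.append(f"route {prefix} via {egress}: gateway {gw} is not on-link{where}")
    return findings

# Constructed sample: statements copied from the posts in this thread.
POSTED = """
set interface "ethernet1" ipv6 ip 2001:470:1f04:87::2/64
set interface "tunnel.1" ipv6 mode "host"
set route ::/0 interface tunnel.1 gateway 2001:470:1f04:87::1
"""
# Constructed variant following the reply: tunnel /64 moved to tunnel.1.
# 2001:db8:87::/64 is a documentation placeholder, not the poster's routed prefix.
SUGGESTED = """
set interface "tunnel.1" ipv6 ip 2001:470:1f04:87::2/64
set interface "ethernet1" ipv6 ip 2001:db8:87::1/64
set route ::/0 interface tunnel.1 gateway 2001:470:1f04:87::1
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, check_gateways(cfg) or "ok")
```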