Tunnel on Centos7 behind pfSense NAT

Started by bunxbun, June 28, 2019, 10:16:29 AM

bunxbun

I am at my wits end on this. I tried all day yesterday to get this to work.

I have the tunnel setup on a Centos VM and I can ping out from it, great.

I enabled this https://docs.netgate.com/pfsense/en/latest/book/config/advanced-networking.html#ipv6-over-ipv4-tunneling but nowhere does it say what IP goes in the "IPv4 address of Tunnel Peer" field. Is it HE's endpoint, or the local behind-NAT IP? Either way, I tried both and it doesn't seem to matter. Also it says firewall rules need to be made, but nowhere does it indicate what those rules look like.

So I checked that, and made firewall rules where the protocol is IPv4 IPV6, the source is the HE endpoint, the destination is my local VM IP and any port. pfSense does seem to match a state to the traffic of this rule. But if I stop traffic for 15 minutes or so, I can't access the VM from the other side of the tunnel until I start pinging from my side of it.

I even tried making a NAT rule on the IPV6 protocol, source HE endpoint, destination my WAN, redirect to my internal VM and any port. Nothing.

I deleted all that and unchecked the IPv6 over IPv4 stuff, and it still works if I ping from my side first. So what was any of the above doing? Seems nothing.

Anyone have any idea how this is supposed to be configured? My Google-fu finds people who say they couldn't do this with a consumer router but got it working with pfSense, but they don't say how...

snarked


bunxbun

Quote from: snarked on June 28, 2019, 10:21:56 AM
Your public address.

Thanks for the reply!

I went to re-enable the "IPv6 over IPv4 Tunneling" and set the tunnel peer to my public IP, however the setting doesn't take. Any time I enable that box and hit save, then leave and come back to that page, it's unchecked again.

Maybe I have found a bug.

snarked

The public address must be pingable (ICMP echo request and reply) even if limited to just HE's tunnel server as the source.

bunxbun

Quote from: snarked on June 28, 2019, 06:58:23 PM
The public address must be pingable (ICMP echo request and reply) even if limited to just HE's tunnel server as the source.

Yeah, my public IP is pingable. I had no issues creating the tunnel and I have no issues talking over it from my VM, but unless my VM is communicating over the link (that is, if I let no traffic go over it for 15 minutes or so), I can no longer access it from the other side of the tunnel until I start communicating from my end again.

So when I start a ping from my end, my NAT/firewall is creating the appropriate states and allowing traffic through. After those time out, access from outside is dropped because I can't get pfSense configured right.

broquea

It's a conntrack issue with your NAT. Either increase/disable the conntrack timer/settings if you can, or you'll need to set up a keepalive like NTP queries over IPv6.
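The keepalive broquea suggests, written out as a small script for the CentOS VM side of the tunnel. This is an added example, not code from the thread or from HE/pfSense; it assumes a tunnel interface named he-ipv6 and uses the documentation address 2001:db8::1 as a placeholder for the "Server IPv6 Address" of your tunnel, and it defaults to a 120-second interval so the NAT state is refreshed well before the ~15-minute idle timeout the thread observed.

```bash
#!/bin/sh
# Added example: keep the pfSense NAT/firewall state for an HE 6in4 (protocol 41)
# tunnel alive by sending one packet of tunnel traffic from the VM at a fixed
# interval, so inbound traffic from the HE side keeps matching an existing state.
# Assumptions (placeholders, not from the thread):
#   TUNNEL_IF - the 6in4 interface on the CentOS VM
#   PEER6     - the HE server-side IPv6 address of the tunnel (2001:db8::1 is a
#               documentation prefix; substitute your tunnel's Server IPv6 Address)
TUNNEL_IF="${TUNNEL_IF:-he-ipv6}"
PEER6="${PEER6:-2001:db8::1}"
INTERVAL="${INTERVAL:-120}"

# Pick a keepalive interval from the NAT's idle timeout (seconds): half of the
# timeout, but never more often than every 30 seconds, so one lost reply does
# not let the state expire.
keepalive_interval() {
  timeout=$1
  half=$((timeout / 2))
  [ "$half" -lt 30 ] && half=30
  echo "$half"
}

# The single probe that refreshes the state: one ICMPv6 echo out the tunnel.
keepalive_cmd() {
  echo "ping6 -c 1 -W 2 -I $TUNNEL_IF $PEER6"
}

# One iteration: only probe while the tunnel interface exists, and log the
# outcome so a dead tunnel shows up in the journal/syslog.
keepalive_once() {
  if ip link show "$TUNNEL_IF" >/dev/null 2>&1; then
    if ping6 -c 1 -W 2 -I "$TUNNEL_IF" "$PEER6" >/dev/null 2>&1; then
      logger -t he-keepalive "reply from $PEER6 via $TUNNEL_IF"
    else
      logger -t he-keepalive "no reply from $PEER6 via $TUNNEL_IF"
    fi
  fi
}

# Run as a long-lived loop when started with "run" (e.g. from a systemd unit);
# otherwise the functions are just defined, which makes the script sourceable.
if [ "${1:-}" = "run" ]; then
  while :; do
    keepalive_once
    sleep "$INTERVAL"
  done
fi
```

Run it with `sh he-keepalive.sh run` from a systemd service; with the observed 15-minute (900 s) idle timeout, `keepalive_interval 900` gives 450 seconds, and the 120-second default leaves a margin for lost replies.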