Using IPv6 on 2.1 with a Tunnel Broker

This article is part of the HOWTO series.

Contents 1 Introduction 2 Pitfalls 3 Sync IPv6 Code 4 Building a Tunnel 4.1 Sign Up 4.2 Enable ICMP 4.3 Create GIF Interface 5 Assign GIF Interface 6 Configure OPT Interface 7 Set Gateway 8 Set Up LAN for IPv6 9 Set Up DHCPv6 10 Add a rule to let IPv6 out 11 Try it out! 12 Keep your Tunnel Endpoint Up-To-Date 13 More information

Introduction

These instructions are adapted from the original document, http://iserv.nl/files/pfsense/ipv6/

Hello, welcome to the page detailing the process of getting experimental IPv6 support in pfSense 2.0 working.

IPv6 support is currently not available in pfSense 2.0, The code detailed below is RELEASE CANDIDATE quality software, it mostly complete but is still a work in progress.

There are some IPv6-ready 2.1-RC images with IPv6 support at http://snapshots.pfsense.org

Pitfalls

If you upgraded your installation from 2.0.x or before to 2.1, you must enable IPv6 support by navigating to System > Advanced on the Networking tab, and checking "Allow IPv6". New 2.1 installs have this option enabled by default.

ICMP is required for IPv6 to work. If you have a firewall in place on your clients, make sure that ICMP over IPv6 is allowed.

If using a tunnel broker account, be sure to pick a provider as close to you as possible. Latency can be a killer and will creep up in strange ways.

Sync IPv6 Code

[removed a bunch of gitsync bits]

Since recent changes in 2.1 make gitsync harmful to come from 2.0.x (binary changes are required), download a new snapshot/upgrade file from http://snapshots.pfsense.org/

Building a Tunnel

Sign Up

I am assuming here that you have already registered for an account with Hurricane Electric or Sixxs on http://www.tunnelbroker.net or www.sixxs.net. After registering an account and getting your first /64 IPv6 assigned you can set up the gif tunnel on the pfSense side.

Enable ICMP

Don't forget that you will need to enable ICMP on the WAN interface, if you block ICMP the tunnelbroker will not allow you to set up a tunnel. The source IP on this rule should be the remote endpoint IP of your gif tunnel, or 'any'.

Create GIF Interface

Now you can navigate to the assign gif interfaces screen on pfSense where you can enter the address information from Hurricane Electric. In some themes, go to Interfaces > (assign) and then click the GIF tab.

• The HE or Sixxs "Server IPv4 address" goes into the "gif remote address"
• The HE or Sixxs "Client IPv6 address" goes into the "gif tunnel local address"
• The HE or Sixxs "Server IPv6 address" goes into the "gif tunnel remote address"

Note that you can use either 128 or 64 for the prefix lengh. Some people have had issues with /64, some have issues with /128, but in most cases, either should work. If you have trouble with one, try the other, but be sure to match it up with the config you use below.

Enter a description and save

Note: If you are attaching a tunnel to a dynamic WAN IP, look at "Keep your Tunnel Endpoint Up-To-Date" later in this document.

Assign GIF Interface

You can the press + on the interfaces assign screen where it will be shown as a OPT interface. In this example, the OPT interface is named HeNetV6.

Configure OPT Interface

With the OPT interface now assigned you can enable the OPT interface from the Interfaces menu and assign the IPv6 bits.

Here you should use the HE "Client IPv6 address" as the interface IPv6 address. You can use a subnet mask of /64 here. You can also use /128 if you chose that on the GIF interface. Some people have had problems using /128, others have had problems using /64. If one doesn't work for you, try the other, but be sure to adjust the mask on the GIF cofiguration as well. Typically one would want 128 bits as it is a tunnel link. This prevents fe80:: link local addresses from appearing on the link.

• The HE or Sixxs "Client IPv6 address" goes into the "IPv6 address" field
• The HE or Sixxs "Server IPv6 address" goes into the "Gateway IPv6" field

The screenshot below shows the already assigned the gateway. You can add a gateway by clicking the "add a new one" link.

Set Gateway

Now you need to edit the IPv6 gateway created in the last step, and select the default gateway bit since this will most likely be your IPv6 default gateway.

• The HE or Sixxs "Server IPv6 address" goes into the "Gateway" field

It should now be listed as online

Set Up LAN for IPv6

You can set up the LAN interface for a combined static ipv4 and ipv6 network. What you need to enter on the LAN IPv6 address is a address in the "Routed /64" subnet that you got from HE. You will need to request another /64 from Sixxs after getting your tunnel working. It is important to note that the routed /64 range is different from the tunnel /64!

The example below uses ::1 as that is the easiest by far. Anything in the routed subnet works.

• The HE or Sixxs "Routed /64" is the basis for the "IPv6 Address" field

Set Up DHCPv6

Of course you want the computers on the LAN to automatically pick up the IPv6 Address instead of assiging it manually. Go to the DHCPv6 Service page. (Services > DHCPv6)

It has a mode option where you can select what sort of router advertisements should be sent. Either unmanaged (advertise only), managed (dhcp6 only) or assisted (use stateless address with dhcp for the dns)

Add a rule to let IPv6 out

Now go to Firewall > Rules on the LAN tab, and add a rule to pass IPv6 traffic out from LAN to any, just like the rule you have for IPv4.

Without an IPv6 allow rule, no traffic will get out.

Try it out!

At this point your LAN client should now pick up a IPv6 Address and find the pfSense router as it is now advertising itself on the LAN. You can check with http://test-ipv6.com if your connection is succesfully detected.

Keep your Tunnel Endpoint Up-To-Date

If you have a dynamic IP on the WAN connecting the tunnel, you can use the "HE.net Tunnelbroker" DynDNS type to update it when your IP changes.

To set that up:

• Go to Services > DynDNS
• Click +
• Set the type to "HE.net Tunnelbroker"
• Select the proper interface
• For "hostname" enter your numeric Tunnel ID from he.net
• Enter your username and password
• Enter a description if you want one
• Save

More information

You can find more information about the IPv6 support in the pfSense forum at http://forum.pfsense.org/index.php/board,52.0.html

World IPv6 Day may have passed, but now you can make every day IPv6 day.

Adapted from http://iserv.nl/files/pfsense/ipv6/