Using IPv6 with a Tunnel Broker

From PFSenseDocs
Jump to: navigation, search
This article is part of the How-To series.


These instructions are adapted from the original document,

Hello, welcome to the page detailing the process of getting IPv6 support with a Tunnel Broker in pfSense 2.1 working.


If the installation of pfSense was upgraded from 2.0.x or before to 2.1, IPv6 support must be enabled by navigating to System > Advanced on the Networking tab, and checking Allow IPv6. New 2.1 installs have this option enabled by default.

ICMP is required for IPv6 to work. If a firewall is in place on clients, make sure that ICMP over IPv6 is allowed.

If using a tunnel broker account, be sure to pick a provider as close to the pfSense firewall as possible. Latency can be a killer and will creep up in strange ways.

Sync IPv6 Code

Be sure to upgrade to the latest pfSense release before attempting this configuration.

Building a Tunnel

Sign Up

This article assumes that an account has already been registered with Hurricane Electric or Sixxs. After registering an account and getting the first /64 IPv6 block assigned, the gif tunnel may be configured on pfSense.

Enable ICMP

Don't forget to enable ICMP on the WAN interface, if ICMP is blocked the tunnelbroker will not allow a tunnel to be configured. The source IP address on this rule should be the remote endpoint IP of the gif tunnel, or any. Ipv6 howto wan icmp.png

Create GIF Interface

Now navigate to the assign gif interfaces screen on pfSense where the address information from Hurricane Electric or Sixxs may be entered. Navigate to Interfaces > (assign), GIF tab.

  • The HE or Sixxs Server IPv4 address goes into the gif remote address
  • The HE or Sixxs Client IPv6 address goes into the gif tunnel local address
  • The HE or Sixxs Server IPv6 address goes into the gif tunnel remote address

The prefix length should be set to 128. After pfSense 2.1.1, the prefix length choosen for the IPv6 tunnel will be ignored and set to a prefix length of 128 since it is the only valid option for a point-to-point IPv6 tunnel configuration.

Enter a Description and click Save.

Note: If a tunnel is being attached to a dynamic WAN IP, look at Keep the Tunnel Endpoint Up-To-Date later in this document.

Ipv6 howto gif config.png

Assign GIF Interface

Click "+" on Interfaces > (assign) and choose the GIF interface to be used for an OPT interface. In this example, the OPT interface is named HeNetV6. Click Save and Apply Changes if they appear.

Ipv6 howto gif assign.png

Configure OPT Interface

With the OPT interface assigned, the OPT interface may be enabled from the Interfaces menu. Keep IPv6 Configuration Type set to None.

Ipv6 howto gif interface.png

MTU Values

If the base interface for this IPv6 connection is a DSL line or other line with a lower MTU, the MTU may need adjusted here and on the other end to accommodate the lower value. On, login to the account and edit the tunnel. In the Advanced options, move the MTU slider (1) until the MTU reads 1452 (2).

Ipv6 howto mtu.png

Set Gateway

A dynamic gateway entry will be automatically created for the tunnel. Now edit it and set the Default Gateway option, keeping the gateway field set to dynamic.

Ipv6 howto gateway settings.png

If all of the settings were entered correctly and the tunnel broker is working, the gateway will now be listed as online

Ipv6 howto gateway status.png

Set Up LAN for IPv6

The LAN interface may be configured for a combined static IPv4 and IPv6 network. The network used for IPv6 addressing on the LAN Interface is an address in the Routed /64 subnet assigned by the tunnel broker. gives one automatically. Another /64 must be requested from Sixxs after getting the tunnel working. It is important to note that the Routed /64 range is different from the Tunnel /64!

The example below uses ::1 as that is the easiest by far. Anything in the routed subnet works.

  • The HE or Sixxs Routed /64 is the basis for the IPv6 Address field

Ipv6 howto lan.png

Set Up DHCPv6

Most configurations will want the computers on the LAN to automatically pick up the IPv6 Address instead of assiging it manually. To set this up, navigate to Services > DHCPv6 Server/RA.

On the Router Advertisements tab, there is a mode option where different types of router advertisement behavior may be chosen. Either unmanaged (advertise only), managed (dhcp6 only) or assisted (use stateless address with dhcp for the dns). See Router Advertisements and DHCPv6 Server for more details.

Ipv6 howto lan dhcpv6.png

Add a rule to let IPv6 out

Now navigate to Firewall > Rules, LAN tab, and add a rule to pass IPv6 traffic out from LAN to any, just like the rule for IPv4.

Without an IPv6 allow rule, no traffic will get out.

Try it out!

At this point a LAN client should be able to pick up an IPv6 Address and find the pfSense firewall as it is now advertising itself on the LAN. This can be checked with if the IPv6 connection is succesfully detected.

Sample page from

Keep the Tunnel Endpoint Up-To-Date

If the WAN connecting the tunnel has a dynamic IP address, the Tunnelbroker DynDNS type may be used to update it when the WAN IP address changes.

To set that up:

  • Navigate to Services > DynDNS
  • Click "+"
  • Set the Type to Tunnelbroker
  • Select the proper Interface
  • For Hostname enter the numeric Tunnel ID from
  • Enter the Username
  • Enter Password OR Update Key from the Advanced tab of the tunnel's settings on Older accounts may not have an Update Key and may use only the password.
  • Enter a Description if desides
  • Click Save

More information

More information about IPv6 support may be found here on the wiki] in the pfSense forum at,52.0.html

World IPv6 Day may have passed, but now every day can be IPv6 day.

Adapted from