Using IPv6 with a Tunnel Broker
- 1 Introduction
- 2 Pitfalls
- 3 Sync IPv6 Code
- 4 Building a Tunnel
- 5 Assign GIF Interface
- 6 Configure OPT Interface
- 7 Set Gateway
- 8 Set Up LAN for IPv6
- 9 Set Up DHCPv6
- 10 Add a rule to let IPv6 out
- 11 Try it out!
- 12 Keep the Tunnel Endpoint Up-To-Date
- 13 More information
These instructions are adapted from the original document, http://iserv.nl/files/pfsense/ipv6/
Hello, welcome to the page detailing the process of getting IPv6 support with a Tunnel Broker in pfSense 2.1 working.
If the installation of pfSense was upgraded from 2.0.x or before to 2.1, IPv6 support must be enabled by navigating to System > Advanced on the Networking tab, and checking Allow IPv6. New 2.1 installs have this option enabled by default.
ICMP is required for IPv6 to work. If a firewall is in place on clients, make sure that ICMP over IPv6 is allowed.
If using a tunnel broker account, be sure to pick a provider as close to the pfSense firewall as possible. Latency can be a killer and will creep up in strange ways.
Sync IPv6 Code
Be sure to upgrade to the latest pfSense release before attempting this configuration.
Building a Tunnel
This article assumes that an account has already been registered with Hurricane Electric or Sixxs. After registering an account and getting the first /64 IPv6 block assigned, the gif tunnel may be configured on pfSense.
Don't forget to enable ICMP on the WAN interface, if ICMP is blocked the tunnelbroker will not allow a tunnel to be configured. The source IP address on this rule should be the remote endpoint IP of the gif tunnel, or any.
Create GIF Interface
Now navigate to the assign gif interfaces screen on pfSense where the address information from Hurricane Electric or Sixxs may be entered. Navigate to Interfaces > (assign), GIF tab.
- The HE or Sixxs Server IPv4 address goes into the gif remote address
- The HE or Sixxs Client IPv6 address goes into the gif tunnel local address
- The HE or Sixxs Server IPv6 address goes into the gif tunnel remote address
The prefix length should be set to 128. After pfSense 2.1.1, the prefix length choosen for the IPv6 tunnel will be ignored and set to a prefix length of 128 since it is the only valid option for a point-to-point IPv6 tunnel configuration.
Enter a Description and click Save.
Note: If a tunnel is being attached to a dynamic WAN IP, look at Keep the Tunnel Endpoint Up-To-Date later in this document.
Assign GIF Interface
Configure OPT Interface
With the OPT interface assigned, the OPT interface may be enabled from the Interfaces menu. Keep IPv6 Configuration Type set to None.
If the base interface for this IPv6 connection is a DSL line or other line with a lower MTU, the MTU may need adjusted here and on the other end to accommodate the lower value. On tunnelbroker.net, login to the account and edit the tunnel. In the Advanced options, move the MTU slider (1) until the MTU reads 1452 (2).
A dynamic gateway entry will be automatically created for the tunnel. Now edit it and set the Default Gateway option, keeping the gateway field set to dynamic.
If all of the settings were entered correctly and the tunnel broker is working, the gateway will now be listed as online
Set Up LAN for IPv6
The LAN interface may be configured for a combined static IPv4 and IPv6 network. The network used for IPv6 addressing on the LAN Interface is an address in the Routed /64 subnet assigned by the tunnel broker. HE.net gives one automatically. Another /64 must be requested from Sixxs after getting the tunnel working. It is important to note that the Routed /64 range is different from the Tunnel /64!
The example below uses ::1 as that is the easiest by far. Anything in the routed subnet works.
- The HE or Sixxs Routed /64 is the basis for the IPv6 Address field
Set Up DHCPv6
Most configurations will want the computers on the LAN to automatically pick up the IPv6 Address instead of assiging it manually. To set this up, navigate to Services > DHCPv6 Server/RA.
On the Router Advertisements tab, there is a mode option where different types of router advertisement behavior may be chosen. Either unmanaged (advertise only), managed (dhcp6 only) or assisted (use stateless address with dhcp for the dns). See Router Advertisements and DHCPv6 Server for more details.
Add a rule to let IPv6 out
Now navigate to Firewall > Rules, LAN tab, and add a rule to pass IPv6 traffic out from LAN to any, just like the rule for IPv4.
Without an IPv6 allow rule, no traffic will get out.
Try it out!
At this point a LAN client should be able to pick up an IPv6 Address and find the pfSense firewall as it is now advertising itself on the LAN. This can be checked with http://test-ipv6.com if the IPv6 connection is succesfully detected.
Keep the Tunnel Endpoint Up-To-Date
If the WAN connecting the tunnel has a dynamic IP address, the HE.net Tunnelbroker DynDNS type may be used to update it when the WAN IP address changes.
To set that up:
- Navigate to Services > DynDNS
- Set the Type to HE.net Tunnelbroker
- Select the proper Interface
- For Hostname enter the numeric Tunnel ID from he.net
- Enter the Username
- Enter Password OR Update Key from the Advanced tab of the tunnel's settings on tunnelbroker.net. Older accounts may not have an Update Key and may use only the password.
- Enter a Description if desides
- Click Save
More information about IPv6 support may be found here on the wiki] in the pfSense forum at http://forum.pfsense.org/index.php/board,52.0.html
World IPv6 Day may have passed, but now every day can be IPv6 day.
Adapted from http://iserv.nl/files/pfsense/ipv6/