How would I set up a HE.net tunnel to route through pfSense so I can have v6 addresses on my servers? I already have the tunnel set up on their end, but there are no instructions for pfSense.
Note: These instructions appear to be incomplete. Read the full post before trying to follow this.
For over a year i have been using m0n0wall for its IPv6 connectivity. It isn't perfect, as m0n0wall still has a lot of IPv6 functionality missing (e.g. traffic shaping). But it does have extraordinarily simple IPv6 Tunnel Broker setup.
Now pfSense 2.1 has been released, with (hopefully) more IPv6 support than m0n0wall. On the other hand, the setup of an IPv6 tunnel is extraordinarily complicated. Now that i've spent three hours trying to make it work, i can finally document my results. It is filled with a lot of confusing, non-obvious, out-of-order, duplicated setup. Furthermore, there are still bugs that can cause your configuration to become invalid, requiring you to delete everything and start over.
Having said all that, here's how you configure IPv6 Hurricane Electric Tunnel Broker in pfSense.
But first the confusing background
But before we can set up anything, we have to take a moment to realize something utterly confusing, non-obvious, non-intuitive:
You do not send IPv6 traffic out your WAN connection
i have two network cards in my router:
WAN: (xl0, 3Com), connected to modem
LAN: (rl0, RealTek), connected to internal LAN hub
But IP (Internet Protocol) traffic does not go out my WAN 3Com interface. My connection to the Internet is through DSL, which means my router uses PPPoE to connect to my ISP.
This means that pfSense creates another interface:
WAN: (PPPoE), connects through PPPoE tunnel to Internet
OPT1: (xl0, 3Com) connected to modem
LAN: (rl0, RealTek) connected to internal LAN hub
So my connection to the internet actually goes out this virtual interface. This becomes important, because only IPv4 goes out this "PPPoE" interface.
In order to have IPv6 support, we will actually be creating a 4th interface; one that is dedicated to only IPv6 traffic:
WAN: (PPPoE), connects through PPPoE tunnel to Internet
WANv6: (HE_GW), connects through HE.net tunnel
OPT1: (xl0, 3Com) connected to modem
LAN: (rl0, RealTek) connected to internal LAN hub
Your Tunnel info
First we need your tunnel information from your TunnelBroker page:
IPv6 Tunnel Endpoints
Server IPv4 Address: 209.51.181.2
Server IPv6 Address: 2001:470:3c10:1178::1 /64
Client IPv6 Address: 2001:470:3c10:1178::2 /64
Routed IPv6 Prefixes
Routed /64: 2001:470:3c11:1178:: /64
This first section contains the addresses related to your tunnel connection to Hurricane Electric (addresses that will be associated with your WAN interface and gateways). The second section is your "LAN" addresses.
Configuring pfSense 2.1 with a Hurricane Electric Tunnel Broker tunnel
Create A New Tunnel Interface
Under Interfaces -> (assign), select the GIF tab, and click the + to add a new tunnel:
Next configure the new GIF options:
Parent interface: WAN
gif remote address: 209.51.181.2 (Server IPv4 Address from HE tunnel details page)
gif tunnel local address: 2001:470:3c10:1178::2 (Client IPv6 Address from HE tunnel details page)
gif remote tunnel address: 2001:470:3c10:1178::1 /64 (Server IPv6 Address from HE tunnel details page)
Description: HE.net IPv6 tunnel
and click Save.
Now your new GIF (Generic Interface) tunnel is configured:
Create a new IPv6 interface
Now that we've created a tunnel, we are going to create a separate IPv6-only interface that will send traffic out that tunnel.
Under Interfaces -> (assign), select the Interface assignments tab, and click the + to add a new interface:
Note: i happen to have an Atheros WiFi adapter, listed as OPT1. Don't let that confuse you.
In the drop-down for the newly added interface, select the previously created GIF 209.51.181.2 (HE.net IPv6 tunnel):
and click Save.
After the interface OPT2 has been created, click it (either in the above list, or in the left menu under Interfaces -> OPT2).
Check Enable interface to reveal the configuration options:
Description: WANv6 (this is to differentiate it from your IPv4 WAN)
IPv6 Configuration Type: Static IPv6
IPv6 address: 2001:470:3c10:1178::2 /64 (Client IPv6 Address from HE tunnel details page)
and click Save.
Click Apply Changes to make the new interface active.
Allow ICMP messages
In order to use IPv6 (and also IPv4) you need to ensure that your router does not attempt to block any ICMP packets. If some security expert tries to tell you that responding to ICMP packets is a security risk and they should be blocked, gently pat them on the head and tell them "of course it is". To allow incoming ICMP packets:
Click Firewall -> Rules
On the WAN tab, click +
Create the rule for IPv4 ICMP packets on the WAN interface:
Action: Pass
Interface: WAN
TCP/IP Version: IPv4
Protocol: ICMP
Description: Allow all IPv4 ICMP packets
Click Save
Click + to add another rule, this time to allow all IPv6 ICMP traffic on the WANv6 interface:
Action: Pass
Interface: WANv6
TCP/IP Version: IPv6
Protocol: ICMP
Description: Allow all IPv6 ICMP packets
Click Save
Click Apply Changes to apply your changes
Enable IPv6 on the pfSense LAN
Now you have to give the pfSense box an IPv6 address on your LAN interface. Just like it has a 192.168.1.1 IPv4 address on the LAN, now you need an IPv6 address. Except this address comes from Hurricane Electric; it is the Routed /64 address they give you.
Click Interfaces -> LAN
Change IPv6 Configuration Type to Static IPv6
Under the Static IPv6 configuration section, enter the routed /64 address provided by tunnelbroker:
Click Save
Click Apply Changes
Enable DHCPv6 Server
In order for clients to get IPv6 addresses, you have to enable the DHCPv6 server, and give it an address range it can assign addresses from.
Click Services -> DHCPv6 Server/RA
Check the Enable DHCPv6 server on LAN interface checkbox to reveal configuration options
In the Range from and to boxes, enter some range of addresses that are inside your Available Range, e.g.
Range: 2001:470:1f:b34::100:0 to 2001:470:1f:b34::100:fff
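A consistency check for the values entered in the steps above, as an added example that is not part of the original answer: it confirms that the tunnel endpoints share one /64, that the LAN address comes from the routed /64 rather than the tunnel /64, and that the DHCPv6 range sits inside the routed prefix. The function name, the LAN address `::1` and the sample range inside `2001:470:3c11:1178::/64` are constructed for illustration.

```python
import ipaddress

def _iface(text):
    # TunnelBroker shows "addr /64" with a space; ipaddress wants "addr/64".
    return ipaddress.ip_interface(text.replace(" ", ""))

def check_plan(server_v4, server_v6, client_v6, routed, lan_addr, dhcp_from, dhcp_to):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if ipaddress.ip_address(server_v4).version != 4:
        problems.append("gif remote address must be the IPv4 tunnel server")
    srv, cli = _iface(server_v6), _iface(client_v6)
    routed_net = ipaddress.ip_network(routed.replace(" ", ""))
    if srv.network != cli.network:
        problems.append("tunnel server and client are not in the same prefix")
    if srv.ip == cli.ip:
        problems.append("tunnel server and client addresses are identical")
    if routed_net.overlaps(cli.network):
        problems.append("routed prefix overlaps the tunnel prefix")
    lan = ipaddress.ip_address(lan_addr)
    if lan in cli.network:
        problems.append("LAN address is from the tunnel /64, not the routed /64")
    elif lan not in routed_net:
        problems.append("LAN address is outside the routed prefix")
    lo, hi = ipaddress.ip_address(dhcp_from), ipaddress.ip_address(dhcp_to)
    if lo not in routed_net or hi not in routed_net:
        problems.append("DHCPv6 range is outside the routed prefix")
    elif lo > hi:
        problems.append("DHCPv6 range start is above its end")
    elif lan in routed_net and lo <= lan <= hi:
        problems.append("DHCPv6 range contains the router's LAN address")
    return problems

# Tunnel details as shown on the page; LAN address and range are constructed.
TUNNEL = ("209.51.181.2", "2001:470:3c10:1178::1 /64",
          "2001:470:3c10:1178::2 /64", "2001:470:3c11:1178:: /64")
GOOD_LAN = "2001:470:3c11:1178::1"
GOOD_RANGE = ("2001:470:3c11:1178::100:0", "2001:470:3c11:1178::100:fff")

if __name__ == "__main__":
    for problem in check_plan(*TUNNEL, GOOD_LAN, *GOOD_RANGE) or ["plan is consistent"]:
        print(problem)
```
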