Sunday, July 1, 2012

pfsense with Hurricane Electric IPv6 Tunnel

Most of the guides that I followed to set up pfsense with a tunnelbroker left me feeling a little confused, so I am going to attempt to write a comprehensive guide here that avoids confusion.
First off, I am assuming you have all of the initial configuration done: pfsense is installed, you have changed to HTTPS, changed your password, you have WAN connectivity, etc. You have to get the right version of pfsense, which is actually a beta, since revamping pfsense for IPv6 apparently turned out to be more of a task than the team anticipated. Change these settings, then go back to the "Manual Update" tab, enable it and begin the update. The firewall will reboot.
The following version worked for me. Note that it says that there is an update available, but when I updated it further it broke everything. I didn't even have normal IPv4 connectivity to my ISP anymore.
Now let us go ahead and make sure Hurricane Electric can ping us. If they can't, the tunnel will not work:

66.220.2.74 is the address you need to create the WAN firewall rule for, allowing its ICMP echo requests (pings) to reach pfsense. If you do an nslookup or dig on it you will see it resolves to arc.he.net. Moving on, let us create a GIF (generic tunnel) interface for our tunnel between pfsense and the tunnelbroker. We do this just like we would add any other physical, GRE or VLAN interface to pfsense:
At this point you might want to bring up your HE.net Tunnel Details page and copy the addresses from there:

Please note: if you lose power, unplug your modem, or otherwise change your public IPv4 address, you WILL have to go into the HE.net page shown above and change the "Client IPv4" address to your new public IPv4 address (the DynDNS setup at the end of this post automates that).
Now we can add the newly created GIF interface so pfsense can use it. I already have mine added, but I am showing it being added here:

Next, go under "System" > "Routing" to configure our tunnel as a gateway for IPv6 traffic to use.
My gateway is already there, but I will show how I set it up.

Now we can go to our interface list, enable the GIF interface we created before (I named mine HETUNNEL) and tell it to use the gateway we just created. If you are doing this in order, just choose the gateway you just created. It isn't in the screenshot below, but it should be in a drop-down box. Mine would be HEipv6GW, as that is what I named it above.

Now we should have a working tunnel. You can check under Status > Gateways; it should say "Online". Possible problems: you entered the wrong IPv6 addresses when setting things up, you forgot the firewall rule that allows the tunnelbroker to ping pfsense on the WAN side, or you forgot to put your public IPv4 address into the tunnel details on the HE.net site. Now all we have to do is set up things on the LAN side.

Don't forget a default IPv6 firewall rule for the LAN!
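As an added example (not code from the original post and not pfsense's own code), the following Python script checks the values from the HE.net Tunnel Details page for the mistakes listed above before you type them into pfsense, and prints the FreeBSD ifconfig/route commands and pf rules that the GIF interface, gateway and firewall-rule steps correspond to underneath the GUI. The interface names em0, em1 and gif0 and all addresses are assumptions or constructed sample values in documentation ranges; only 66.220.2.74 comes from the post.

```python
"""Sanity-check Hurricane Electric tunnel details before entering them into
pfsense, and show the FreeBSD-level configuration the GUI steps amount to.
Added example; not code from the original post or from pfsense itself."""
import ipaddress

# Address HE pings the tunnel endpoint from (taken from the post).
HE_PING_SOURCE = "66.220.2.74"

# IPv4 ranges that can never be the tunnel's client endpoint: RFC 1918,
# CGNAT (RFC 6598), loopback and link-local. Seeing one of these as the
# "Client IPv4" means the WAN is behind NAT and HE cannot ping it.
NON_PUBLIC_V4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def check_tunnel_details(server_ipv4, client_ipv4, server_ipv6, client_ipv6, routed_64):
    """Return a list of problems found in the tunnel details; empty means OK."""
    try:
        srv4 = ipaddress.IPv4Address(server_ipv4)
        cli4 = ipaddress.IPv4Address(client_ipv4)
        srv6 = ipaddress.IPv6Address(server_ipv6)
        cli6 = ipaddress.IPv6Address(client_ipv6)
        # strict=True rejects "2001:db8::1/64": the routed field is a prefix, not a host.
        routed = ipaddress.IPv6Network(routed_64, strict=True)
    except ValueError as exc:
        return [f"unparseable value: {exc}"]

    problems = []
    if any(cli4 in net for net in NON_PUBLIC_V4):
        problems.append(f"client IPv4 {cli4} is not a public address")
    if cli4 == srv4:
        problems.append("client and server IPv4 are identical")

    # Both tunnel endpoints sit in one point-to-point /64 (HE assigns ::1 and ::2).
    endpoint_net = ipaddress.IPv6Network(f"{srv6}/64", strict=False)
    if cli6 not in endpoint_net:
        problems.append("server and client IPv6 are not in the same /64")
    elif srv6 == cli6:
        problems.append("server and client IPv6 are identical")

    # The routed /64 for the LAN is a separate prefix from the endpoint /64.
    if routed.prefixlen != 64:
        problems.append(f"routed prefix {routed} is not a /64")
    elif routed == endpoint_net:
        problems.append("routed /64 is the same prefix as the tunnel endpoints")
    return problems


def freebsd_commands(server_ipv4, client_ipv4, server_ipv6, client_ipv6):
    """The FreeBSD commands the GIF-interface and gateway steps amount to.
    pfsense runs its own equivalent; gif0 is an assumed interface name."""
    return [
        "ifconfig gif0 create",
        f"ifconfig gif0 tunnel {client_ipv4} {server_ipv4}",
        f"ifconfig gif0 inet6 {client_ipv6} {server_ipv6} prefixlen 128",
        f"route add -inet6 default {server_ipv6}",
    ]


def pf_rules(wan_if, lan_if, routed_64):
    """pf equivalents of the two rules the post calls for: let HE's ping source
    reach the WAN address, and a default IPv6 pass rule for the LAN prefix."""
    return [
        f"pass in quick on {wan_if} inet proto icmp from {HE_PING_SOURCE} "
        f"to ({wan_if}) icmp-type echoreq",
        f"pass in quick on {lan_if} inet6 from {routed_64} to any",
    ]


if __name__ == "__main__":
    # Constructed sample values in documentation ranges, not a real tunnel.
    details = dict(server_ipv4="203.0.113.1", client_ipv4="203.0.113.10",
                   server_ipv6="2001:db8:1:1::1", client_ipv6="2001:db8:1:1::2",
                   routed_64="2001:db8:2:1::/64")
    for problem in check_tunnel_details(**details) or ["tunnel details look consistent"]:
        print(problem)
    for line in freebsd_commands(details["server_ipv4"], details["client_ipv4"],
                                 details["server_ipv6"], details["client_ipv6"]):
        print(line)
    for line in pf_rules("em0", "em1", details["routed_64"]):
        print(line)
```

Run it with your own Tunnel Details values substituted in; a client IPv4 flagged as non-public is the NAT case the note above warns about, and a mismatch between the two endpoint addresses is the "wrong IPv6 addresses" failure that leaves the gateway offline.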

Should be good to go then. I do not use DHCPv6 since I have maybe 3 hosts that need to use IPv6 for testing BIND and APACHE with IPv6, so I am not going to write about that here.

If you have a dynamic IP on the WAN connecting the tunnel, you can use the "HE.net Tunnelbroker" DynDNS type to update it when your IP changes.
To set that up:
  • Go to Services > DynDNS
  • Click +
  • Set the type to "HE.net Tunnelbroker"
  • Select the proper interface
  • For "hostname" enter your numeric Tunnel ID from he.net
  • Enter your username and password
  • Enter a description if you want one
  • Save
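pfsense's "HE.net Tunnelbroker" DynDNS type performs this update for you. As an added example (not pfsense's code and not from the original post), here is the same update done from a script so the mechanics are visible: the request goes to HE's update endpoint with HTTP basic auth and the numeric tunnel ID as the hostname, and the one-word reply decides whether the new address is remembered. The endpoint URL (ipv4.tunnelbroker.net/nic/update) and the reply words are assumptions based on HE's DynDNS-style interface; the tunnel ID, credentials and addresses in the code are constructed.

```python
"""Update the HE.net tunnel's client IPv4 endpoint the way the "HE.net
Tunnelbroker" DynDNS type does. Added example, not pfsense's own code.
Assumes HE's DynDNS-style endpoint (nic/update with HTTP basic auth, the
numeric tunnel ID as the hostname) and its one-word replies."""
import base64
import urllib.parse
import urllib.request

UPDATE_URL = "https://ipv4.tunnelbroker.net/nic/update"  # assumed HE endpoint


def build_update_request(tunnel_id, username, password, new_ipv4):
    """Build (without sending) the update request for one tunnel."""
    query = urllib.parse.urlencode({"hostname": str(tunnel_id), "myip": new_ipv4})
    req = urllib.request.Request(f"{UPDATE_URL}?{query}")
    # Credentials travel in the Authorization header, never in the URL,
    # so they do not end up in proxy or web-server access logs.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req


def classify_reply(body):
    """Map the server's reply to (ok, reason). Reply words are DynDNS-style
    and assumed; anything unknown is treated as a failure, not a success."""
    word = body.strip().split(" ", 1)[0].lower()
    known = {
        "good": (True, "endpoint updated"),
        "nochg": (True, "endpoint already current"),
        "badauth": (False, "username or password rejected"),
        "abuse": (False, "blocked for updating too often; stop and back off"),
    }
    return known.get(word, (False, f"unexpected reply: {body.strip()!r}"))


class EndpointUpdater:
    """Sends an update only when the WAN address actually changed, so this can
    run from cron every few minutes without hammering HE's update endpoint."""

    def __init__(self, tunnel_id, username, password, send=None):
        self.tunnel_id = tunnel_id
        self.username = username
        self.password = password
        self.send = send or self._send_http  # injectable for offline testing
        self.last_ip = None

    @staticmethod
    def _send_http(req):
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.read().decode()

    def refresh(self, current_ip):
        """Push current_ip to HE if it differs from the last accepted value."""
        if current_ip == self.last_ip:
            return (True, "unchanged, not sent")
        req = build_update_request(self.tunnel_id, self.username, self.password, current_ip)
        ok, reason = classify_reply(self.send(req))
        if ok:
            self.last_ip = current_ip  # only remember addresses HE accepted
        return (ok, reason)


if __name__ == "__main__":
    # Constructed credentials and address; a fake transport so this runs offline.
    updater = EndpointUpdater(123456, "example-user", "example-pass",
                              send=lambda req: "good 203.0.113.10")
    print(updater.refresh("203.0.113.10"))  # update sent and accepted
    print(updater.refresh("203.0.113.10"))  # same address: nothing sent
```

The updater remembers only addresses HE accepted, so a rejected login does not suppress the retry on the next run, and an unknown reply is never mistaken for success; dropping the `send` argument makes it talk to HE for real.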
Enjoy browsing and testing with IPv6!