First off, I am assuming you have all of the initial configuration done: pfSense is installed, you have changed to HTTPS, changed your password, you have WAN connectivity, etc. You have to get the right version of pfSense, which is actually a beta, since revamping pfSense for IPv6 apparently turned out to be more of a task than the team anticipated. Change these settings, then go back to the "Manual Update" tab, enable it and begin the update. The firewall will reboot.
220.127.116.11 is the address you need to create a rule for. If you do nslookup or dig you will see it resolves to arc.he.net. Moving on, let us create a generic interface for our tunnel between pfSense and the tunnelbroker. We do this just like we are adding any other physical, GRE or VLAN interface to pfSense:
Now we can go ahead and add the newly created GIF interface so pfSense can use it. I already have mine added, but I am showing it being added here:
Next, go under "System" and "Routing" to configure our tunnel as a gateway for IP traffic to use.
My gateway is already there but I will show how I set it up.
Now we can go to our interface list, and enable the GIF interface we created before (I named mine HETUNNEL) and tell it to use the gateway we just created. If you are doing this in order just choose the gateway you just created. It isn't in the screenshot below, but it should be in a drop-down box. Mine would be HEipv6GW as that is what I named it above.
Now we should have a working tunnel. You can check under Status > Gateways; it should say online. Possible problems: you input the wrong IPv6 addresses when setting things up, you forgot the firewall rule to allow the tunnelbroker to ping pfSense on the WAN side, or you forgot to put your public IPv4 address into the tunnel details on the HE.net site. Now all we have to do is set up things on the LAN side.
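The three failure causes listed above can be checked on paper before clicking through the GUI again. The following is an added example, not part of the original post: the dictionary keys and sample addresses are constructed, and it assumes both tunnel endpoints come from the same /64, as HE.net assigns them.

```python
import ipaddress

# RFC 1918 and CGNAT ranges: a WAN address in these means pfSense sits behind NAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample values (documentation ranges), not taken from the page.
SAMPLE = {
    "he_server_v4": "192.0.2.1", "he_client_v4": "198.51.100.7",
    "wan_v4": "198.51.100.7", "wan_icmp_sources": ["192.0.2.1"],
    "gif_local_v6": "2001:db8:1f0a:2b::2", "gif_remote_v6": "2001:db8:1f0a:2b::1",
}

def check_tunnel(cfg):
    """Return a list of problems in a tunnel config dict (empty list = consistent)."""
    problems = []
    try:
        server4 = ipaddress.IPv4Address(cfg["he_server_v4"])
        client4 = ipaddress.IPv4Address(cfg["he_client_v4"])
        wan4 = ipaddress.IPv4Address(cfg["wan_v4"])
        local6 = ipaddress.IPv6Address(cfg["gif_local_v6"])
        remote6 = ipaddress.IPv6Address(cfg["gif_remote_v6"])
        icmp_src = [ipaddress.ip_network(s) for s in cfg["wan_icmp_sources"]]
    except ValueError as exc:
        return [f"unparseable address: {exc}"]

    # Problem 1 from the text: wrong IPv6 addresses on the GIF interface.
    if local6 == remote6:
        problems.append("local and remote tunnel IPv6 addresses are identical")
    elif ipaddress.IPv6Network((local6, 64), strict=False) != \
            ipaddress.IPv6Network((remote6, 64), strict=False):
        problems.append("tunnel IPv6 endpoints are not in the same /64")

    # Problem 2: no WAN rule letting the tunnel server ping the firewall.
    if not any(server4 in net for net in icmp_src if net.version == 4):
        problems.append(f"no WAN ICMP pass rule covers {server4}")

    # Problem 3: HE.net tunnel details do not hold the current public IPv4.
    if any(wan4 in net for net in NON_PUBLIC):
        problems.append("WAN IPv4 is not public; HE.net needs the address seen from outside")
    elif wan4 != client4:
        problems.append(f"HE.net has {client4} on record but WAN is {wan4}")
    return problems

if __name__ == "__main__":
    print(check_tunnel(SAMPLE) or "tunnel config is consistent")
```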
Don't forget a default IPv6 Firewall rule!
Should be good to go then. I do not use DHCPv6, since I have maybe 3 hosts that need to use IPv6 for testing BIND and Apache with IPv6, so I am not going to write about that here.
If you have a dynamic IP on the WAN connecting the tunnel, you can use the "HE.net Tunnelbroker" DynDNS type to update it when your IP changes.
To set that up:
- Go to Services > DynDNS
- Click +
- Set the type to "HE.net Tunnelbroker"
- Select the proper interface
- For "hostname" enter your numeric Tunnel ID from he.net
- Enter your username and password
- Enter a description if you want one