
How to get IPv6 TunnelBroker Working?

How do I get the he.net tunnelbroker working? I followed a few different guides (input from the tunnelbroker example page, http://wiki.ubnt.com/EdgeOS-IPv6_tunnel, etc.) and can ping my server IPv6 address while on the router, but cannot ping6 google.com. It appears that my Windows 8.1 PC is getting an address, but it has no internet access and cannot ping anything. Does Windows 8.1 need something else to get going? Can an Android phone work with IPv6? I see it also gets an address.

 

I am using an ERL on the latest 1.7.0 firmware. The majority of the setup was using the Wizard for initial setup, and the GUI.

 

On that note is there a better way for me to get IPv6 working with Charter? I see something about 6RD (http://kdwink.blogspot.com/2013/05/ipv6-with-charter-communications.html), but understand that even less. 

 

Eth0 - Charter Cable Modem

Eth1 - LAN

Eth2 - Guest LAN

 

show interface

Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
eth0         xx.xxx.xx.xx/24                   u/u  Internet
eth1         192.168.2.1/24                    u/u  LAN
             ROUTED /64 ::1/64
eth2         192.168.3.1/24                    u/u  Guest
ifb_eth0     -                                 u/D
lo           127.0.0.1/8                       u/u
             ::1/128
tun0         Client IPv6 Address               u/u  HE.NET IPv6 Tunnel

 

/* Firewall section of the router config posted in the question:
   one IPv6 ruleset (home-ipv6) and two IPv4 rulesets (WAN_IN, WAN_LOCAL). */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* NOTE(review): no rule in this listing references this group;
           WAN_LOCAL rule 3 accepts ICMP from any source instead. */
        address-group ICMP {
            address 52.0.5.182
            address 54.153.0.97
            address 66.220.2.74
            description "Dsl Reports, TunnelBroker ICMP"
        }
    }
    /* The only IPv6 ruleset in this listing: default drop, accepting only
       traffic that belongs or relates to an existing connection.
       It is attached to eth1 "out" in the interfaces section, so it covers
       IPv6 forwarded towards the LAN, not IPv6 addressed to the router itself. */
    ipv6-name home-ipv6 {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* NOTE(review): the "in" node of eth0 is empty in the interfaces section,
       so this ruleset is defined but not attached there in the posted config. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 4 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* IPv4 traffic addressed to the router; attached to eth0 "local". */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 1 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* Accepts every ICMP type from every source; there is no source
           or icmp type restriction on this rule. */
        rule 3 {
            action accept
            description ICMP
            log disable
            protocol icmp
        }
        /* IP protocol 41 is the 6in4 encapsulation used by the sit tunnel.
           It is accepted only from 66.220.18.42, the same address as the
           remote-ip of tun0 in the interfaces section. */
        rule 4 {
            action accept
            description "Protocol 41"
            destination {
                address PUBLIC-CABLE-IP
            }
            log disable
            protocol 41
            source {
                address 66.220.18.42
            }
        }
        rule 5 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): presumably this turns off reverse-path source checking - confirm. */
    source-validation disable
    syn-cookies enable
}
/* Interface section of the question's config: eth0 is the WAN port, eth1 the LAN
   carrying the routed /64, eth2 the guest LAN, tun0 the 6in4 tunnel. */
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            /* Empty: no ruleset is attached to traffic forwarded in from the WAN,
               although WAN_IN is defined in the firewall section. */
            in {
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.2.1/24
        address ROUTED /64IP::1/64
        description LAN
        duplex auto
        firewall {
            /* IPv6 leaving the router towards the LAN is filtered here. */
            out {
                ipv6-name home-ipv6
            }
        }
        ipv6 {
            dup-addr-detect-transmits 1
            router-advert {
                cur-hop-limit 64
                default-preference high
                link-mtu 0
                /* NOTE(review): managed-flag and other-config-flag are both true, which
                   points clients at DHCPv6, but no DHCPv6 server appears in the service
                   section of this listing - confirm this is intended. */
                managed-flag true
                max-interval 10
                other-config-flag true
                prefix ROUTED /64 ::1/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 2592000
                }
                radvd-options "RDNSS ROUTED /64IP::1 {};"
                reachable-time 0
                retrans-timer 0
                send-advert true
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.3.1/24
        description Guest
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* NOTE(review): tun0 has no firewall node, so nothing in this listing filters
       IPv6 that arrives over the tunnel for the router itself ("local").
       Forwarded IPv6 is only filtered on its way out of eth1 by home-ipv6. */
    tunnel tun0 {
        address CLIENT IPV6 ADDRESS
        description "HE.NET IPv6 Tunnel"
        encapsulation sit
        local-ip 0.0.0.0
        multicast disable
        remote-ip 66.220.18.42
        ttl 255
    }
}
/* Port forwards from the WAN port (eth0) to the LAN host 192.168.2.231:
   TCP 10011, TCP 30033 and UDP 9987, all described as TS3.
   Every forward-to target here is an IPv4 address. */
port-forward {
    /* NOTE(review): presumably lets the router open the matching firewall
       holes for these rules by itself - confirm. */
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description TS3
        forward-to {
            address 192.168.2.231
            port 10011
        }
        original-port 10011
        protocol tcp
    }
    rule 2 {
        description TS3
        forward-to {
            address 192.168.2.231
            port 30033
        }
        original-port 30033
        protocol tcp
    }
    rule 3 {
        description TS3
        forward-to {
            address 192.168.2.231
            port 9987
        }
        original-port 9987
        protocol udp
    }
    wan-interface eth0
}
/* IPv6 default route (::/0) sent out of the tunnel interface tun0.
   The reply later in the thread uses route6 with the tunnel's far-end
   address as next-hop instead of an interface route. */
protocols {
    static {
        interface-route6 ::/0 {
            next-hop-interface tun0 {
            }
        }
    }
}
/* Services running on the router: IPv4 DHCP for both LANs, dynamic DNS,
   DNS forwarding, the web GUI, source NAT and SSH. */
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                dns-server 8.8.8.8
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.3.0/24 {
                default-router 192.168.3.1
                dns-server 192.168.3.1
                lease 86400
                start 192.168.3.38 {
                    stop 192.168.3.243
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                /* login and password are placeholders substituted by the poster. */
                service custom-dnsomatic {
                    host-name all.dnsomatic.com
                    login USER_NAME
                    password USER_PASSWORD
                    protocol dyndns2
                    server updates.dnsomatic.com
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            system
        }
    }
    /* NOTE(review): no listen address is set for the GUI or for SSH below, so they
       presumably answer on every router address, including the IPv6 ones.
       With no IPv6 "local" ruleset on tun0 in this listing, confirm that neither
       is reachable from the internet over the tunnel. */
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
/* System settings: host name, admin login, resolvers, NTP, syslog,
   time zone and traffic analysis. */
system {
    host-name ROUTER_NAME
    login {
        user USER_NAME {
            authentication {
                /* The hash was replaced by a placeholder before posting. Keep it
                   redacted whenever a config is shared: a password hash can be
                   guessed against offline. */
                encrypted-password ENCRYPTED_PASSWORD
                plaintext-password ""
            }
            full-name FULL_USER_NAME
            level admin
        }
    }
    /* One IPv6 and one IPv4 resolver for the router itself. */
    name-server 2620:0:ccc::2
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}
/* Smart-queue shaping on the WAN port eth0: 70mbit download and 4.7mbit upload,
   with identical queue parameters in both directions. */
traffic-control {
    smart-queue QOS {
        download {
            ecn enable
            flows 1024
            fq-quantum 1514
            interval 100ms
            limit 10240
            rate 70mbit
            target 5ms
        }
        upload {
            ecn enable
            flows 1024
            fq-quantum 1514
            interval 100ms
            limit 10240
            rate 4.7mbit
            target 5ms
        }
        wan-interface eth0
    }
}

 

 

USG // TOUGH SWITCH // AC-PRO // AC-LITE

Accepted Solutions

Re: How to get IPv6 TunnelBroker Working?

it seems your config lacks some settings

this is what i use:

/* Firewall rulesets from the reply: two IPv6 rulesets for the tunnel interface
   and two IPv4 rulesets for the WAN port. All four default to drop. */
firewall {
    /* Attached to tun0 "in" (IPv6 forwarded in from the tunnel). Only traffic that
       belongs or relates to an existing connection is accepted, so hosts on the
       routed prefix are not reachable unsolicited. */
    ipv6-name v6_ESTABLISHED {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Attached to tun0 "local" (IPv6 addressed to the router itself). */
    ipv6-name v6_ESTABLISHED_ICMPv6 {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        /* ICMPv6 is accepted only from link-local sources (fe80::/10).
           NOTE(review): ICMPv6 from global addresses that does not relate to an
           existing connection falls through to the default drop. */
        rule 3 {
            action accept
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
    }
    /* Attached to eth0 "in" (IPv4 forwarded in from the WAN). */
    name ESTABLISHED {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Attached to eth0 "local" (IPv4 addressed to the router itself). */
    name ESTABLISHED_HETUNNEL {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        /* ICMP ping is accepted from the single source 66.220.2.74 only.
           NOTE(review): presumably the tunnel broker's ping check host; the same
           address is in the question's "TunnelBroker ICMP" group - confirm. */
        rule 3 {
            action accept
            icmp {
                type-name ping
            }
            protocol icmp
            source {
                address 66.220.2.74
            }
        }
        /* IP protocol 41 carries the 6in4 tunnel. 1.2.3.4 is the poster's placeholder
           for the tunnel endpoint and matches the remote-ip of tun0; keeping the
           source pinned means no other host can send encapsulated IPv6 to the router. */
        rule 4 {
            action accept
            protocol 41
            source {
                address 1.2.3.4
            }
        }
    }
}
/* Interfaces from the reply: eth0 is the WAN port, eth1 the LAN carrying the
   routed prefix, tun0 the 6in4 tunnel. The 2001:470:abcd: addresses are examples. */
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name ESTABLISHED
            }
            /* Must be the ruleset that accepts protocol 41 from the tunnel endpoint. */
            local {
                name ESTABLISHED_HETUNNEL
            }
        }
    }
    ethernet eth1{
        address 2001:470:abcd:bbb1::1/64
        description LAN
        ipv6 {
            /* Router advertisements hand the routed /64 to LAN clients
               (autonomous-flag true) together with two IPv6 name servers. */
            router-advert {
                max-interval 30
                name-server 2001:4860:4860::8888
                name-server 2001:4860:4860::8844
                other-config-flag true
                prefix 2001:470:abcd:bbb1::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 90
                }
            }
        }
    }
    tunnel tun0 {
        address 2001:470:abcd:aaa1::2/64
        description "IPv6 Tunnel"
        encapsulation sit
        /* Both directions are filtered on the tunnel itself: "in" covers IPv6
           forwarded to the LAN, "local" covers IPv6 addressed to the router. */
        firewall {
            in {
                ipv6-name v6_ESTABLISHED
            }
            local {
                ipv6-name v6_ESTABLISHED_ICMPv6
            }
        }
        local-ip 0.0.0.0
        remote-ip 1.2.3.4
    }
}
/* IPv6 default route (::/0) via 2001:470:abcd:aaa1::1, the far end of the
   tunnel /64 configured on tun0. */
protocols {
    static {
        route6 ::/0 {
            next-hop 2001:470:abcd:aaa1::1 {
            }
        }
    }
}

1.2.3.4 is the tunnel endpoint address

2001:470:abcd:aaa1::1 / 2001:470:abcd:aaa1::2 are tunnel addresses

2001:470:abcd:bbb1::/64 is the routed prefix

Also, the firewall must include IPv4 rules for protocol 41 and ICMP, in addition to the IPv6 rules.



All Replies

Re: How to get IPv6 TunnelBroker Working?

I give up for now on getting tunnelbroker to work. I went back to my original setup without IPv6 to start over. Here is what I got working through Charter.

 

Used this guide for the setup, http://www.2mbit.com/edgerouter/6rd.

Charter IPv6 details, https://www.myaccount.charter.com/customers/Support.aspx?SupportArticleID=2665#prep4ip6.

 

To get the public IPv6 from Charter go here, http://www.subnetonline.com/pages/subnet-calculators/ipv4-to-ipv6-converter.php

Input your public IP into the IP box. Click ipv6 condensed. Take 2002::xxxx:xxxx and add xxxx:xxxx to Charter's prefix. Your IPv6 address will look like 2602:100:xxxx:xxxx.

 

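# Stage 1: create the 6rd tunnel (sit encapsulation) and send the IPv6 default
# route through it. One "set" command per line, as the CLI expects.
# NOTE(review): none of these steps attaches an IPv6 firewall ruleset to tun0.
# Until an ipv6-name ruleset is applied to tun0 ("in" and "local"), the router and
# the LAN hosts are presumably reachable inbound on their global IPv6 addresses.
configure
set interfaces tunnel tun0 6rd-prefix '2602::/24'
set interfaces tunnel tun0 address '2602:100:xxxx:xxxx::1/24'
set interfaces tunnel tun0 description 'Charter IPv6 6rd tunnel'
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 local-ip $YOUR-PUBLIC-IP-ADDRESS
set interfaces tunnel tun0 mtu 1472
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 ttl 255
set protocols static route6 '::/0' next-hop '::68.114.165.1' interface tun0
commit
save
# Stage 2: put the derived /64 on the LAN port and advertise it to clients.
# managed-flag and other-config-flag are false and autonomous-flag is true,
# so clients configure their own addresses from the advertised prefix.
configure
set interfaces ethernet eth1 address '2602:100:xxxx:xxxx::1/64'
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth1 ipv6 router-advert link-mtu 1472
set interfaces ethernet eth1 ipv6 router-advert managed-flag false
set interfaces ethernet eth1 ipv6 router-advert max-interval 300
set interfaces ethernet eth1 ipv6 router-advert other-config-flag false
set interfaces ethernet eth1 ipv6 router-advert prefix '2602:100:xxxx:xxxx::/64' autonomous-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix '2602:100:xxxx:xxxx::/64' on-link-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix '2602:100:xxxx:xxxx::/64' valid-lifetime 2592000
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0
set interfaces ethernet eth1 ipv6 router-advert send-advert true
commit
save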

My Android (Samsung S5) phone got the new IP immediately. Had to reboot my Kindle to get the IP. And had to reboot Windows 8.1. www.v6.facebook.com is my test and it works.

 

Scores from http://ipv6-test.com/

Samsung S5 - 19/20

Kindle - 19/20

Windows 8.1 - 17/20 What??

 

Is this how I want to set the firewall up? http://www.2mbit.com/edgerouter/ipv6-no-unsolicit

USG // TOUGH SWITCH // AC-PRO // AC-LITE

Re: How to get IPv6 TunnelBroker Working?

it seems your config lacks some settings

this is what i use:

/* Firewall rulesets from the reply: two IPv6 rulesets for the tunnel interface
   and two IPv4 rulesets for the WAN port. All four default to drop. */
firewall {
    /* Attached to tun0 "in" (IPv6 forwarded in from the tunnel). Only traffic that
       belongs or relates to an existing connection is accepted, so hosts on the
       routed prefix are not reachable unsolicited. */
    ipv6-name v6_ESTABLISHED {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Attached to tun0 "local" (IPv6 addressed to the router itself). */
    ipv6-name v6_ESTABLISHED_ICMPv6 {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        /* ICMPv6 is accepted only from link-local sources (fe80::/10).
           NOTE(review): ICMPv6 from global addresses that does not relate to an
           existing connection falls through to the default drop. */
        rule 3 {
            action accept
            protocol icmpv6
            source {
                address fe80::/10
            }
        }
    }
    /* Attached to eth0 "in" (IPv4 forwarded in from the WAN). */
    name ESTABLISHED {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    /* Attached to eth0 "local" (IPv4 addressed to the router itself). */
    name ESTABLISHED_HETUNNEL {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        /* ICMP ping is accepted from the single source 66.220.2.74 only.
           NOTE(review): presumably the tunnel broker's ping check host; the same
           address is in the question's "TunnelBroker ICMP" group - confirm. */
        rule 3 {
            action accept
            icmp {
                type-name ping
            }
            protocol icmp
            source {
                address 66.220.2.74
            }
        }
        /* IP protocol 41 carries the 6in4 tunnel. 1.2.3.4 is the poster's placeholder
           for the tunnel endpoint and matches the remote-ip of tun0; keeping the
           source pinned means no other host can send encapsulated IPv6 to the router. */
        rule 4 {
            action accept
            protocol 41
            source {
                address 1.2.3.4
            }
        }
    }
}
/* Interfaces from the reply: eth0 is the WAN port, eth1 the LAN carrying the
   routed prefix, tun0 the 6in4 tunnel. The 2001:470:abcd: addresses are examples. */
interfaces {
    ethernet eth0 {
        address dhcp
        description WAN
        firewall {
            in {
                name ESTABLISHED
            }
            /* Must be the ruleset that accepts protocol 41 from the tunnel endpoint. */
            local {
                name ESTABLISHED_HETUNNEL
            }
        }
    }
    ethernet eth1{
        address 2001:470:abcd:bbb1::1/64
        description LAN
        ipv6 {
            /* Router advertisements hand the routed /64 to LAN clients
               (autonomous-flag true) together with two IPv6 name servers. */
            router-advert {
                max-interval 30
                name-server 2001:4860:4860::8888
                name-server 2001:4860:4860::8844
                other-config-flag true
                prefix 2001:470:abcd:bbb1::/64 {
                    autonomous-flag true
                    on-link-flag true
                    valid-lifetime 90
                }
            }
        }
    }
    tunnel tun0 {
        address 2001:470:abcd:aaa1::2/64
        description "IPv6 Tunnel"
        encapsulation sit
        /* Both directions are filtered on the tunnel itself: "in" covers IPv6
           forwarded to the LAN, "local" covers IPv6 addressed to the router. */
        firewall {
            in {
                ipv6-name v6_ESTABLISHED
            }
            local {
                ipv6-name v6_ESTABLISHED_ICMPv6
            }
        }
        local-ip 0.0.0.0
        remote-ip 1.2.3.4
    }
}
/* IPv6 default route (::/0) via 2001:470:abcd:aaa1::1, the far end of the
   tunnel /64 configured on tun0. */
protocols {
    static {
        route6 ::/0 {
            next-hop 2001:470:abcd:aaa1::1 {
            }
        }
    }
}

1.2.3.4 is the tunnel endpoint address

2001:470:abcd:aaa1::1 / 2001:470:abcd:aaa1::2 are tunnel addresses

2001:470:abcd:bbb1::/64 is the routed prefix

Also, the firewall must include IPv4 rules for protocol 41 and ICMP, in addition to the IPv6 rules.
