Emerging Member
Posts: 64
Registered: ‎08-11-2015
Accepted Solution

ipv6 tunnel - help pls to configure

Hi everyone. Last week I tried to configure an IPv6 tunnel, and for some reason nothing works for me. Can you help me set it up?

 

Edgerouter pro, WAN ETH 7 and Local ETH1

My ip:176.101.100.221

 

The tunnel broker gave me the following data:

Network IPv6: 2a03:e2c0:23f:5555::/64
Client IPv6: 2a03:e2c0:23f::2/64
IPv6 Gateway: 2a03:e2c0:23f::1/64
A server to connect to: 193.0.203.203
IPv6 DNS:
2001:4860:4860::8888
2001:4860:4860::8844

 

I followed these instructions and did the following:

 

configure
edit interfaces tunnel tun0
set encapsulation sit
set local-ip 176.101.100.221
set remote-ip 193.0.203.203
set address 2a03:e2c0:23f::2/64
set description "IPv6 Tunnel"
exit
set protocols static interface-route6 ::/0 next-hop-interface tun0
commit
save

ping6 www.google.com

With the new router settings, the tx/rx values in the dashboard section were zero.

No other actions were taken.
I am a complete zero myself when it comes to settings through the CLI. I did it purely according to the instructions)

As I understand it, besides the settings above, I also need to configure the firewall and DHCP?


All Replies
Senior Member
Posts: 3,091
Registered: ‎08-06-2015
Kudos: 1305
Solutions: 176

Re: ipv6 tunnel - help pls to configure

There are a few steps.  Yes, you will need to configure a firewall - ipv6 and ip are completely separate and independent sets of firewall policies.

 

Are you using HE (tunnelbroker.net)?

 

The first step is to confirm your router itself has connectivity.  What does the 'ping6 www.google.com' show from your router CLI?  If that succeeds then your router has IPv6 connectivity.  If not then you'll want to work backwards:

  1. Can you ping the IPv6 address on the other side of your tunnel from your router?  (IE: ping6 2a03:e2c0:23f::1)
  2. Can you ping the IPv4 address on the other side of your tunnel from your router?  (IE: ping 193.0.203.203)

If your ER has IPv6 connectivity, then you would work forward.  The next step would be to configure IPv6 on your other network interfaces using the ipv6 netblock that you've been assigned.  You have a /64 so you would assign that directly to one interface (IE: your LAN).  You can pick any host address but to stick with loose convention you can just keep that at '1':

 

Assuming 'eth1' is your LAN:  "set interfaces ethernet eth1 address '2a03:e2c0:23f:5555::1/64'"

 

Then the last step would be to configure router advertisements (RAs).

 

Before progressing further, if your router has IPv6 connectivity itself you may want to post a sanitized config so everyone is on the same page for the rest.

 

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure


Hi waterside


Are you using HE (tunnelbroker.net)?


No, another in Russian

 


The first step is to confirm your router itself has connectivity.  What does the 'ping6 www.google.com' show from your router CLI?  If that succeeds then your router has IPv6 connectivity.

I think it connected, saw

ubnt@ubnt:~$ ping6 www.google.com
PING www.google.com(arn09s20-in-x04.1e100.net) 56 data bytes
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=1 ttl=56 time=53.2 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=2 ttl=56 time=53.1 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=3 ttl=56 time=53.0 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=4 ttl=56 time=53.0 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=5 ttl=56 time=53.3 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=6 ttl=56 time=52.9 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=7 ttl=56 time=53.1 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=8 ttl=56 time=53.1 ms
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=9 ttl=56 time=53.1 ms         
64 bytes from arn09s20-in-x04.1e100.net: icmp_seq=10 ttl=56 time=53.4 ms        

@waterside wrote:
  1. Can you ping the IPv6 address on the other side of your tunnel from your router?  (IE: ping6 2a03:e2c0:23f::1)
  2. Can you ping the IPv4 address on the other side of your tunnel from your router?  (IE: ping 193.0.203.203)

Yes both ping

PING 2a03:e2c0:23f::1(2a03:e2c0:23f::1) 56 data bytes                           
64 bytes from 2a03:e2c0:23f::1: icmp_seq=1 ttl=64 time=32.3 ms                  
64 bytes from 2a03:e2c0:23f::1: icmp_seq=2 ttl=64 time=32.7 ms                  
64 bytes from 2a03:e2c0:23f::1: icmp_seq=3 ttl=64 time=32.5 ms                  

PING 193.0.203.203 (193.0.203.203) 56(84) bytes of data.                        
64 bytes from 193.0.203.203: icmp_req=1 ttl=56 time=32.6 ms                     
64 bytes from 193.0.203.203: icmp_req=2 ttl=56 time=32.4 ms                     
64 bytes from 193.0.203.203: icmp_req=3 ttl=56 time=32.8 ms                     

@waterside wrote:

There are a few steps.  yes you will need to configure a firewall - ipv6 and ip are completely separate and independent sets of firewall policies.

 

Assuming 'eth1' is your LAN:  "set interfaces ethernet eth1 address '2a03:e2c0:23f:5555::1/64'"

 

Then the last step would be to configure router advertisements (RAs).

 


1. What should be prescribed for firewall settings?
2. set interfaces ethernet eth1 address '2a03:e2c0:23f:5555::1/64' - And then do I go to the dashboard of the router using 192.168.1.1? Or can I add a second one? ex: 192.168.1.1/24 and 2a03:e2c0:23f:5555::1/64?

3. Then the last step would be to configure router advertisements (RAs). - What is it?

 

Can you explain what to do next? Thx)

Senior Member
Posts: 3,091
Registered: ‎08-06-2015
Kudos: 1305
Solutions: 176

Re: ipv6 tunnel - help pls to configure

You appear to have IPv6 connectivity from your router, so that's good.

 

After setting the IPv6 address on your LAN interface devices should be able to start using IPv6, but may need router advertisements.  That is included below.

 

You'll need to use the CLI or the 'config tree' in the GUI to configure IPv6.  The config-tree matches the CLI hierarchy so you should be able to follow:

 

This should configure your LAN interface sufficiently assuming 'eth1' is your LAN (change that if yours is different):

set interfaces ethernet eth1 address '2a03:e2c0:23f:5555::1/64'
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1 
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth1 ipv6 router-advert link-mtu 0      
set interfaces ethernet eth1 ipv6 router-advert max-interval 600 
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844'
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0 
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0 
set interfaces ethernet eth1 ipv6 router-advert send-advert true

 

Note the name-server entries are those you listed, which are Google DNS.  You may change those if desired, or even leave them off since not all devices will use those entries anyway.  Your existing IPv4 DNS server addresses should be more than sufficient.

 

Note that above will provide full open IPv6 access to/from the internet to/from your devices so you will want a firewall.  You may want to configure a firewall for your router first and ensure that works before moving on to adding IPv6 to your LAN.

 

There are some posts with IPv6 firewall configurations that should be helpful and you may find those via some searching here.  You would essentially do the same for IPv6 that you have for IPv4 but with slightly different names.

 

For instance for an ipv4 address group you would use 'set firewall group address-group ...' while you would instead use 'set firewall group ipv6-address-group ...' for IPv6.  For an IPv4 policy you would use 'set firewall name ...' while you would instead use 'set firewall ipv6-name ...' for IPv6.

 

I'll try to find or otherwise post an example to help you get started but I don't have that handy at the moment.  If you are using the GUI, digging down through the config-tree may be helpful too.  IPv6 does have some additional requirements to allow certain traffic, but once a basic configuration is set those can be added easily.

 

Veteran Member
Posts: 7,239
Registered: ‎03-24-2016
Kudos: 1862
Solutions: 822

Re: ipv6 tunnel - help pls to configure

As you only have a single /64 network.....assign the tunnel interface only a fe80::.... link local address, use default interface-route pointing to tunnel,

 

and assign the 2a03:e2c0:23f::2/64 address on LAN interface.

 

 

Senior Member
Posts: 3,091
Registered: ‎08-06-2015
Kudos: 1305
Solutions: 176

Re: ipv6 tunnel - help pls to configure


You missed that he was provided both a /64 for his network and a separate address for his tunnel.  His configuration is correct.

 

The tunnel broker gave me the following data:

Network IPv6: 2a03:e2c0:23f:5555::/64
Client IPv6: 2a03:e2c0:23f::2/64
IPv6 Gateway: 2a03:e2c0:23f::1/64
A server to connect to: 193.0.203.203

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure


Will a firewall config like this be good?

 

name WAN6_IN {
        default-action drop
        description "WAN to internal"
        rule 20 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN6_LOCAL {
        default-action accept
        description "WAN to router"
        rule 10 {
            action drop
            destination {
                port 22
            }
            log disable
            protocol tcp
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
set interfaces tunnel tun0 firewall in ipv6-name WAN6_IN

And the next step, if I understand right, will be

 

set interfaces ethernet eth1 address '2a03:e2c0:23f:5555::1/64'
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits 1 
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit 64
set interfaces ethernet eth1 ipv6 router-advert link-mtu 0      
set interfaces ethernet eth1 ipv6 router-advert max-interval 600 
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8888'
set interfaces ethernet eth1 ipv6 router-advert name-server '2001:4860:4860::8844'
set interfaces ethernet eth1 ipv6 router-advert reachable-time 0 
set interfaces ethernet eth1 ipv6 router-advert retrans-timer 0 
set interfaces ethernet eth1 ipv6 router-advert send-advert true

Am I right? And should DHCP be configured?

 

P.S. My router settings file in the app.

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure

I configured firewall WAN6_IN and WAN6_LOCAL, and the next step

set interfaces tunnel tun0 firewall in ipv6-name WAN6_IN

gave an error message

 

ubnt@ubnt# set interfaces tunnel tun0 firewall in ipv6-name WAN6_IN             
[edit]                                                                          
ubnt@ubnt# commit                                                               
[ interfaces tunnel tun0 firewall in ipv6-name WAN6_IN ]                        
Firewall config error: Rule set WAN6_IN is not configured
Veteran Member
Posts: 7,239
Registered: ‎03-24-2016
Kudos: 1862
Solutions: 822

Re: ipv6 tunnel - help pls to configure

Is firewall ruleset WAN6_IN defined as ipv6 type?

 

Indeed I missed the extra network specification.  Maybe the ISP missed it too, and doesn't route it back to you.

Run tcpdump on WAN interface, and from external IPv6 host ping an ipv6 address in the extra network....and see if it arrives on your tun interface

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure

Can't say for sure. I did as written here.

Senior Member
Posts: 3,091
Registered: ‎08-06-2015
Kudos: 1305
Solutions: 176

Re: ipv6 tunnel - help pls to configure

You want to use 'ipv6-name' instead of 'name'.

 

This might work better:

 

ipv6-name WAN6_IN {
        default-action drop
        description "WAN to internal"
        rule 20 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 40 {                   
            action accept      
            description "Allow ICMPv6"
            log disable               
            protocol icmpv6           
        }                             
}
ipv6-name WAN6_LOCAL {
        default-action accept
        description "WAN to router"
        rule 10 {
            action drop
            destination {
                port 22
            }
            log disable
            protocol tcp
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 40 {                   
            action accept      
            description "Allow ICMPv6"
            log disable               
            protocol icmpv6           
        }                             
}

Note that I added a rule 40 to both - IPv6 requires at least some ICMP traffic to pass both to the router and to individual hosts.  Your default action on your WAN6_LOCAL is to 'accept' but I wasn't sure if that was intentional - if so then you don't need the rule 40 there since the default will suffice.

 

Once you have that firewall configuration applied you'll want to verify that your IPv6 connectivity still works from your router using the same pings as before.  Then you can add the IPv6 configuration to your eth1.

 

Keep taking it one step at a time and you'll get there.  Once you have the ipv6 configuration on your eth1 you may find one or more devices automatically get a globally-routable IPv6 address in your allocated block or you may need to reboot/restart your devices.  Pick one first and get that working, then the rest should follow.

 

Most devices are configured to autoconfigure IPv6 by default and the router advertisements may trigger that.  You can use a site such as http://ipv6-test.com or https://test-ipv6.com to help confirm IPv6 connectivity from your devices.
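
As an added example (not from the thread or from Ubiquiti), a small Python audit of an EdgeOS configuration for three issues raised in this exchange: a ruleset created under 'name' but bound as 'ipv6-name' (the cause of the "Rule set WAN6_IN is not configured" commit error), a tunnel with no IPv6 ruleset bound in a direction, and an IPv6 ruleset whose default-action is accept. The sample config is constructed, the finding codes are made up for this example, and treating every tunnel interface as internet-facing is an assumption.

```python
"""Audit an EdgeOS config for the IPv6 firewall mistakes seen in this thread."""

# Constructed sample in EdgeOS 'show configuration' form (not the poster's file).
SAMPLE = """
firewall {
    name WAN6_IN {
        default-action drop
        description "WAN to internal"
    }
    ipv6-name WAN6_LOCAL {
        default-action accept
        rule 10 {
            action drop
            protocol tcp
        }
    }
}
interfaces {
    ethernet eth1 {
        address 2a03:e2c0:23f:5555::1/64
    }
    tunnel tun0 {
        encapsulation sit
        firewall {
            in {
                ipv6-name WAN6_IN
            }
        }
    }
}
"""


def parse(text):
    """Turn the brace-delimited config into nested dicts; leaves become lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            node = stack[-1]
            for part in line[:-1].split():      # e.g. "ipv6-name WAN6_IN {"
                node = node.setdefault(part, {})
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1].setdefault(key, []).append(value.strip().strip("\"'"))
    return root


def audit(cfg):
    """Return (code, subject) findings. Assumes tunnel interfaces face the internet."""
    fw = cfg.get("firewall", {})
    v4_sets, v6_sets = fw.get("name", {}), fw.get("ipv6-name", {})
    findings = []
    for name, ruleset in v6_sets.items():
        if ruleset.get("default-action") == ["accept"]:
            findings.append(("DEFAULT_ACCEPT", name))
    for iftype, ifaces in cfg.get("interfaces", {}).items():
        for ifname, body in ifaces.items():
            if not isinstance(body, dict):
                continue
            bound = body.get("firewall", {})
            for direction in ("in", "local"):
                refs = bound.get(direction, {}).get("ipv6-name", [])
                if iftype == "tunnel" and not refs:
                    findings.append(("UNBOUND", f"{ifname}/{direction}"))
                for ref in refs:
                    if ref not in v6_sets:
                        code = "WRONG_FAMILY" if ref in v4_sets else "UNDEFINED"
                        findings.append((code, f"{ifname}/{direction} -> {ref}"))
    return findings


if __name__ == "__main__":
    for code, subject in audit(parse(SAMPLE)):
        print(f"{code:15} {subject}")
```
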

 

 

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure


I did as you wrote, and the ping works.
The only thing is, I probably have to configure a DHCPv6 server as well? The AP is not getting an IP.

Something I did wrong, I do not get IPv6. Can you see where I went wrong? Settings file in the application (UI router screen)

Senior Member
Posts: 3,091
Registered: ‎08-06-2015
Kudos: 1305
Solutions: 176

Re: ipv6 tunnel - help pls to configure

Do any other devices configure an IPv6 address?

 

Is the AP a UniFi or a different brand?

 

You may need to add a prefix option to your router-advert section.  A prefix should already be configured by default but perhaps these are still needed (I usually include them anyway):

set interfaces ethernet eth1 ipv6 router-advert prefix '::/64' autonomous-flag true
set interfaces ethernet eth1 ipv6 router-advert prefix '::/64' on-link-flag true

Many devices do not need DHCPv6 and will use autoconfiguration.  If you do need to enable and configure DHCPv6 you may want to change the managed-flag to true:

 

set interfaces ethernet eth1 ipv6 router-advert managed-flag true

This indicates devices should configure using DHCPv6 in addition to autoconf, but as with much else with IPv6 not all devices will use this flag.

 

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure


And is that how it should be, two IP addresses on Local ETH1?
192.168.1.1/24 and 2a03:e2c0:23f:5555::/64

index.png

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure


@waterside wrote:

Do any other devices configure an IPv6 address?

 

Is the AP a UniFi or a different brand?

 


two UniFi AP outdoor+ and UniFi AP AC LR

Senior Member
Posts: 3,091
Registered: ‎08-06-2015
Kudos: 1305
Solutions: 176

Re: ipv6 tunnel - help pls to configure

Yes you would (should) see both an IPv4 and IPv6 address on the router interfaces, such as eth1 so your screenshot looks good.

 

I haven't checked the current state of IPv6 for management of UniFi APs, but it would still be new.  With 3.9.x firmware I do see an autoconfigured address on 'br0' on those I have checked (IE: no dhcpv6 required).

 

If you have other devices you may want to use those as tests instead.

Emerging Member
Posts: 64
Registered: ‎08-11-2015

Re: ipv6 tunnel - help pls to configure

It works! Works))) Cheers))) finally the VPN in the furnace
THANKS!
New Member
Posts: 28
Registered: ‎10-10-2017
Kudos: 1

Re: ipv6 tunnel - help pls to configure

I read through this thread as the problems experienced are similar to mine. Only thing is that I'm still trying to grasp the CLI commands and follow through, so I'm getting lost along the way as some parts don't pertain to me.

 

Running an Edgerouter X as a 1 LAN device and the other ports running as a switch. I followed the instructions on the web page https://help.ubnt.com/hc/en-us/articles/204976104-EdgeRouter-IPv6-Tunnel-Broker and set a rule to allow an ICMP ping from the IPv6 server.

 

Everything appears correctly configured as per the instructions on the UBNT help page. I can ping out to IPv6 addresses but I can't actually open web pages up. IPv6 tests all fail (other than the ping).

 

Hopefully someone can shed some light on this for me.
