9

How would I set up an HE.net tunnel to route through pfSense so I can have v6 addresses on my servers? I already have the tunnel set up on their end, but there are no instructions for pfSense.

studiohack
Jacob

1 Answer

10

Note: These instructions appear to be incomplete. Read the full post before trying to follow this.


For over a year i have been using m0n0wall for its IPv6 connectivity. It isn't perfect, as m0n0wall still has a lot of IPv6 functionality missing (e.g. traffic shaping). But it does have extraordinarily simple IPv6 Tunnel Broker setup.

Now pfSense 2.1 has been released, with (hopefully) more IPv6 support than m0n0wall. On the other hand, the setup of an IPv6 tunnel is extraordinarily complicated. Now that i've spent three hours trying to make it work, i can finally document my results. It is filled with a lot of confusing, non-obvious, out-of-order, duplicated setup. Furthermore, there are still bugs that can cause your configuration to become invalid, requiring you to delete everything and start over.

Having said all that, here's how you configure IPv6 Hurricane Electric Tunnel Broker in pfSense.

But first the confusing background

But before we can setup anything, we have to take a moment to realize something utterly confusing, non-obvious, non-intuitive:

You do not send IPv6 traffic out your WAN connection

i have two network cards in my router:

  • WAN: (xl0, 3Com), connected to modem
  • LAN: (rl0, RealTek), connected to internal LAN hub

But IP (Internet Protocol) traffic does not go out my WAN 3Com interface. My connection to the Internet is through DSL, which means my router uses PPPoE to connect to my ISP.

This means that pfSense creates another interface:

  • WAN: (PPPoE), connects through PPPoE tunnel to Internet
  • OPT1: (xl0, 3Com) connected to modem
  • LAN: (rl0, RealTek) connected to internal LAN hub

So my connection to the internet actually goes out this virtual interface. This becomes important, because only IPv4 goes out this "PPPoE" interface.

In order to have IPv6 support, we will actually be creating a 4th interface; one that is dedicated to only IPv6 traffic:

  • WAN: (PPPoE), connects through PPPoE tunnel to Internet
  • WANv6: (HE_GW), connects through HE.net tunnel
  • OPT1: (xl0, 3Com) connected to modem
  • LAN: (rl0, RealTek) connected to internal LAN hub

Your Tunnel info

First we need your tunnel information from your TunnelBroker page:

IPv6 Tunnel Endpoints

  • Server IPv4 Address: 209.51.181.2
  • Server IPv6 Address: 2001:470:3c10:1178::1 /64
  • Client IPv6 Address: 2001:470:3c10:1178::2 /64

Routed IPv6 Prefixes

  • Routed /64: 2001:470:3c11:1178:: /64

The first section lists the addresses related to your tunnel connection to Hurricane Electric (addresses that will be associated with your WAN interface and gateways). The second section is your "LAN" addresses.

Configuring pfSense 2.1 with a Hurricane Electric Tunnel Broker tunnel

Create A New Tunnel Interface

  1. Under Interfaces -> (assign), select the GIF tab, and click the + to add a new tunnel:


  2. Next configure the new GIF options:

    • Parent interface: WAN
    • gif remote address: 209.51.181.2 (Server IPv4 Address from HE tunnel details page)
    • gif tunnel local address: 2001:470:3c10:1178::2 (Client IPv6 Address from HE tunnel details page)
    • gif remote tunnel address: 2001:470:3c10:1178::1 /64 (Server IPv6 Address from HE tunnel details page)
    • Description: HE.net IPv6 tunnel


    and click Save.

    Now your new GIF (Generic Interface) tunnel is configured:


Create a new IPv6 interface

Now that we've created a tunnel, we are going to create a separate IPv6-only interface that will send traffic out that tunnel.

  1. Under Interfaces -> (assign), select the Interface assignments tab, and click the + to add a new interface:


    Note: i happen to have an Atheros WiFi adapter, listed as OPT1. Don't let that confuse you.

  2. In the drop-down for the newly added interface, select the previously created `GIF 209.51.181.2 (HE.net IPv6 tunnel)`:


    and click Save.

  3. After the interface OPT2 has been created, click it (either in the above list, or in the left menu under Interfaces -> OPT2).

  4. Check Enable interface to reveal the configuration options:

    • Description: WANv6 (this is to differentiate it from your IPv4 WAN)
    • IPv6 Configuration Type: Static IPv6
    • IPv6 address: 2001:470:3c10:1178::2 /64 (Client IPv6 Address from HE tunnel details page)


    and click Save.

  5. Click Apply Changes to make the new interface active.

Allow ICMP messages

In order to use IPv6 (and also IPv4) you need to ensure that your router does not attempt to block any ICMP packets. If some security expert tries to tell you that responding to ICMP packets is a security risk and they should be blocked, gently pat them on the head and tell them "of course it is". To allow incoming ICMP packets:

  1. Click Firewall -> Rules

  2. On the WAN tab, click +


  3. Create the rule for IPv4 ICMP packets on the WAN interface:

    • Action: Pass
    • Interface: WAN
    • TCP/IP Version: IPv4
    • Protocol: ICMP
    • Description: Allow all IPv4 ICMP packets
    • Click Save


  4. Click + to add another rule, this time to allow all IPv6 ICMP traffic on the WANv6 interface:

    • Action: Pass
    • Interface: WANv6
    • TCP/IP Version: IPv6
    • Protocol: ICMP
    • Description: Allow all IPv6 ICMP packets
    • Click Save


  5. Click Apply Changes to apply your changes

Enable IPv6 on the pfSense LAN

Now you have to give the pfSense box an IPv6 address on your LAN interface. Just like it has a 192.168.1.1 IPv4 address on the LAN, now you need an IPv6 address. Except this address comes from Hurricane Electric; it is the Routed /64 address they give you.

  1. Click Interfaces -> LAN

  2. Change IPv6 Configuration Type to Static IPv6

  3. Under the Static IPv6 configuration section, enter the routed /64 address provided by tunnelbroker:


  4. Click Save

  5. Click Apply Changes

Enable DHCPv6 Server

In order for clients to get IPv6 addresses, you have to enable the DHCPv6 server, and give it an address range it can assign addresses from.

  1. Click Services -> DHCPv6 Server/RA

  2. Check the Enable DHCPv6 server on LAN interface checkbox to reveal configuration options

  3. In the Range from and to boxes, enter some range of addresses that are inside your Available Range, e.g.

    Range: 2001:470:1f:b34::100:0 to 2001:470:1f:b34::100:fff

Ian Boyd
  • i never got to finish the steps and the screenshots. i came across a bug that causes pfSense to endlessly reboot without any way to recover except wipe the hard-drive. pfSense 2.1 doesn't support IPv6 fully anyway (traffic shaping); so i switched to monowall beta. It doesn't support IPv6 either (traffic shaping). – Ian Boyd Oct 18 '13 at 23:56
  • It might be nice to note this at the top of your post so people don't get disappointed when your instructions peter out. – chicks Mar 08 '17 at 14:27
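
The answer separates two sets of HE.net addresses: the tunnel /64 (used on the GIF and WANv6 interface) and the routed /64 (used on the LAN and for the DHCPv6 range). The following added example, which is not part of the original answer or of pfSense, checks an address plan for the mix-ups that separation invites. `check_tunnel_plan` is a hypothetical helper name, and the second DHCPv6 range in the sample run is constructed for illustration.

```python
import ipaddress

def check_tunnel_plan(server_v6, client_v6, routed_prefix, dhcp_from, dhcp_to):
    """Return a list of problems found in an HE.net tunnel address plan."""
    problems = []
    server = ipaddress.IPv6Interface(server_v6)
    client = ipaddress.IPv6Interface(client_v6)
    routed = ipaddress.IPv6Network(routed_prefix)
    lo = ipaddress.IPv6Address(dhcp_from)
    hi = ipaddress.IPv6Address(dhcp_to)

    # Both tunnel endpoints live in the same point-to-point /64.
    if server.network != client.network:
        problems.append("tunnel endpoints are in different networks")
    if server.ip == client.ip:
        problems.append("server and client tunnel addresses are identical")

    # The routed prefix is for the LAN and must not overlap the tunnel /64.
    if routed.overlaps(client.network):
        problems.append("routed prefix overlaps the tunnel network")

    # The DHCPv6 pool must be carved out of the routed prefix.
    for label, addr in (("start", lo), ("end", hi)):
        if addr not in routed:
            problems.append(f"DHCPv6 range {label} {addr} is outside {routed}")
    if lo > hi:
        problems.append("DHCPv6 range start is above its end")
    return problems

# Tunnel details as listed in the answer.
TUNNEL = ("2001:470:3c10:1178::1/64", "2001:470:3c10:1178::2/64",
          "2001:470:3c11:1178::/64")

if __name__ == "__main__":
    # The sample range shown in the answer's DHCPv6 step.
    for p in check_tunnel_plan(*TUNNEL, "2001:470:1f:b34::100:0",
                               "2001:470:1f:b34::100:fff"):
        print("page range:", p)
    # Constructed range inside the routed /64 from the tunnel details.
    print(check_tunnel_plan(*TUNNEL, "2001:470:3c11:1178::100:0",
                            "2001:470:3c11:1178::100:fff"))
```

Run against the values on this page, the sample DHCPv6 range is reported as outside the routed /64 from the tunnel details, so the range has to be rewritten with your own routed prefix before it is entered.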