HE tunnel broker on ZTE MF286D

My ISP does not offer IPv6 at all, so I am adding a Hurricane Electric (HE) tunnelbroker 6in4 tunnel on OpenWrt 24.10.0 running on a ZTE MF286D.
The router sits behind a company network (NAT), and I have no control over the public IPv4 address or the company's IT infrastructure.

I created a new HE tunnelbroker.net tunnel. It did not give me a routed /48, and I don't know how to enable one.

Server IPv4 Address:216.66.80.90
Server IPv6 Address:2001:470:27:3c1::1/64
Client IPv4 Address:77.91.218.123
Client IPv6 Address:2001:470:27:3c1::2/64
Routed /64:2001:470:28:3b7::/64
Anycast IPv6 Caching Nameserver:2001:470:20::2
Anycast IPv4 Caching Nameserver:74.82.42.42
DNS over HTTPS / DNS over TLS:ordns.he.net

I am following these guides:

Since I want to prioritize the IPv4 WAN, I set a high metric (2048) on wan6.
Basically I add these to network config:

# HE 6in4 tunnel: IPv6 carried inside IPv4 protocol-41 packets.
config interface 'wan6'
        option proto '6in4'
        # 1480 = 1500 minus the 20-byte outer IPv4 header; lower it if the
        # IPv4 path to the peer has a smaller MTU.
        option mtu '1480'
        # Local IPv4 endpoint. This is the private, NAT-ed address; the public
        # 77.91.218.123 belongs to the company NAT, not to this router.
        option ipaddr '192.168.80.55'
        # HE tunnel server ("Server IPv4 Address" in the tunnel details).
        option peeraddr '216.66.80.90'
        # Our end of the point-to-point /64 ("Client IPv6 Address"): ::2.
        # ::1 is the server end and must not be configured here.
        option ip6addr '2001:470:27:3c1::2/64'
        # Prefix handed to the LAN through ip6assign ("Routed /64").
        option ip6prefix '2001:470:28:3b7::/64'
        # Credentials for HE's endpoint-update call (only needed when the
        # public IPv4 changes). Keep the real values out of pasted configs.
        option tunnelid '984056'
        option username 'USERNAME'
        option password 'PASSWORD'
        # Orders routes inside the IPv6 table only. It does not make a
        # dual-stack host prefer IPv4 over IPv6; that is client-side address
        # selection, so a broken IPv6 path still stalls AAAA destinations.
        option metric '2048'

# Redundant: the 6in4 handler installs its own IPv6 default route unless
# that is disabled in the interface config, so this yields a second
# 'default dev 6in4-wan6' entry in `ip -6 route`.
config route6
        option interface 'wan6'
        option target '::/0'

And I add these to firewall config:

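# Accept the outer IPv4 protocol-41 packets that carry the 6in4 tunnel.
# 6in4 has no authentication or encryption, so do not accept protocol 41
# from every WAN source: pin the rule to the HE tunnel server so other hosts
# cannot feed encapsulated IPv6 into the router. The rule name is kept for
# continuity, but this is 6in4 (static tunnel), not 6to4.
config rule
        option name '6to4'
        option target 'ACCEPT'
        option src 'wan'
        option proto '41'
        option src_ip '216.66.80.90'
        option family 'ipv4'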

I have the following full active config:


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # Local ULA prefix; a /64 of it is announced on the LAN next to the
        # HE routed /64.
        option ula_prefix 'fd9e:fe62:a252::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # Take a slice of each delegated prefix for the LAN. With only a /64
        # delegated from wan6, the whole 2001:470:28:3b7::/64 lands on br-lan.
        option ip6assign '60'

# IPv4 uplink into the company network (DHCP, private address).
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # Preferred IPv4 default route; unrelated to IPv6 route selection.
        option metric '10'

# HE 6in4 tunnel: IPv6 carried inside IPv4 protocol-41 packets.
config interface 'wan6'
        option proto '6in4'
        # 1480 = 1500 minus the 20-byte outer IPv4 header; lower it if the
        # IPv4 path to the peer has a smaller MTU.
        option mtu '1480'
        # Local IPv4 endpoint (private, behind the company NAT).
        option ipaddr '192.168.80.55'
        # HE tunnel server ("Server IPv4 Address").
        option peeraddr '216.66.80.90'
        # Our end of the point-to-point /64 ("Client IPv6 Address"): ::2.
        # ::1 is the server end and must not be configured here.
        option ip6addr '2001:470:27:3c1::2/64'
        # Prefix handed to the LAN through ip6assign ("Routed /64").
        option ip6prefix '2001:470:28:3b7::/64'
        # Credentials for HE's endpoint-update call; keep real values out of
        # pasted configs.
        option tunnelid '984056'
        option username 'USERNAME'
        option password 'PASSWORD'
        # Orders routes inside the IPv6 table only; it does not make a
        # dual-stack host prefer IPv4 over IPv6.
        option metric '2048'

# Redundant: the 6in4 handler already installs an IPv6 default route unless
# disabled in the interface config (see the two default entries in
# `ip -6 route` below).
config route6
        option interface 'wan6'
        option target '::/0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        # Default-deny for inbound and forwarded traffic; zones and rules
        # open only what is needed.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Both the IPv4 uplink and the 6in4 tunnel sit in the 'wan' zone, so IPv6
# arriving through the tunnel gets the same REJECT input/forward policy and
# must be opened by explicit rules (e.g. the ICMPv6 rules below).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NAT for IPv4 only (IPv6 uses a separate masq6 option); the routed
        # /64 is forwarded natively.
        option masq '1'
        # MSS clamping to the egress MTU; matters for the smaller tunnel MTU.
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# OpenWrt default IPv4 rules: DHCP client renewals, inbound ping and IGMP.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Inbound ping on the router itself. HE checks reachability of the public
# IPv4 by ping, but that address is terminated by the company NAT, so this
# rule only matters if the NAT forwards ICMP to 192.168.80.55.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# OpenWrt default: DHCPv6 client replies. Not used by the 6in4 tunnel
# (addresses are static), kept as a harmless default.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# OpenWrt default: MLD, accepted only from link-local sources.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 to the router. Do not drop these: 'packet-too-big' is what makes
# path-MTU discovery work across the tunnel, whose MTU is below 1500.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        # Rate limit so the accept cannot be used to flood the router.
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Same error/echo types forwarded to LAN hosts on the routed /64, which are
# globally reachable once the tunnel is up.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# OpenWrt default rules forwarding IPsec (ESP and IKE/ISAKMP) from wan into
# the LAN. Unrelated to the HE tunnel; if nothing on the LAN terminates
# IPsec, removing both narrows the exposed surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

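# Accept the outer IPv4 protocol-41 packets that carry the 6in4 tunnel.
# 6in4 has no authentication or encryption, so do not accept protocol 41
# from every WAN source: pin the rule to the HE tunnel server so other hosts
# cannot feed encapsulated IPv6 into the router. The rule name is kept for
# continuity, but this is 6in4 (static tunnel), not 6to4.
config rule
        option name '6to4'
        option target 'ACCEPT'
        option src 'wan'
        option proto '41'
        option src_ip '216.66.80.90'
        option family 'ipv4'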

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # Reject upstream answers that point at private ranges (DNS rebinding
        # protection); keep this on even when resolving over the tunnel.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Answer only clients on directly attached subnets; with the routed
        # /64 reachable from the Internet this keeps dnsmasq from being an
        # open resolver.
        option localservice '1'
        option ednspacket_max '1232'
        # Both address families are returned to clients; no AAAA filtering.
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # Router advertisements plus DHCPv6 on the LAN; SLAAC enabled and the
        # M/O flags set, so clients may get addresses from either mechanism.
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP/RA service on the uplink.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

And my network status:

root@OpenWrt:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
4: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
6: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:61 brd ff:ff:ff:ff:ff:ff
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
8: wwan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether d6:b9:06:01:b3:c9 brd ff:ff:ff:ff:ff:ff
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
10: 6in4-wan6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/sit 192.168.80.55 peer 216.66.80.90
root@OpenWrt:~# ip route show
default via 192.168.80.1 dev wan proto static src 192.168.80.55 metric 10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.80.0/24 dev wan proto static scope link metric 10
216.66.80.90 via 192.168.80.1 dev wan proto static metric 10
root@OpenWrt:~# ip -6 route show
default from 2001:470:27:3c1::/64 dev 6in4-wan6 proto static metric 2048 pref medium
default from 2001:470:28:3b7::/64 dev 6in4-wan6 proto static metric 2048 pref medium
2001:470:27:3c1::/64 dev 6in4-wan6 proto static metric 2048 pref medium
2001:470:28:3b7::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:470:28:3b7::/64 dev lo proto static metric 2147483647 pref medium
fd9e:fe62:a252::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd9e:fe62:a252::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
default dev 6in4-wan6 proto static metric 2048 pref medium

It works with ping6:

root@OpenWrt:~# ping6 -c2 www.google.com
PING www.google.com (2a00:1450:4002:410::2004): 56 data bytes
64 bytes from 2a00:1450:4002:410::2004: seq=0 ttl=117 time=33.929 ms
64 bytes from 2a00:1450:4002:410::2004: seq=1 ttl=117 time=34.117 ms

--- www.google.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 33.929/34.023/34.117 ms

However, running "opkg update" just times out.
I also tried:

root@OpenWrt:~# curl -v https://downloads.openwrt.org/releases/24.10.0/targets/ipq40xx/generic/packages/Packages.gz
* Connection timed out after 300196 milliseconds
curl: (28) Connection timed out after 300196 milliseconds

If I bring the problematic wan6 interface down with `ifdown wan6`, the router can reach the Internet again and opkg update works.
But then I lost the IPv6 access to HE, this is not what I want.
Could someone help to check what I am missing? Thanks in advance!

:warning: In addition to the public IP answering ping (ICMP echo-request, which HE checks), you also need IP protocol 41 forwarded from that public IP to your device.

This statement is unclear.

  • Were you issued a /48 in TunnelBroker?
  • Is it assigned to your tunnel (appearing on the list)?

Edit:

  • You seem to imply it's impossible.
  • I thought that to be issued a /48 these days, you had to reach a certain IPv6 certification level. The tunnel setup is covered, unless you used some native IPv6 to complete the exams (or pay). :thinking:

Thanks for the help. You made the point about the routed /48, so I will put it aside for now.

ping 77.91.218.123 is possible from outside the company.

I think I have been able to ping6 www.google.com (see the logs in the original post):

root@OpenWrt:~# ping6 -c2 www.google.com
PING www.google.com (2a00:1450:4002:410::2004): 56 data bytes
64 bytes from 2a00:1450:4002:410::2004: seq=0 ttl=117 time=33.929 ms
64 bytes from 2a00:1450:4002:410::2004: seq=1 ttl=117 time=34.117 ms

Does this imply that the company's network forwards the IP proto 41?
I have also tried from outside the company:

$ sudo nmap -sO -P0 -p41 77.91.218.123
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-18 10:45 +0200
Nmap scan report for static123-218.cust.gastabud.com (77.91.218.123)
Host is up.

PROTOCOL STATE         SERVICE
41       open|filtered ipv6

Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds

So I suppose it is blocked? (nmap reports `open|filtered`, which only means it got no reply, so this scan cannot tell a firewall drop from a host that quietly accepts protocol 41.) Is it possible to work around it?

No. Have you requested they forward this traffic to you?

Your ISP (here, the company NAT) might A) allow ping and B) pass the responses to your IP Protocol 41 traffic back through their NAT. But this will fail as soon as someone else behind the same public IP attempts this with the same HE IPv4 broker endpoint: protocol 41 has no port numbers, so the NAT can only map it on the source/destination IP pair and cannot tell two inside hosts apart.

Ummmm...interesting test. Interesting conclusion.

Yes:

BTW, I think the route6 section is not needed: the 6in4 protocol handler installs its own IPv6 default route unless you explicitly disable that in the wan6 config, which is why your `ip -6 route` shows two default entries on 6in4-wan6.

Edit:

To be clear, a 6in4 (IP protocol 41) tunnel requires a public IP that the tunnel server can reach. Hence what you want is impossible unless the company cooperates: they must allow ping to the public IPv4 address (HE requirement) and forward IP Protocol 41 to your device (technical requirement).


Great, thanks!
I will come back and verify once the IT team resolves my ticket to open protocol 41.

  • :+1:
  • this opens a permanent, unencrypted and unauthenticated tunnel (6in4 has no keys; the only thing anyone can check is the outer IPv4 source address) terminating on your device alone - I hope you can at least explain the basics in your request, because they may be totally unaware given they don't provide IPv6 in 2025, and you are making a big ask
  • provide the HE tunnel server's IPv4 address (216.66.80.90 from your tunnel details) so they can restrict protocol 41 to that source - and do the same in your own firewall rule with `option src_ip '216.66.80.90'`

Oh, thanks a lot! This is a security concern.

BTW, I still have one question:
If 6in4 is not working on my router, and I have set metric 2048 on wan6 while wan has metric 10 (and IPv4 is, I assume, always working),
why does the router still time out on Internet requests unless I specifically bring wan6 down?

Delete your route6 configuration and retest. (Note that the metric only orders routes within the IPv6 table; it does not make the router or your clients prefer IPv4 for a destination that also has an AAAA record. Address selection on the client decides that, so while the tunnel is up, a broken IPv6 path stalls dual-stack destinations such as downloads.openwrt.org even though IPv4 is fine.)

Removed, but no luck. ping6 works, but opkg update still times out.
I also started over. Since the company public IP seems to be static, I skipped the dynamic-address part of the HE config (the tunnelid/username/password options).
Here is the new status:

root@OpenWrt:~# uci show firewall.@defaults[0]
firewall.cfg01e63d=defaults
firewall.cfg01e63d.syn_flood='1'
firewall.cfg01e63d.input='REJECT'
firewall.cfg01e63d.output='ACCEPT'
firewall.cfg01e63d.forward='REJECT'

root@OpenWrt:~# uci show firewall.@zone[0]
firewall.cfg02dc81=zone
firewall.cfg02dc81.name='lan'
firewall.cfg02dc81.network='lan'
firewall.cfg02dc81.input='ACCEPT'
firewall.cfg02dc81.output='ACCEPT'
firewall.cfg02dc81.forward='ACCEPT'

root@OpenWrt:~# uci show firewall.@zone[1]
firewall.cfg03dc81=zone
firewall.cfg03dc81.name='wan'
firewall.cfg03dc81.network='wan' 'wan6'
firewall.cfg03dc81.input='REJECT'
firewall.cfg03dc81.output='ACCEPT'
firewall.cfg03dc81.forward='REJECT'
firewall.cfg03dc81.masq='1'
firewall.cfg03dc81.mtu_fix='1'

root@OpenWrt:~# uci show firewall.allow_proto_41
firewall.allow_proto_41=rule
firewall.allow_proto_41.name='Allow-protocol-41'
firewall.allow_proto_41.src='wan'
firewall.allow_proto_41.proto='41'
firewall.allow_proto_41.target='ACCEPT'

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd9d:9cd0:4f89::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.proto='6in4'
network.wan6.ipaddr='192.168.80.55'
network.wan6.peeraddr='216.66.80.90'
network.wan6.ip6addr='2001:470:27:3c1::1/64'
network.wan6.ip6prefix='2001:470:28:3b7::/64' '2001:470:de07::/48'
network.wan6.metric='2048'

root@OpenWrt:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
4: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
6: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:61 brd ff:ff:ff:ff:ff:ff
7: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
8: wwan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether d2:05:f0:f1:a8:3d brd ff:ff:ff:ff:ff:ff
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether c8:ea:f8:de:38:60 brd ff:ff:ff:ff:ff:ff
10: 6in4-wan6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/sit 192.168.80.55 peer 216.66.80.90

root@OpenWrt:~# ip route
default via 192.168.80.1 dev wan proto static src 192.168.80.55
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.80.0/24 dev wan proto kernel scope link src 192.168.80.55
216.66.80.90 via 192.168.80.1 dev wan proto static
root@OpenWrt:~#
root@OpenWrt:~# ip -6 route
default from 2001:470:27:3c1::/64 dev 6in4-wan6 proto static metric 2048 pref medium
default from 2001:470:28:3b7::/64 dev 6in4-wan6 proto static metric 2048 pref medium
default from 2001:470:de07::/48 dev 6in4-wan6 proto static metric 2048 pref medium
2001:470:27:3c1::/64 dev 6in4-wan6 proto static metric 2048 pref medium
2001:470:28:3b7::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:470:28:3b7::/64 dev lo proto static metric 2147483647 pref medium
2001:470:de07::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:470:de07::/48 dev lo proto static metric 2147483647 pref medium
fd9d:9cd0:4f89::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd9d:9cd0:4f89::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
root@OpenWrt:~#