IPv6 (6in4) Tunnelbroker Setup

Hello,

I'm trying to make IPv6 work from my home network using a 6in4 tunnel from Tunnelbroker (HE). So far without success. I cannot even ping ipv6.google.com from the router.

I set it up according to the instructions at tunnelbroker.net and this user guide on OpenWRT.org. I've also tried using the script from here and searched this forum for helpful tips.

I've probably missed something very basic in my setup and would really appreciate your help. Thank you in advance!

Here is my network and firewall config. Please let me know if you need more information.

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd23:3587:3330::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.dns='192.168.1.9' '9.9.9.9'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='9.9.9.9' '1.1.1.1'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.wg01=interface
network.wg01.proto='wireguard'
network.wg01.listen_port='51820'
network.wg01.private_key='XXXXXXXXXXXXXXX'
network.wg01.addresses='10.0.0.1/24'
network.@wireguard_wg01[0]=wireguard_wg01
network.@wireguard_wg01[0].route_allowed_ips='1'
network.@wireguard_wg01[0].public_key='XXXXXXXXXXXXXX'
network.@wireguard_wg01[0].allowed_ips='10.0.0.2/32'
network.@wireguard_wg01[0].description='mobile'
network.henet=interface
network.henet.proto='6in4'
network.henet.peeraddr='216.66.80.30'
network.henet.ip6addr='2001:XXX:XXXX:XX::2/64'
network.henet.tunnelid='TUNNELID'
network.henet.username='USERNAME'
network.henet.password='UPDATEKEY'
network.henet.mtu='1480'
network.henet.ip6prefix='2001:XXX:XXXX::/48'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg01'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 henet'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].src='wan'
firewall.@rule[9].name='Allow-WireGuard'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-protocol-41'
firewall.@rule[10].proto='41'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].src_ip='216.66.80.30'
firewall.@rule[10].enabled='0'
firewall.@rule[11]=rule
firewall.@rule[11].src='wan'
firewall.@rule[11].name='Allow-protocol-51'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].extra='-m length --length 40'
firewall.@rule[11].proto='ipv6-nonxt'
firewall.@rule[11].enabled='0'

Further information:

  • Running OpenWrt 19.07.6 on a TP-Link Archer C6.
  • The router has a public IPv4 address on WAN from the ISP (cable modem). The address is not static, but hardly ever changes. In any case I use DDNS for things such as connecting to my home network via wireguard.
  • The firewall rules 'Allow-protocol-41' and 'Allow-protocol-51' are disabled at the moment. Enabling them did not seem to make a difference.

Thanks for your help!

I remember they have to be enabled.
Also, do you see your public IPv4 populated in the "Client IPv4 address" field of the tunnelbroker page?
What is the output of ifup henet; logread -e henet ?


Thanks for the quick reply! I have enabled the two firewall rules again and restarted the firewall. Yes, I can see my public IPv4 on the tunnelbroker page.

The output of ifup henet; logread -e henet is:

root@OpenWrt:~# ifup henet; logread -e henet
Sun Jan 31 15:47:03 2021 daemon.notice netifd: Interface 'henet' is now down
Sun Jan 31 15:47:03 2021 daemon.notice netifd: Interface 'henet' is setting up now
Sun Jan 31 15:47:04 2021 daemon.notice netifd: Interface 'henet' is now up
Sun Jan 31 15:47:04 2021 daemon.notice netifd: tunnel '6in4-henet' link is up
Sun Jan 31 15:47:04 2021 user.notice firewall: Reloading firewall due to ifup of henet (6in4-henet)
Sun Jan 31 15:47:08 2021 user.notice 6in4-henet: update 1/3: nochg XX.XX.XXX.XX
Sun Jan 31 15:47:08 2021 user.notice 6in4-henet: updated
Mon Feb  1 19:02:45 2021 daemon.notice netifd: Interface 'henet' is now down
Mon Feb  1 19:02:45 2021 daemon.notice netifd: Interface 'henet' is setting up now

where XX.XX.XXX.XX is my public IP.

Does that help?


Yeah, I thought that it should work without the firewall rules but I added them just in case I misunderstood the instructions. Either way they don't seem to make a difference.

I have a public IP address and it is showing correctly on the tunnel details page. There must be something wrong with my config but I can't figure out what that might be. Do you see anything wrong with it? I appreciate your help!

Is your router getting an IPv6 address?

The henet interface has the ...:2/64 from tunnelbroker assigned, if that's what you mean. Sorry, I am not super familiar with IPv6 (yet).

6in4-henet Link encap:IPv6-in-IPv4
          inet6 addr: fe80::4d16:b83f/64 Scope:Link
          inet6 addr: 2001:XXX:XXXX:XX::2/64 Scope:Global
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:363 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:31683 (30.9 KiB)

No, I meant the LAN interface on the router. Has that got an IPv6 address?

Oh, sorry! Yes, there are IPv6 addresses on LAN and one of them is from the tunnelbroker assigned prefix. See here:

Protocol: Static address
Uptime: 0h 14m 27s
MAC: ...
RX: 5.78 MB (45436 Pkts.)
TX: 701.43 MB (472145 Pkts.)
IPv4: 192.168.1.1/24
IPv6: 2001:XXX:XXXX::1/60
IPv6: fd23:3587:3330::1/60

Is that not how it should be?

Here is the output of ifstatus henet; ip route get 1::. I'm not sure what the part at the bottom about RTNETLINK answers: Permission denied means.

root@OpenWrt:~# ifstatus henet; ip route get 1::
{
    "up": true,
    "pending": false,
    "available": true,
    "autostart": true,
    "dynamic": false,
    "uptime": 665,
    "l3_device": "6in4-henet",
    "proto": "6in4",
    "updated": [
        "addresses",
        "routes",
        "prefixes"
    ],
    "metric": 0,
    "dns_metric": 0,
    "delegation": true,
    "ipv4-address": [

    ],
    "ipv6-address": [
        {
            "address": "2001:XXX:XXX:XX::2",
            "mask": 64
        }
    ],
    "ipv6-prefix": [
        {
            "address": "2001:XXX:XXXX::",
            "mask": 48,
            "class": "henet",
            "assigned": {
                "lan": {
                    "address": "2001:XXX:XXXX::",
                    "mask": 60
                }
            }
        }
    ],
    "ipv6-prefix-assignment": [

    ],
    "route": [
        {
            "target": "::",
            "mask": 0,
            "nexthop": "::",
            "source": "2001:XXX:XXXX::/48"
        },
        {
            "target": "::",
            "mask": 0,
            "nexthop": "::",
            "source": "2001:XXX:XXXX:XX::2/64"
        }
    ],
    "dns-server": [

    ],
    "dns-search": [

    ],
    "neighbors": [

    ],
    "inactive": {
        "ipv4-address": [

        ],
        "ipv6-address": [

        ],
        "route": [

        ],
        "dns-server": [

        ],
        "dns-search": [

        ],
        "neighbors": [

        ]
    },
    "data": {

    }
}
RTNETLINK answers: Permission denied

The answer is still the same:

root@OpenWrt:~# ip route get 1::
RTNETLINK answers: Permission denied

Do you think that there is an issue with the routes?

root@OpenWrt:~# ip -6 route show
default from 2001:470:XXXX:XX::/64 dev 6in4-henet proto static metric 1024 pref medium
default from 2001:470:YYYY::/48 dev 6in4-henet proto static metric 1024 pref medium
2001:470:XXXX:XX::/64 dev 6in4-henet proto kernel metric 256 pref medium
2001:470:YYYY::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:470:YYYY::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fd23:3587:3330::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd23:3587:3330::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev 6in4-henet proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
# Diagnostics for the 6in4 tunnel: repeat the route lookup and reachability
# tests with the tunnel's own IPv6 address as the explicit source.
# Load OpenWrt's network helper functions (the network_* calls below).
. /lib/functions/network.sh
# Logical interface name of the tunnel (the network.henet section).
NET_IF6="henet"
# Drop cached interface state so the lookup below reflects the current status.
network_flush_cache
# Store the IPv6 address of the tunnel interface in NET_ADDR6.
network_get_ipaddr6 NET_ADDR6 "${NET_IF6}"
# "${NET_ADDR6%/*}" strips a trailing "/prefixlen" if one is present.
# The default routes on this router are source-specific ("default from ..."),
# so the lookup names a source address; the earlier lookup without "from"
# returned "Permission denied" — presumably for that reason, TODO confirm.
ip route get 1:: from "${NET_ADDR6%/*}"
# Ping for at most 3 seconds, sourced from the tunnel address.
ping6 -w 3 -I "${NET_ADDR6%/*}" openwrt.org
# Trace the path with the same source address to see where replies stop.
traceroute6 -s "${NET_ADDR6%/*}" openwrt.org

Still no luck. Here is the output from the commands above:

root@OpenWrt:~# . /lib/functions/network.sh
root@OpenWrt:~# NET_IF6="henet"
root@OpenWrt:~# network_get_ipaddr6 NET_ADDR6 "${NET_IF6}"
root@OpenWrt:~# ip route get 1:: from "${NET_ADDR6%/*}"
1:: from 2001:470:XXXX:XX::2 dev 6in4-henet proto static src 2001:470:XXXX:XX::2 metric 1024 pref medium
root@OpenWrt:~# ping6 -w 3 -I "${NET_ADDR6%/*}" openwrt.org
PING openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2001:470:XXXX:XX::2: 56 data bytes

--- openwrt.org ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

traceroute6 also failed.

I really appreciate that you're taking the time to help me troubleshoot this. I am at a loss. Any more ideas?


Try the static config:

# Switch the henet tunnel to a static setup: pin the local IPv4 endpoint and
# remove the options used for the dynamic endpoint update.
# Load OpenWrt's network helper functions (the network_* calls below).
. /lib/functions/network.sh
# Drop cached interface state so the lookups below reflect the current status.
network_flush_cache
# Store the name of the logical WAN interface in NET_IF.
network_find_wan NET_IF
# Store that interface's IPv4 address in NET_ADDR.
network_get_ipaddr NET_ADDR "${NET_IF}"
# Remove the tunnel id, account name, update key and MTU override from the
# henet section; -q suppresses the error when an option is already absent.
# NOTE(review): without these the router presumably stops sending the endpoint
# update seen in the log ("update 1/3: nochg"), so the client IPv4 registered
# with the broker has to be kept current by other means — confirm.
uci -q delete network.henet.tunnelid
uci -q delete network.henet.username
uci -q delete network.henet.password
uci -q delete network.henet.mtu
# Use the current WAN IPv4 address as the tunnel's local endpoint.
uci set network.henet.ipaddr="${NET_ADDR}"
# NOTE(review): there is no `uci commit network`, so the edits above are staged
# and not written to the saved config — confirm that the interface restart
# below picks them up, and commit once the test succeeds.
ifup henet

And repeat the diagnostics.

Still no luck, unfortunately.


Where did you get this address from?
The address for my tunnel is not the same as in the wiki.

Where did you get this address from?
The address for my tunnel is not the same as in the wiki.

That's the IPv4 endpoint for my tunnel. I got it from my tunnelbroker 'Tunnel Details' page.


I had an HE tunnel working with 19.07.5 but then I upgraded to 19.07.6 and it stopped working.
If you are on 19.07.6 maybe you could try with 19.07.5 and see if it works there.

Be aware that you'll lose the 6in4 package over a sysupgrade, which is required for he.net tunnels to work - reinstall that and you should be all set.
