knulf
February 1, 2021, 5:07pm
#1
Hello,
I'm trying to make IPv6 work from my home network using a 6in4 tunnel from Tunnelbroker (HE). So far without success. I cannot even ping ipv6.google.com from the router.
I set it up according to the instructions at tunnelbroker.net and this user guide on OpenWRT.org. I've also tried using the script from here and searched this forum for helpful tips.
I've probably missed something very basic in my setup and would really appreciate your help. Thank you in advance!
Here is my network and firewall config. Please let me know if you need more information.
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd23:3587:3330::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.dns='192.168.1.9' '9.9.9.9'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='9.9.9.9' '1.1.1.1'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.wg01=interface
network.wg01.proto='wireguard'
network.wg01.listen_port='51820'
network.wg01.private_key='XXXXXXXXXXXXXXX'
network.wg01.addresses='10.0.0.1/24'
network.@wireguard_wg01[0]=wireguard_wg01
network.@wireguard_wg01[0].route_allowed_ips='1'
network.@wireguard_wg01[0].public_key='XXXXXXXXXXXXXX'
network.@wireguard_wg01[0].allowed_ips='10.0.0.2/32'
network.@wireguard_wg01[0].description='mobile'
network.henet=interface
network.henet.proto='6in4'
network.henet.peeraddr='216.66.80.30'
network.henet.ip6addr='2001:XXX:XXXX:XX::2/64'
network.henet.tunnelid='TUNNELID'
network.henet.username='USERNAME'
network.henet.password='UPDATEKEY'
network.henet.mtu='1480'
network.henet.ip6prefix='2001:XXX:XXXX::/48'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg01'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 henet'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].src='wan'
firewall.@rule[9].name='Allow-WireGuard'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-protocol-41'
firewall.@rule[10].proto='41'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].src_ip='216.66.80.30'
firewall.@rule[10].enabled='0'
firewall.@rule[11]=rule
firewall.@rule[11].src='wan'
firewall.@rule[11].name='Allow-protocol-51'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].extra='-m length --length 40'
firewall.@rule[11].proto='ipv6-nonxt'
firewall.@rule[11].enabled='0'
Further information:
Running OpenWrt 19.07.6 on a TP-Link Archer C6.
The router has a public IPv4 address on WAN from the ISP (cable modem). The address is not static, but hardly ever changes. In any case I use DDNS for things such as connecting to my home network via wireguard.
The firewall rules 'Allow-protocol-41' and 'Allow-protocol-51' are disabled at the moment. Enabling them did not seem to make a difference.
Thanks for your help!
trendy
February 1, 2021, 5:55pm
#2
I remember they have to be enabled.
Also, do you see your public IPv4 populated in the "Client IPv4 address" field of the tunnelbroker page?
What is the output of `ifup henet; logread -e henet`?
knulf
February 1, 2021, 6:06pm
#3
Thanks for the quick reply! I have enabled the two firewall rules again and restarted the firewall. Yes, I can see my public IPv4 on the tunnelbroker page.
The output of `ifup henet; logread -e henet` is:
root@OpenWrt:~# ifup henet; logread -e henet
Sun Jan 31 15:47:03 2021 daemon.notice netifd: Interface 'henet' is now down
Sun Jan 31 15:47:03 2021 daemon.notice netifd: Interface 'henet' is setting up now
Sun Jan 31 15:47:04 2021 daemon.notice netifd: Interface 'henet' is now up
Sun Jan 31 15:47:04 2021 daemon.notice netifd: tunnel '6in4-henet' link is up
Sun Jan 31 15:47:04 2021 user.notice firewall: Reloading firewall due to ifup of henet (6in4-henet)
Sun Jan 31 15:47:08 2021 user.notice 6in4-henet: update 1/3: nochg XX.XX.XXX.XX
Sun Jan 31 15:47:08 2021 user.notice 6in4-henet: updated
Mon Feb 1 19:02:45 2021 daemon.notice netifd: Interface 'henet' is now down
Mon Feb 1 19:02:45 2021 daemon.notice netifd: Interface 'henet' is setting up now
where XX.XX.XXX.XX is my public IP.
Does that help?
knulf
February 1, 2021, 6:16pm
#5
Yeah, I thought that it should work without the firewall rules but I added them just in case I misunderstood the instructions. Either way they don't seem to make a difference.
I have a public IP address and it is showing correctly on the tunnel details page. There must be something wrong with my config but I can't figure out what that might be. Do you see anything wrong with it? I appreciate your help!
krazeh
February 1, 2021, 6:20pm
#6
Is your router getting an IPv6 address?
knulf
February 1, 2021, 6:29pm
#8
The henet interface has the ...:2/64 from tunnelbroker assigned, if that's what you mean. Sorry, I am not super familiar with IPv6 (yet).
6in4-henet Link encap:IPv6-in-IPv4
inet6 addr: fe80::4d16:b83f/64 Scope:Link
inet6 addr: 2001:XXX:XXXX:XX::2/64 Scope:Global
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:363 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:31683 (30.9 KiB)
krazeh
February 1, 2021, 6:31pm
#9
No, I meant the LAN interface on the router. Has that got an IPv6 address?
knulf
February 1, 2021, 6:35pm
#10
Oh, sorry! Yes, there are IPv6 addresses on LAN and one of them is from the tunnelbroker assigned prefix. See here:
Protocol: Static address
Uptime: 0h 14m 27s
MAC: ...
RX: 5.78 MB (45436 Pkts.)
TX: 701.43 MB (472145 Pkts.)
IPv4: 192.168.1.1/24
IPv6: 2001:XXX:XXXX::1/60
IPv6: fd23:3587:3330::1/60
Is that not how it should be?
knulf
February 1, 2021, 6:39pm
#11
Here is the output of `ifstatus henet; ip route get 1::`. I'm not sure what the part at the bottom about `RTNETLINK answers: Permission denied` means.
root@OpenWrt:~# ifstatus henet; ip route get 1::
{
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
"uptime": 665,
"l3_device": "6in4-henet",
"proto": "6in4",
"updated": [
"addresses",
"routes",
"prefixes"
],
"metric": 0,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
],
"ipv6-address": [
{
"address": "2001:XXX:XXX:XX::2",
"mask": 64
}
],
"ipv6-prefix": [
{
"address": "2001:XXX:XXXX::",
"mask": 48,
"class": "henet",
"assigned": {
"lan": {
"address": "2001:XXX:XXXX::",
"mask": 60
}
}
}
],
"ipv6-prefix-assignment": [
],
"route": [
{
"target": "::",
"mask": 0,
"nexthop": "::",
"source": "2001:XXX:XXXX::/48"
},
{
"target": "::",
"mask": 0,
"nexthop": "::",
"source": "2001:XXX:XXXX:XX::2/64"
}
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
],
"inactive": {
"ipv4-address": [
],
"ipv6-address": [
],
"route": [
],
"dns-server": [
],
"dns-search": [
],
"neighbors": [
]
},
"data": {
}
}
RTNETLINK answers: Permission denied
knulf
February 1, 2021, 6:54pm
#13
The answer is still the same:
root@OpenWrt:~# ip route get 1::
RTNETLINK answers: Permission denied
knulf
February 1, 2021, 8:06pm
#14
Do you think that there is an issue with the routes?
root@OpenWrt:~# ip -6 route show
default from 2001:470:XXXX:XX::/64 dev 6in4-henet proto static metric 1024 pref medium
default from 2001:470:YYYY::/48 dev 6in4-henet proto static metric 1024 pref medium
2001:470:XXXX:XX::/64 dev 6in4-henet proto kernel metric 256 pref medium
2001:470:YYYY::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:470:YYYY::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fd23:3587:3330::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd23:3587:3330::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev 6in4-henet proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
# Diagnostic run for the 6in4 interface: a route lookup, a ping and a
# traceroute, each sourced from the interface's own IPv6 address.
# Source OpenWrt's network helper library; the network_* calls below are
# presumably defined there (the file itself is not shown on this page).
. /lib/functions/network.sh
# Logical interface name, matching the network.henet section in the posted config.
NET_IF6="henet"
network_flush_cache
# Presumably stores the interface's IPv6 address in NET_ADDR6 - confirm against network.sh.
network_get_ipaddr6 NET_ADDR6 "${NET_IF6}"
# ${NET_ADDR6%/*} strips a trailing "/<prefix length>", if present, leaving the bare address.
# The default routes in the posted `ip -6 route show` output are source-specific
# ("default from ..."), so the lookup is given an explicit source address.
ip route get 1:: from "${NET_ADDR6%/*}"
# -I / -s force the probes to use that source address; -w 3 bounds the ping run to 3 seconds.
ping6 -w 3 -I "${NET_ADDR6%/*}" openwrt.org
traceroute6 -s "${NET_ADDR6%/*}" openwrt.org
knulf
February 1, 2021, 8:50pm
#16
Still no luck. Here is the output from the commands above:
root@OpenWrt:~# . /lib/functions/network.sh
root@OpenWrt:~# NET_IF6="henet"
root@OpenWrt:~# network_get_ipaddr6 NET_ADDR6 "${NET_IF6}"
root@OpenWrt:~# ip route get 1:: from "${NET_ADDR6%/*}"
1:: from 2001:470:XXXX:XX::2 dev 6in4-henet proto static src 2001:470:XXXX:XX::2 metric 1024 pref medium
root@OpenWrt:~# ping6 -w 3 -I "${NET_ADDR6%/*}" openwrt.org
PING openwrt.org (2a03:b0c0:3:d0::1af1:1) from 2001:470:XXXX:XX::2: 56 data bytes
--- openwrt.org ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
traceroute6 also failed.
I really appreciate that you're taking the time to help me troubleshoot this. I am at a loss. Any more ideas?
Try the static config:
# Switch the henet 6in4 section to a static local endpoint: remove the
# tunnel id, username, password and MTU options, then set ipaddr to the
# current WAN IPv4 address and bring the interface up again.
. /lib/functions/network.sh
network_flush_cache
# Presumably resolves the WAN interface name into NET_IF and its IPv4 address
# into NET_ADDR - confirm against network.sh.
network_find_wan NET_IF
network_get_ipaddr NET_ADDR "${NET_IF}"
# -q suppresses uci's error output, e.g. when an option is already absent.
# NOTE(review): tunnelid/username/password look like what drives the endpoint
# update seen in the posted log ("update 1/3: nochg"); without them the router
# presumably stops sending that update - confirm before relying on this on a
# WAN address that can change.
uci -q delete network.henet.tunnelid
uci -q delete network.henet.username
uci -q delete network.henet.password
uci -q delete network.henet.mtu
# NOTE(review): if NET_ADDR came back empty, this writes an empty ipaddr;
# check the value before running this line.
uci set network.henet.ipaddr="${NET_ADDR}"
# No `uci commit` is issued in this snippet, so the edits above stay uncommitted
# unless committed separately.
ifup henet
And repeat the diagnostics.
knulf
February 1, 2021, 9:19pm
#18
Still no luck, unfortunately.
Where did you get this address from?
The address for my tunnel is not the same as in the wiki.
knulf
February 1, 2021, 9:25pm
#20
Where did you get this address from?
The address for my tunnel is not the same as in the wiki.
That's the IPv4 endpoint for my tunnel. I got it from my tunnelbroker 'Tunnel Details' page.
I had an HE tunnel working with 19.07.5 but then I upgraded to 19.07.6 and it stopped working.
If you are on 19.07.6 maybe you could try with 19.07.5 and see if it works there.
slh
February 7, 2021, 9:08pm
#22
Be aware that you'll lose the `6in4` package over a sysupgrade; that package is required for he.net tunnels to work - reinstall it and you should be all set.