Hello,
I'm trying to make IPv6 work from my home network using a 6in4 tunnel from Tunnelbroker (HE). So far without success. I cannot even ping ipv6.google.com from the router.
I set it up according to the instructions at tunnelbroker.net and this user guide on OpenWRT.org. I've also tried using the script from here and searched this forum for helpful tips.
I've probably missed something very basic in my setup and would really appreciate your help. Thank you in advance!
Here is my network and firewall config. Please let me know if you need more information.
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd23:3587:3330::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.dns='192.168.1.9' '9.9.9.9'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan.peerdns='0'
network.wan.dns='9.9.9.9' '1.1.1.1'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='2 3 4 5 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='1 0t'
network.wg01=interface
network.wg01.proto='wireguard'
network.wg01.listen_port='51820'
network.wg01.private_key='XXXXXXXXXXXXXXX'
network.wg01.addresses='10.0.0.1/24'
network.@wireguard_wg01[0]=wireguard_wg01
network.@wireguard_wg01[0].route_allowed_ips='1'
network.@wireguard_wg01[0].public_key='XXXXXXXXXXXXXX'
network.@wireguard_wg01[0].allowed_ips='10.0.0.2/32'
network.@wireguard_wg01[0].description='mobile'
network.henet=interface
network.henet.proto='6in4'
network.henet.peeraddr='216.66.80.30'
network.henet.ip6addr='2001:XXX:XXXX:XX::2/64'
network.henet.tunnelid='TUNNELID'
network.henet.username='USERNAME'
network.henet.password='UPDATEKEY'
network.henet.mtu='1480'
network.henet.ip6prefix='2001:XXX:XXXX::/48'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg01'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 henet'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@rule[9]=rule
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].src='wan'
firewall.@rule[9].name='Allow-WireGuard'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-protocol-41'
firewall.@rule[10].proto='41'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].src_ip='216.66.80.30'
firewall.@rule[10].enabled='0'
firewall.@rule[11]=rule
firewall.@rule[11].src='wan'
firewall.@rule[11].name='Allow-protocol-51'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].extra='-m length --length 40'
firewall.@rule[11].proto='ipv6-nonxt'
firewall.@rule[11].enabled='0'
Further information:
- Running OpenWrt 19.07.6 on a TP-Link Archer C6.
- The router has a public IPv4 address on WAN from the ISP (cable modem). The address is not static, but hardly ever changes. In any case I use DDNS for things such as connecting to my home network via wireguard.
- The firewall rules 'Allow-protocol-41' and 'Allow-protocol-51' are disabled at the moment. Enabling them did not seem to make a difference.
Thanks for your help!