Issue with 6in4 tunnel stops internet from working

Set up a 6in4 tunnel with HE as per https://openwrt.org/docs/guide-user/network/ipv6/ipv6tunnel-luci and the tunnel seems to connect to HE and I can see packets flowing with the RX and TX values. As soon as the tunnel (interface) is enabled, mostly all internet connectivity stops working. Devices are getting an IPv6 address through DHCP. When the tunnel is disabled, internet works fine again. While the tunnel is enabled, pings work fine.

What could be the issue here?

You will need to provide more information than just that, like the actual configuration files you touched (make sure to obfuscate sensitive information, but keep at least (front-) parts of the IP addresses involved, so the prefix can be checked, without revealing your exact one). Device, version of OpenWrt and the type/name of the ISP connection (cgNAT?!) would also be beneficial.

Define "internet stops working" for us: does DNS stop working? does IPv4 PING work? ...?

@slh I'll upload the configs when I'm home later.

It's an Asus RT-AX53U running OpenWrt 22.03.05. Not a CG-NAT connection, normal NAT (I have my own public IP).

@eduperez DNS works. Some websites won't load at all, some websites load after 30-60 seconds. Some websites load instantly. IPv4 and IPv6 pings work.


If the 6in4 interface is up but I set IPv6 assignment length on wan to disabled, internet works as normal (obviously without IPv6).

Have you tried with a different exit node?
How did you configure the MTU on each link?

Do you by any chance block pings on IPv4?

HE Tunnelbroker requires that the Tunnel Check server can ping the IPv4 endpoint IP. It's an obscure requirement noted in their Wiki and on the tunnel setup page.

If that doesn't work, feel free to share your network config:

cat /etc/config/network

Just FYI, this requires creating another tunnel instance on the HE Tunnelbroker site.

I tried with another exit node, no difference. MTU is at 1480.

I don't block IPv4 pings, no, and I can see traffic RX/TX on the HE interface.

@slh, @eduperez, @lleachii

/etc/config/network:

config interface 'wan6'
        option proto '6in4'
        option peeraddr '216.66.88.98'
        option ip6addr '2001:xxx:xxxx:16e::2/64'
        option username 'xxx'
        option password 'xxx'
        option mtu '1480'
        option tunnelid '878xxx'
        option auto '0'
        list ip6prefix '2001:xxx:xxxx::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.1'
        option broadcast '192.168.0.255'
        option device 'br-lan'
        option force_link '0'
        list dns_search 'lan'
        option ip6assign '64'

/etc/config/dhcp:

config dhcp 'wan6'
        option interface 'wan6'
        option ignore '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option dhcpv4 'server'
        option leasetime '4h'
        option ra_dns '1'
        option ra 'server'
        option ra_slaac '0'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dhcpv6 'server'

I think you also need:

list ip6class 'wan6'

Also:

Remove. You will need to assign IPv6 DNS servers as you are not receiving an upstream announcement of servers (i.e. a tunnel). HE provides 2001:470:20::2.

Make 1 to ensure compatibility with all client devices.

Add

list dns '2001:470:20::2'

Hope this helps!

Thanks for the help! Just to confirm, am I setting list dns '2001:470:20::2' on wan6 and lan or just wan6? I changed settings to what you suggested and I've just seen that devices are getting a router address of fe80:..., is this normal or should it be set to the IPv6 address OpenWRT shows under lan (2001:...)?

It should work setting on wan6.

  • fe80 is a link-local address; it's usually common that this is seen. Wikipedia has more information on the uses of this.
  • To be clear, the settings I provided should cause your LAN clients to get IPv6 addresses from a /64 that comes from the ip6prefix on the HE tunnel
  • Can you clarify this?
  • Does this mean your LAN interface has a HE IP?

So yeah, my LAN clients get an HE-prefixed IP but the default gateway that gets set in their DHCP (or SLAAC) settings is the fe80 address.

I had it working before and then it just stopped. Starting to think it’s an issue with HE.

Yes, this is correct.

For reasons (TM) DHCPv6 does not provide a default gateway.
With IPv6 we have router advertisements. These are sent (and are only valid) on a link. Therefore you will see link-local addresses.
Furthermore, with IPv6 you can have multiple routers on a link. Each router can then advertise if it provides a default gateway and/or (more specific) routes. The validity of a router is gotten via its lifetime, which is part of the RA packet.
Example: you could have one router providing a default route and one router which routes to your VPN and another router which routes to your friends next door...
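
An added example, not part of any post in this thread: a small parser for the ICMPv6 Router Advertisement described above (RFC 4861, section 4.2), showing where the managed/other flags, the router lifetime that decides default-router status, and the advertised prefix sit in the packet. The sample packet is constructed, using the documentation prefix 2001:db8::/32 and made-up lifetimes and MTU; the function names are hypothetical.

```python
import ipaddress
import struct

def parse_ra(pkt: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (RFC 4861, section 4.2)."""
    if len(pkt) < 16:
        raise ValueError("truncated RA header")
    icmp_type, code, _csum, _hop, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", pkt[:16])
    if icmp_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80),      # M flag: addresses via DHCPv6
          "other": bool(flags & 0x40),        # O flag: other config via DHCPv6
          "router_lifetime": lifetime,        # seconds
          "is_default_router": lifetime > 0,  # 0 = not a default router
          "mtu": None, "prefixes": []}
    off = 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed option length")
        body = pkt[off:off + opt_len]
        if opt_type == 3 and opt_len == 32:   # Prefix Information
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            net = ipaddress.IPv6Network((body[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif opt_type == 5 and opt_len == 8:  # MTU
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        off += opt_len
    return ra

def build_sample_ra(lifetime: int = 1800) -> bytes:
    """Constructed sample: M+O set, one /64 from the documentation prefix."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0xC0, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0x80, 7200, 3600, 0)
    pio += ipaddress.IPv6Address("2001:db8:16e::").packed
    mtu = struct.pack("!BBHI", 5, 1, 0, 1480)
    return hdr + pio + mtu

if __name__ == "__main__":
    print(parse_ra(build_sample_ra()))
    print(parse_ra(build_sample_ra(lifetime=0))["is_default_router"])
```

The gateway address never appears in the RA body: clients take it from the packet's IPv6 source address, which is the router's link-local (fe80::) address.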

Thanks @lleachii and @_bernd, this has been a great learning experience with IPv6 as I practically knew nothing about it before.

The HE tunnel works for a bit and stops working. I've asked them to verify if it's possibly an issue on their end. At least I know my configuration works.