Problems with being your own tunnelbroker

Hello all,

Management summary: having trouble being my own IPv6 tunnelbroker. I can ping everything on my local networks, but the /48 gateway or anything else on the internet just can't be reached. Probably a problem with neighbor discovery...

Having used Hurricane Electric as my IPv6 tunnelbroker for some time, I now want to be my own tunnelbroker. Therefor I leased my own VPS and /48 subnet at a provider. They have provided me with a gateway which is in the same /48 subnet. They don't route traffic destined to my subnet to a particular address in this /48.

My VPS has an IPv6 address in the /48. I provided the /48 as subnet mask in its configuration. For security purposes I won't provide my own IPv6 space, but the configuration is like:

interface: ens18
IPv6 address: 2001:0db8:1977::1977/48
IPv6 gateway: 2001:0db8:1977::1 (this device exists on my providers network.

The VPS runs Ubuntu 18.04 by the way. From the ens18 interface I can ping the gateway.

At home I've got my own OpenWRT 18.06.1 router. Between the VPS and home there's a 6in4 tunnel. 2001:0db8:1977:1::a/127 is the VPS tunnel address, the OpenWRT router has 2001:0db8:1977:1::b/127 as its address. The VPS routes 2001:0db8:1977:62::/64 through the tunnel.

On the router, I created the configuration in Luci on the wan6 interface with 6in4 as its protocol. OpenWRT configured by itself 2001:0db8:1977:62::1/64 on the br-lan interface. And the devices in my LAN all got a IPv6 address from this /64 network automagically configured.

From these devices I can ping 2001:0db8:1977:62::1, 2001:0db8:1977:1::b and 2001:0db8:1977:1::a (tunnel IP addresses) and 2001:0db8:1977::1977 (ens18 interface on my VPS). Unfortunately I can't ping anything on the internet and also not my gateway, 2001:0db8:1977::1.

I've tried all kinds of things. For example on the VPS I added this to the routing table:

ip -6 route add local 2001:0db8:1977:62::/64 dev lo

and added ndppd to the mix (network discovery protocol proxy daemon) as per It's configuration:

route-ttl 30000
proxy ens18 {
router yes
timeout 500
ttl 30000
rule 2001:0db8:1977:62::/64 {
iface bwplein

bwplein = 6to4 tunnel interface on VPS.

When I start a ping to my /48 gateway from a device in my local LAN, I see the gateway sends a neighbour sollicitation about my device's IP address. It also get's to my local LAN. I don't see however the device answering back by a advertisement. The same goes for my OpenWRT router: when I ping from there and use for example it's br-lan address, pinging the gateway doesn't work.

At this moment I'm not sure how to troubleshoot this problem. I've read many blogposts, tried to fiddle with all kinds of /proc/sys/net/ipv6/conf settings, but can't seem to solve this. Maybe it's in the firewall settings on my router, no idea anymore.

Has anyone a similar sitution and got this to work? Any good pointers? Any suggestions? Everything is welcome! :slight_smile:


This is wrong. This /64 route needs to be toward the tunnel facing your OpenWrt router, not loopback.

Yeah, I looked at this. When changing as you propose, pinging the tunnel interface on the VPS doesn't work anymore. Also pinging the internet-facing ens18 interface on the VPS will not work as doesn't the gateway.

When removing this route entirely at least the tunnel interface and ens18 interface can be pinged from my network at home. The gateway still not. The same when the loopback device is used. So when I wrote above post, I had already removed the route.


sysctl net.ipv6 2>/dev/null | grep forward
ip -6 a; ip -6 r
tcpdump -i any ip6 and icmp6


ip -6 a; ip -6 r
ping -c3

I have a similar configuration and had to reboot the VPS after obtaining routed IPv6 /64-pool to make it actually work.
Otherwise there was only traffic forwarded outside without anything routed back.