[Solved] 6in4 (IPv6-in-IPv4, RFC4213) When WAN Interface Has A Private Address

I've had 6in4 working well for months with the WAN IP being the public IP. I recently put an Ubiquiti Edgerouter in front of the OpenWRT router to handle the dual wan failover (I was never able to get dual WAN to work with 6in4).

Now the WAN interface of the OpenWRT router (running 18.06.2) has (from the Edgerouter's DHCP at

On the Edgerouter, I have a Source NAT masquerade for each WAN (eth1 and eth2) and a DNAT for each WAN pointing to Both for all protocols (which you'd think includes protocol 41)

Everything works fine on my network: all the ports for devices on the LAN are reachable, per the port forwarding rules in the OpenWRT router. Except for the 6in4 tunnel, which stopped working. TX/RX remains at 0. Local IPv4 address is as before, "empty to use the current WAN address".

Do I have to change the config on my OpenWRT router or should a change be applied to the Edgerouter??

1 Like

Yep, hence I noted "which you'd think includes protocol 41" in the OP.

Are you saying that

the fact that the WAN on the OpenWRT now has a private IP is not the problem,
everything seems to be configured properly,
(thus) I should find out whether protocol 41 is being passed to the OpenWRT router?

If yes, how would I go about testing for that?


If you have a static external IPv4, try static configuration first, then use dynamic if the issue persists.

I'd utilize Wireshark or tcpdump.

1 Like

I would first try to avoid that double-NAT setup.

1 Like

If you are using HE.net tunnel, then you'd have to use only one connection for the tunnel, which needs to be specified in their webpage:

or dynamically updated via the Openwrt HE interface.

Most likely other tunnel brokers work the same way.


thx @trendy yes, I have it auto updated even before dual WAN, as my IP is not static.

@vgaetera run tcpdump where, in the openwrt router?

Ubiquiti confirmed to me that my setup also passes protocol 41 (as you'd expect, "all protocols" means all protocols)

Have you permitted the HE tunnel check server to ping your new WAN interface?

See: https://forums.he.net/index.php?topic=3346.0 for the IP you have to permit ICMP-Echo-Request from, in the Edgerouter.


@lleachii hi again. The firewall on the edgerouter is turned off.

1 Like

@eduperez, can't avoid double NAT when using dual WAN, at least with Edgerouters...

Shites, after creating a firewall rule for allowing protocol 41 in the firewall, it works. But there were ZERO firewall rules before. Go figure!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.