[SOLVED] LUCI: Config Tunnelbroker 6in4

I've tried for over 4 hours to config my R7900 router to give LAN clients IPv6 access.

The previous router I had was working fine with the same he.net tunnel, giving clients an IPv6 address.

LEDE is able to ping and traceroute over IPv6.
Clients are getting a public IPv6 address that starts with the tunnelbroker prefix.

But clients can't ping6 or curl v6.ifconfig.co

Interfaces: https:/i.imgur[dot]com/dBj9A00.png

WAN6 (tried with "Use builtin IPv6-management" on and off) n3kAuxl%5B1%5D

WAN: IPv6 assignment length = 64. DHCP Server IPv6 settings are all disabled. Use builtin IPv6-management
is off.

LAN: IPv6 assignment length = 64. Use builtin IPv6-management is on. I tried all kinds of Router Advertisement-Service and DHCPv6-Service. I don't think I need an NDP proxy.

Could someone provide guidance on how to set this up using the GUI. there are ZERO guides for this, I searched extensively on google, github, stack sites and the forum.

IPv6: 2001:470:c:672::2/64
IPv6: 2001:470:d:671::/64

Typo? I think it should be 2001:470:d:672::/64

The config looks wrong, as you have something on wan.

The needed tunnel config is rather simple.
Best docs are probably in the old wiki:

Nothing should be needed for "wan", but you need most settings for the "wan6" 6in4 interface (remote tunnel endpoint ipv4, local ipv6 tunnel endpoint, routed prefix) and the ip6assign setting for "lan".

Note that you should used routed /48 prefix that he.net tunnelbroker offers. Not the small /64.

For odhcpd you need the "server" settings from here. The first example:
Nothing for wan or wan6.

And you have added the wan6 interface to "wan" zone in firewall?

Can you provide:

  • Copy of the WAN6 interface from /etc/config/network
  • Copy of the LAN interface from /etc/config/network
  • Copy of the LAN IPv6 settings from /etc/config/dhcp

Also, have you used the instructions to setup an OpenWrt device at Tunnelbroker's website?

Also, here is a breakdown of my setup:

hnyman did it! thank you. please bump me to be able to post more than 2 links (or I will wait to get there) and I will post a complete Luci guide to this. thank you!

one more thing: how I do set port forwarding for IPv6 under this config?

There is no port forwarding, as you are not using Network Address Translation.

You simply have to create an IPv6 TRAFFIC RULE as you normally would in OpenWrt.

Here's an example to allow BitTorrent IPv6 for all clients on LAN:

config rule                                                           
        option target 'ACCEPT'                                        
        option name 'Allow-BT_IPv6'                      
        option family 'ipv6'           
        option proto 'tcp'                                 
        option src 'wan'                                   
        option dest 'lan'                      
        option dest_port '51413'

I'm currently using tunnelbroker.net, and did not need to change the firewall configuration from the default values, just configure the proper interface:

config interface 'wan6
	option ifname 'pppoe-wan'
	option proto '6in4'
	option peeraddr '---.---.---.---'
	option tunnelid '------'
	option username '--------'
	option password '--------'
	option ip6prefix '2001:----::/48'
	option ip6addr '2001:----::2'
	option mtu '1472'
1 Like

Damn you guys are helpful in here!

ok! can i use comma separated and range in dashes in here?

and in

can i use '41' and ommit dest_port? in case i decide to use IPv6 only at a single Ubuntu machine and have this machine create the tunnel (I really only need IPv6 on that machine anyways).

From: https://openwrt.org/docs/guide-user/firewall/firewall_configuration

Name Type Required Default Description
proto protocol name or number yes tcpudp Match incoming traffic using the given protocol.
dest_port port or range no (none) For DNAT, redirect matched incoming traffic to the given port on the internal host. For SNAT, match traffic directed at the given ports. Only a single port or range can be specified, not disparate ports as with Rules (below).

Yes. As you can see above, that's exactly what you need to do to specify a protocol other than the normal: TCP, UDP or ICMP.

Free free to use the documentation.

1 Like

Ipv6 stops working after rebooting the router...

ing6 ipv6.google.com
PING ipv6.google.com(lax28s01-in-x0e.1e100.net) 56 data bytes
From lax28s01-in-x0e.1e100.net icmp_seq=1 Destination unreachable: No route
From lax28s01-in-x0e.1e100.net icmp_seq=2 Destination unreachable: No route


LAN: https://i.imgur.com/lqlAq43.png


PING lede-project.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
ping6: sendto: Network unreachable

On the windows client I can see that I get an assigned address but there is no gateway. Seems to be the same issue on the Ubuntu client.

Your LAN is displaying a link-local IPv6 address; and no Prefix Delegation!

I'll tell you now, my LAN configs look slightly different; and yours don't look like the instructions at Tunnelbroker.



config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask ''
	option ipaddr '192.168.xxx.1'
	option ip6addr '2001:470:xxxx:xxxx::1/64'
	option ip6prefix '2001:470:xxxx:xxxx::/64'

config interface 'henet'
	option proto '6in4'
	option peeraddr '216.xxx.xxx.xxx'
	option ip6addr '2001:470:xxxx:xxxx::2/64'
	option ip6prefix '2001:470:xxxx::/48'
	option mtu '1480'
	option tunnelid 'xxxxx'
	option username 'xxxxxxxxxx'
	option password 'xxxxxxxxxx'

(Also note, I use the IPv6 address I assigned to the LAN as the announced DNS server.)

I returned the R7900 because of WiFi issues, but I purchased a R7800 and will reply when it arrives. Thank you.

1 Like

I got the R7800 now. I already tried copying the tunnelbroker settings for Barrier Breaker. It didn't work. I have a /48, and tried it, didn't help.

It is configured it as follows:


config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask ''
        option ipaddr ''
        option dns ''
        option ip6assign '64'

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option gateway ''
        # I can't put my cable modem in bridge mode
        # but 6in4 works perfectly on a R6250 running tomato.
        # It's firewall is completely off and all ports fwd to the R7900
        option dns ''

config interface 'wan6'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto '6in4'
        option peeraddr 'x.x.x.x' #local PoP for tunnelbroker
        option ip6prefix '2001:x:d:x::/64' #prefix per tunnelbroker
        option ip6addr '2001:x:c:x::2/64' #Client IPv6 Address per tunnelbroker
        # Server IPv6 Address per tunnelbroker doesn't get input anywhere


config dhcp 'lan'
        option interface 'lan'
        option ra 'server'
        option leasetime '4h'
        option start '2'
        option limit '250'
        list dns '2606:4700:4700::1111'
        list dns '2620:fe::fe'
        option dhcpv6 'server'
        option ra_management '1'

Firewall (just to be safe)

config rule
        option name 'Allow-Protocol-41-Tunnelbroker'
        option src      wan
        option proto    41
        option target   ACCEPT

Here's the kicker. I can ping the ubuntu machine on my LAN via http://www.ipv6now.com.au/pingme.php. Some services that depend on IPv6 and are accessed by machines outside of my LAN also report the ubuntu box as up and running. Both of these increase the RX and TX counters in Luci's WAN6 status. When those services don't reach out to my machine, both counters don't increase, no matter what I do (router diag or ubuntu machine curl/ping6.

In diagnostics. IPv6 ping of lede-project.org returns

PING lede-project.org (2a03:b0c0:3:d0::1af1:1): 56 data bytes
ping6: sendto: Network unreachable

In the ubuntu box

$ ping6 ipv6.google.com
PING ipv6.google.com(lax28s10-in-x0e.1e100.net) 56 data bytes
From lax28s10-in-x0e.1e100.net icmp_seq=1 Destination unreachable: No route

Overall I've put over 12 hrs into this. I don't know what else to do. On the R7900 at least it would work for a while before stopping. On this one it just doesn't (for outbound requests, inbound seems to work fine)

Update: the router and the client can ping the tunnel server IPv6 (::1) and client (::2), but neither can ping ipv6.google.com

In my (restricted) understanding, this is related to routing or firewall config. the tunnel itself is working.

anyone? bueller?

Your LAN issue still exists if the config you last shared is valid:

I wont be able to provide assistance if you dont configure the device per Tunnelbroker and/or like the config I graciously shared above.

1 Like

Thanks @lleachii

I am working with Tunnelbroker support and will report back. If the router itself can't ping in IPv6, not even tunnelbroker's own 2001:470:0:76::2, there is no point in troubleshooting the LAN at this point.

By any chance, are you running 17.04.5???

I am not running a vanilla 17.01.5. I patched kernel to fix sit.
And the upstream patch is pending.

1 Like