
Author Topic: IPv6 with Hurricane Electric Tunnel Broker - Documentation out of date  (Read 1253 times)


Offline britesc

Hi,
I am using 2.3.3-RELEASE-p1 (amd64)  and have been trying to follow the documentation pointed to by Hurricane Electric but it is not appropriate to my release as there are some major differences. This has left me with a half configured HE tunnel as I am not sure exactly what to do.
Is there anyone who is running 2.3.3-RELEASE-p1 (amd64) and a Hurricane Electric Tunnel that can walk me through the steps I need?
Apart from being disabled I am also partially sighted and need good, easy documentation to follow, rather than having to try and pull ideas from numerous sources.

Thank you to any kind soul, prepared to help.
Kind regards,
jB

Offline johnpoz

I can take a look at the docs and update anything on the pfsense wiki sure.

Please point out the doc HE is pointing to or you're looking at.  Have not looked at it in a while but it's pretty basic.. prob could just use a bit of refresh on some screenshots, etc.  The basics would still be the same..

You're talking about this right?
https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

Yeah just read through it and all the basics are still the same just some outdated images is all..

Have to run some errands but when I get back I will update the images and doublecheck all the wording.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline britesc

Hi johnpoz,
Thank you very much..
Regards,
jB


Offline johnpoz

Ok I updated it.. But there really was nothing changed other than how it looks.. I mean really - that was still valid on how it's done.. If you could not figure it out from those instructions??

What exactly is not working??

Offline britesc

Thank you for the update.
As I am partially sighted I was relying on the pictures rather than words which I also tend to forget easily.
With a picture I can do a comparison to see what needs to be done.
Also if really stuck, my wife can help me, she too needs pictures as she is still trying to come to terms with why windows 3.1 was scrapped and especially word 2!!!

I will start from the beginning again and if I get stuck will post my progress here...

Appreciate your support.
Kind regards and thanks,
jB  8)

Offline johnpoz

Ah -- that makes more sense now..  Thanks for killing my curiosity cat..

Yeah if you run into any issues - just let me know.. Happy to post BIGGER pictures if that helps, etc.

Offline britesc

Haven't done it yet so was going to say thanks then but will say many thanks now so I don't appear rude.
Thank you

Offline pbnet

« Reply #7 on: February 14, 2018, 07:31:34 am »
@johnpoz

Quick question:
I have the following setup:
- WAN over PPPoE that offers both IPv4 and IPv6 (::/64)
- LAN (IPV4 DHCP, IPv6 using track WAN)
- LAN2 (different VLAN) - IPv4 DHCP

I tried to set up an HE.NET IPv6 TunnelBroker, and when setting up the IPv6 static IP on LAN2 (following the article: https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker), I get IP address overlapping - a bit normal since both IP addresses in the guide are in the same /64 if I read correctly.
Any idea ? Is my scenario even supported ?

Thanks,
Andy.

Offline Gertjan

« Reply #8 on: February 14, 2018, 08:59:58 am »
Instead of this :
- WAN over PPPoE that offers both IPv4 and IPv6 (::/64)
- LAN (IPV4 DHCP, IPv6 using track WAN)
make your scenario look like this :
Quote
- WAN over PPPoE that offers IPv4 only.
- LAN (static IPV4 Ip - having the DHCP server dealing out the IPv4 on LAN).
Now, apply the  https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker

Your case is : dealing with a /64 from he.net and a /64 from your ISP. Probably possible (but why ?).

Offline pbnet

« Reply #9 on: February 15, 2018, 12:19:41 am »
Thanks Gertjan.

Well, if I get a /48 or /56 from HE.NET it will probably work.
Why: because I have 2 VLANs and would like to have IPv6 on both VLANs, which I can't do with a /64 from my ISP.
I'm open to any suggestions.

Thanks,
Andy.

Offline Gertjan

« Reply #10 on: February 15, 2018, 03:54:37 am »
Ah, ok. I understand now.

When my ISP becomes IPv6-minded they will probably also pass along just a /64 - just for one LAN segment. I'm using my second LAN == OPT1 only for captive portal access, and the captive portal isn't IPv6 ready yet.

I'll be having the same question as you do now in the future.
I'd be glad to help, but : impossible to activate 2 he.net accounts on the same (WAN) IPv4 so I can add one /64 (first /64) to LAN and the second account to OPT1 (second interface).

You could do this :
Use the /56 from he.net.
From this /56, use the first /64 for LAN, the second /64 for your next interface.
This means not using the IPv6 facilities from your ISP.

Btw : still, I guess it's possible to assign the /64 from your ISP to LAN, and a /64 from he.net to your second interface.

Offline johnpoz

« Reply #11 on: February 15, 2018, 04:32:04 am »
That ISPs would give out only 1 /64 is asinine... They should at min give out a /60, but you know you could make an argument that any site should get a /48.  According to ARIN policy a site is a building - so your home should get a /48..

https://www.arin.net/policy/nrpm.html
ARIN Number Resource Policy Manual
---
6.5.8.2.1. Standard sites
A site is a discrete location that is part of an organization's network.

An organization may request up to a /48 for each site in its network
---
It's not like there is an issue with available space...

To be honest I would forget your ISP even supports ipv6 if they are not going to do it correctly.  Can you not request a different prefix size? /56 or /60?  If not then forget them and just use HE..  Little reason to use /64 and /48 from ARIN unless you wanted to use the HE /64 for your guest segment and all your others out of your /48...

So a /24 prefix is the min isp allocation.. You're talking 16,777,216 /48's why are they giving you 1 /64??  Not like they can not get bigger than /24  If they gave you /56 that is more than 4G sites... Come on - why are they making it difficult by giving you 1 /64.. Just plain moronic!!!
« Last Edit: February 15, 2018, 04:39:28 am by johnpoz »

Offline Gertjan

« Reply #12 on: February 15, 2018, 02:36:32 pm »
That ISPs would give out only 1 /64 is asinine... ...
.... Come on - why are they making it difficult by giving you 1 /64.. Just plain moronic!!!
Oh, man, I understand that so well.
I just forwarded your message to the main support forum of Orange, the biggest ISP in France and Europe (120 million ++ clients).
They just started to implement IPv6 a couple of months ago ...
At least 30 million boxes have hardware that can't operate with IPv6 (chips are IPv4 hard-wired).
10 $ for each new box  - 20 $ for shipping and handling (can't outsource that one to a low salary country ^^).

I guess I will be using he.net for a long time  :)

Offline pbnet

« Reply #13 on: February 16, 2018, 04:06:33 am »
@Gertjan

I know how it is...
I have a /64 for about 3 years now, since Digi (the main ISP in Romania) provides it.
Sadly, the move to /56 will come sometime this year (no timeline defined).

Now back to our sheep (revenons a nos moutons :) )...
I can't seem to find a way to assign the /64 from Hurricane Electric to the second VLAN I have.
I only have a LAN tab, that points to VLAN1 and I need to get HE's V6 to VLAN2 (that is on a different NIC Card).

If I can't figure it out, I'll probably send them an e-mail.

@Community: any ideas on how to assign a specific NIC to HE V6 ?

Thanks,
Andy

Offline kpa

« Reply #14 on: February 16, 2018, 04:46:12 am »
Quote
@Community: any ideas on how to assign a specific NIC to HE V6 ?

Assign interfaces to your liking from the console menu (option 1) or do it from the webgui (Interfaces->Assignments). Then make sure the interface where you want to use the /64 prefix is enabled (Interfaces-><NAME>->"Enable"). Then set the IPv6 configuration type for the interface to "Static IPv6" and assign an address from the /64 prefix to it; any address is fine but people usually use the ::1 address from the prefix for the interface on the router.
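
Added example, not part of any post in this thread: a sketch of the addressing plan discussed in replies #10 and #14, giving each interface its own /64 out of a larger routed prefix with the router at ::1, plus a check for one way an overlap arises (putting an address from an already-used /64 on a second interface). All prefixes are constructed from the 2001:db8::/32 documentation range, and the interface names and the functions `conflicts` and `plan_interfaces` are hypothetical.

```python
import ipaddress

# Constructed sample: addresses already on the firewall (documentation range).
CONFIGURED = {
    "HE_TUNNEL": "2001:db8:aaaa:1::2/64",  # tunnel endpoint /64, not for LANs
    "LAN": "2001:db8:bbbb:1::1/64",        # /64 tracked from the ISP
}

def conflicts(candidate, configured):
    """Names of configured interfaces whose /64 overlaps the candidate address."""
    cand = ipaddress.IPv6Interface(candidate).network
    return [name for name, addr in configured.items()
            if ipaddress.IPv6Interface(addr).network.overlaps(cand)]

def plan_interfaces(routed_prefix, interfaces, in_use=()):
    """Give each interface its own /64 from routed_prefix, router at ::1."""
    routed = ipaddress.IPv6Network(routed_prefix)
    if routed.prefixlen > 64:
        raise ValueError("routed prefix is longer than /64")
    taken = [ipaddress.IPv6Interface(a).network for a in in_use]
    candidates = routed.subnets(new_prefix=64)  # lazy: a /48 holds 65536 /64s
    plan = {}
    for name in interfaces:
        for net in candidates:
            if not any(net.overlaps(t) for t in taken):
                plan[name] = (net, net.network_address + 1)
                taken.append(net)
                break
        else:
            raise ValueError(f"no free /64 left for {name}")
    return plan

if __name__ == "__main__":
    # Reusing the tunnel's own /64 on a second LAN collides with the tunnel.
    print(conflicts("2001:db8:aaaa:1::3/64", CONFIGURED))
    # A routed /48 (constructed) yields one distinct /64 per VLAN.
    for name, (net, addr) in plan_interfaces(
            "2001:db8:cccc::/48", ["LAN2", "OPT2"], CONFIGURED.values()).items():
        print(name, net, f"{addr}/64")
```

A single routed /64 passed to `plan_interfaces` with two interface names raises `ValueError`, which is the one-/64-for-two-VLANs limit raised in reply #9.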