Xaero.org Tech news, reviews, and whatever else I wanna put here!

2 Mar 2010

Configuring a 6in4 tunnel on the pfSense firewall

If you've read my article on connecting to the IPv6 Internet, you should be familiar with the principles of IPv6 over IPv4 connectivity and have some basic IPv6 knowledge.

I've wanted to use IPv6 with my pfSense firewall for quite some time but it seems that the developers don't want to be bothered supporting it. Fear not! There is a way to get IPv6 connectivity, though it won't work through the GUI.

I won't go into a great amount of detail on configuring your end PCs for IPv6 connectivity, except to say that it's generally turned on by default on Linux, that on FreeBSD you need to set "ipv6_enable" in /etc/rc.conf and reboot, and that on Windows XP you need to add the IPv6 protocol (newer versions have it enabled by default). From that point on, your computer will send out router solicitation messages, your pfSense firewall will answer them, and your computer will be allocated an IPv6 address.

For the remainder of this article, I'm using this article (cached version here) as my template. That article is intended for native IPv6 connectivity, not tunneled connectivity. Also note that you should already have configured an IPv6 over IPv4 tunnel; I suggest using a provider such as Hurricane Electric. Lastly, once you have a tunnel configured, you'll want to allow pings from the tunnel's IPv4 endpoint to your firewall so the provider can tell your side is up. I enabled this by going to Firewall/Rules and adding a ping rule that allows only the IPv4 tunnel endpoint to ping your firewall's external IP: protocol ICMP, ICMP type Any, with the source set to the host IP of the remote tunnel endpoint. Don't forget to apply it!

For your pfSense box, you'll want to be running the latest release (1.2.3-RELEASE as of this writing). Be sure to enable SSH from the web GUI, since you'll need to log into the command line. For your tunnel settings, I'll assume the following addresses:

  • WAN IPv6 IP: 2001:db8:0:1::2
  • WAN IPv4 IP: 192.0.2.2
  • WAN IPv4 Tunnel Destination: 192.0.2.15
  • LAN IPv6 allocation: 2001:db8:0:2::/64

Log into your firewall using the credentials you configured when you first set it up. At the menu, use option 8 to drop to a shell. Next, create the following file:

#!/bin/sh
# 00_config-ipv6-if.sh: bring up the 6in4 tunnel and the LAN IPv6 prefix.
# IFOUT = outside (tunnel) interface
# IFIN  = inside (LAN) interface; must match the interface named in /etc/rtadvd.conf
# DFGW  = default IPv6 gateway (the provider's side of the tunnel)
IFOUT="gif0"
IFIN="bge1"
DFGW="2001:db8:0:1::1"

####### Configure the stuff

# Configure the tunnel interface: create gif0, set the IPv4 outer addresses
# (our WAN IP first, then the provider's tunnel endpoint), then our IPv6 address
ifconfig $IFOUT create
ifconfig $IFOUT tunnel 192.0.2.2 192.0.2.15
ifconfig $IFOUT inet6 2001:db8:0:1::2 prefixlen 64
ifconfig $IFOUT up

# Give the LAN interface the first address of the LAN allocation
ifconfig $IFIN inet6 alias 2001:db8:0:2::1 prefixlen 64

# Set the default route (only once; a second add fails with "route already in table")
route -n add -inet6 default $DFGW

# Configure IPv6 forwarding
sysctl net.inet6.ip6.forwarding=1

# My /etc/rtadvd.conf looks like this
#
# bge1:\
#   :addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:
#
# Startup rtadvd (-d and -D only raise its debug logging)
/usr/sbin/rtadvd -d -D -c /etc/rtadvd.conf $IFIN

Save this file as 00_config-ipv6-if.sh under /usr/local/etc/rc.d/ so it will automatically be executed upon reboot, and chmod it to 755 so it is executable. Don't forget to change IFIN to the name of your LAN (inside) interface.

Next we need to configure the pf firewall to allow the tunnel to work. Create a file with the following contents:

#!/bin/sh
# 10_config-ipv6-pf.sh: add IPv6 pass rules to the pf ruleset pfSense generated.
# IFOUT = outside (tunnel) interface
# IFIN  = inside (LAN) interface
IFOUT="gif0"
IFIN="bge1"

####### Configure the stuff

# Configure PF
# pfSense puts its rules in /tmp/rules.debug for debugging purposes after boot.
# We will use these rules, add IPv6 additions after the "User-defined rules
# follow" marker, read the config with pfctl and disable and enable PF.
# sed: print the marker line (p), then replace it with the IPv6 rules;
# a "\\" at the end of a line becomes a newline inside the replacement.
sed "/User-defined rules follow/{
p;s/.*/pass in quick on $IFIN inet6 from any to any\\
pass out quick on $IFIN inet6 from any to any\\
pass out quick on $IFOUT inet6 from any to any\\
pass quick proto ipv6-icmp from any to any\\
# pass in on $IFOUT inet6 proto tcp from any to any port 22/;}" /tmp/rules.debug > /tmp/rules.config-ipv6.txt

# Read the new PF configuration file, then bounce PF so it takes effect
pfctl -f /tmp/rules.config-ipv6.txt
pfctl -d; pfctl -e

Save this file as 10_config-ipv6-pf.sh under /usr/local/etc/rc.d/ and chmod it to 755 so it can execute on startup. Note that pfSense rewrites /tmp/rules.debug and reloads pf whenever the filter is reloaded from the GUI, so the IPv6 rules disappear until this script is run again.
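A variant of the rule-building step, added here as an example and not part of the original post: it performs the same insertion at pfSense's "User-defined rules follow" marker but refuses to write a ruleset if the marker is missing (sed would otherwise pass rules.debug through unchanged and pfctl would load it with no IPv6 rules at all), and it adds an explicit inbound block on the tunnel interface that lets in only the ICMPv6 types needed for path MTU discovery and diagnostics, which addresses the exposure concern raised in the comments. The function name build_ipv6_rules, the file name build_ipv6_rules.sh and the three-line stand-in for rules.debug are assumptions constructed for the example.

```shell
#!/bin/sh
# Assumed helper (not from the original post): build the IPv6 pf ruleset from
# pfSense's generated /tmp/rules.debug, like 10_config-ipv6-pf.sh, but with a
# marker check and an explicit inbound block on the tunnel interface.
MARKER='User-defined rules follow'

# build_ipv6_rules <rules.debug> <lan-if> <tunnel-if> <output>
# Writes <output> and returns 0; returns 2 without writing if the marker is absent.
build_ipv6_rules() {
    src=$1; ifin=$2; ifout=$3; dst=$4
    grep -q "$MARKER" "$src" || { echo "marker '$MARKER' not found in $src" >&2; return 2; }
    # Print the marker line, then replace it with the IPv6 rules. A trailing "\\"
    # becomes a newline inside the sed replacement. Order matters because of
    # "quick": LAN pass, stateful outbound pass (so replies come back in), the
    # limited inbound ICMPv6 pass, and only then the catch-all inbound block.
    sed "/$MARKER/{
p;s/.*/pass quick on $ifin inet6 all\\
pass out quick on $ifout inet6 all keep state\\
pass in quick on $ifout inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach, toobig, timex, paramprob }\\
block in quick on $ifout inet6 all/;}" "$src" > "$dst"
}

# Demo on a constructed three-line stand-in for /tmp/rules.debug (the real file
# is much longer); on a pfSense box, check the output with "pfctl -nf" first.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'block in log all' '# User-defined rules follow' \
        'pass in quick on bge1 inet from any to any' > "$tmp"
    build_ipv6_rules "$tmp" bge1 gif0 "$tmp.v6"
    cat "$tmp.v6"
    rm -f "$tmp" "$tmp.v6"
}

# Run the demo only when executed directly as build_ipv6_rules.sh, not when sourced.
case $0 in *build_ipv6_rules.sh) demo ;; esac
```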

Lastly, create /etc/rtadvd.conf and add the following to it:

bge1:\
:addrs#1:addr="2001:db8:0:2::":prefixlen#64:tc=ether:

Save that file. At this point you can either reboot your pfSense box or execute the two scripts. You should have IPv6 connectivity through your tunnel. You can test it using traceroute6 and ping6. Another great test to try is to go to http://ipv6.google.com. If the logo bounces, you have IPv6 connectivity.

Enjoy!

Comments (13)
  1. “Don’t forget to change the inside interface to the name of your interface.”

    Which interface are you referring to, WAN or LAN?

  2. The LAN interface name should be changed to whatever your actual interface is. I frequently use the Cisco jargon of “inside” and “outside” when talking about NAT so I’m not always mindful of readers’ experience with some technologies. I’ll be more careful and descriptive in the future.

  3. Hi Chris. Thank you for the great tutorial on 6to4 tunneling behind pfSense 1.2.3.

    On the pfSense console I successfully use ping6 and traceroute6 to ipv6.google.com.
    However I still run into the issues below.

    ISSUES: fails to ping6 or traceroute6 on a Fedora 12 laptop and Windows XP behind the pfSense 1.2.3 firewall

    I went into the network manager applet for Fedora 12 and set IPv6 to Automatic, Automatic addresses only, automatic DHCP only,
    but I still only get a local hex inet6 addr: fe80:21e:33::

    In pfSense I tried enabling IPv6 traffic and NAT encapsulated IPv6 => that did not make a difference whether it was enabled or not.
    Still works from pfSense but not from the XP (IPv6 installed) or Fedora 12 PCs.

    Is there something else missing that I might need to do on pfSense 1.2.3 to get the 2 PCs to work with it?

    Using:
    Hurricane Electric Tunnel Broker
    ICMP Pass thru for IP : 66.220.2.74 and the other IPV4 addie given by the tunnelbroker.

    #traceroute6 ipv6.google.com
    1 me-1.tunnel.tserv13.fly-ash9.ipv6.he.net 93.929 ms 94.527 ms 94.469 ms
    2 gige-g4-12.core1.fly-ash1.he.net 92.563 ms 92.536 ms 98.791 ms
    3*left out repeat of 5
    4*left out repeat of what is below
    5 2001:4860::1:0:5db 147.075 ms 105.185 ms 105.201 ms
    6 2001:4860::2:0:a7 108.601 ms 106.623 ms 105.212 ms
    7 2001:4860:0:1::bf 115.521 ms 115.538 ms 108.123 ms
    8 yw-in-x63.1e100.net 108.189 ms 108.336 ms 107.214 ms

    # ping6 ipv6.google.com
    PING6(56=40+8+8 bytes) 2001:470:7:8ee::2 --> 2001:4860:8003::93
    16 bytes from 2001:4860:8003::93, icmp_seq=0 hlim=57 time=107.948 ms
    16 bytes from 2001:4860:8003::93, icmp_seq=1 hlim=57 time=105.751 ms
    16 bytes from 2001:4860:8003::93, icmp_seq=2 hlim=57 time=107.196 ms

  4. Karl,

    Sounds like you don't have the rtadvd daemon running. You may want to check the config for that and make sure it matches your interface names. Alternatively, you could try statically assigning an address.

    Hope that helps!

  5. Isn’t this post actually just about setting up an IPv6 tunnel, not setting up a 6to4 tunnel? 6to4 does not require a tunnel broker and instead uses an anycast address for tunneling traffic.

  6. Great catch! It’s actually referred to as 6in4, not 6to4, so I’ve fixed the article.

  7. Hi Chris,

    I didn’t see till today that you responded to my question :P
    Anyway, the tunnel has been working like a charm, except today.

    My computer died (leaking capacitors), so now I am working on my laptop. After I set up my account in Outlook 2010, Outlook was able to send test emails but it was not able to log on to the mail server of my host to download incoming emails (strange, since outgoing works).
    Telnet using cmd gave a blinking _ and the host did not see my IP pop up in the logs over there. However, from my pfSense router it worked. So I disabled IPv6 on my laptop and guess what, Outlook works?!

    Is there anything in those scripts that might interfere with Outlook?

  8. Never mind, turns out the POP3 server was not listening on IPv6, it does now :)

    But strange that XP won't revert to IPv4 if IPv6 does not work; Windows 7 reverts to IPv4 after a few seconds of no response through IPv6.

  9. Bart,

    I'm glad you've resolved your connectivity problems on your laptop. That is indeed strange that XP doesn't revert to IPv4. I wonder if it's a DNS issue or if the IPv6 stack on XP isn't as mature as on Win7? Regardless, please remember that when you configure a 6in4 tunnel on your pfSense device (or any router for that matter), you are now completely exposed to the Internet and no longer have the inherent protections that NAT gives you, so you'll want to configure some firewall rules for your IPv6 network to keep the bad guys out.

    Chris

  10. Hmm, my last response got removed?

    It’s strange indeed and I think it’s the implementation in XP, but I doubt MS will ever create an update for it.

    As for a firewall, I have installed ESET Smart Security v4.2.71.2 (switching to v5 after I've tested it) on all the clients since it supports IPv6. I set it to interactive mode, so if someone tries to get in I get a warning, and if a program wants to go online I get a warning as well, both with IPv4 and v6. Then it's just a matter of setting it to allow or block it :)

    ps. Can I use this howto with Debian as well, or are there too many differences between Linux and FreeBSD? I'm thinking about ditching pfSense because of the lack of 802.11n support in FreeBSD drivers.

  11. Bart,

    I don't do a lot of work in Debian these days, but the last time I checked, pf was only available on the BSDs (FreeBSD, NetBSD, OpenBSD). I have a few links to some great starter material for iptables under Linux here:

    http://www.xaero.org/index.php/archive/mastering-iptables/

    Hope that helps!

    Chris

  12. Okay.
    I know about IPtables, already have some books about it :) but I’m looking specifically for an IPv6 howto like this one but made for Debian.

  13. Hmm… I don’t know of any off the top of my head, but I’d imagine that you’ll want to change the address family in your IPv4 IPtables script to IPv6. Here’s a sample IPTables filter I’ve grown over the years.


    #!/bin/bash

    IPT=/sbin/iptables
    # For an IPv6 version, point IPT at /sbin/ip6tables and drop the RFC 1918
    # anti-spoofing lines below, which only apply to IPv4 addresses.

    #flush current tables
    $IPT -F

    #allow all outgoing connections
    $IPT -P OUTPUT ACCEPT

    #first, deny all incoming
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Anti-attack stuff
    # (these come before any ACCEPT so spoofed or malformed packets are
    # dropped even when they are aimed at an open port such as 80 below)

    #First, deny loopback and private space arriving on anything but lo
    $IPT -A INPUT ! --in-interface lo --source 127.0.0.0/8 -j DROP
    $IPT -A INPUT ! --in-interface lo --source 10.0.0.0/8 -j DROP
    $IPT -A INPUT ! --in-interface lo --source 172.16.0.0/12 -j DROP
    $IPT -A INPUT ! --in-interface lo --source 192.168.0.0/16 -j DROP

    #Next, drop weird packets with weird TCP states
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A OUTPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

    #Allow responses to connections we initiated...
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #Web
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT

    #Next, rate limit ICMP
    $IPT -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT

    Hope that helps!

