EdgeOS HE.net IPv6 Tunnel

So, I decided to finally get my EdgeOS HE.net IPv6 tunnel howto done, although it should work on VyOS or Vyatta as well.  This is how I have it set up and it works for me; there are probably other ways to set it up that will also work, and they may be more efficient, but I don’t want to break a working setup.

The easiest way to do this is to SSH into your EdgeOS device, then type the following commands to set up your firewall.  Change WAN_LOCAL to the name of your IPv4 local firewall ruleset, and change the rule number 15 so that the new HE.net IPv4 firewall rule is placed second in your list.

set firewall ipv6-name tun-in default-action drop
set firewall ipv6-name tun-in description "IPv6 Traffic To Internal"
set firewall ipv6-name tun-in rule 10 action accept
set firewall ipv6-name tun-in rule 10 description "Accept Established-Related"
set firewall ipv6-name tun-in rule 10 state established enable
set firewall ipv6-name tun-in rule 10 state related enable
set firewall ipv6-name tun-in rule 15 action accept
set firewall ipv6-name tun-in rule 15 description "Accept ICMP Echo"
set firewall ipv6-name tun-in rule 15 icmpv6 type echo-request
set firewall ipv6-name tun-in rule 15 protocol ipv6-icmp
set firewall ipv6-name tun-local default-action drop
set firewall ipv6-name tun-local description "IPv6 Traffic To Router"
set firewall ipv6-name tun-local rule 10 action accept
set firewall ipv6-name tun-local rule 10 description "Accept Established-Related"
set firewall ipv6-name tun-local rule 10 state established enable
set firewall ipv6-name tun-local rule 10 state related enable
set firewall ipv6-name tun-local rule 15 action accept
set firewall ipv6-name tun-local rule 15 description "Accept ICMP Echo"
set firewall ipv6-name tun-local rule 15 icmpv6 type echo-request
set firewall ipv6-name tun-local rule 15 protocol ipv6-icmp
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall name WAN_LOCAL rule 15 action accept
set firewall name WAN_LOCAL rule 15 description "HE.net"
set firewall name WAN_LOCAL rule 15 log disable
set firewall name WAN_LOCAL rule 15 protocol icmp
set firewall name WAN_LOCAL rule 15 source address 66.220.2.74

Now we create the tunnel to HE.net.  Replace 2001:470:xxxx:482::2/64 with your Client IPv6 address and 184.105.253.14 with your Server IPv4 address, both as shown on your tunnel details page at HE.net.

set interfaces tunnel tun0 address 2001:470:xxxx:482::2/64
set interfaces tunnel tun0 description "HE.net IPv6 Tunnel"
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 firewall in ipv6-name tun-in
set interfaces tunnel tun0 firewall local ipv6-name tun-local
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip 184.105.253.14
set interfaces tunnel tun0 ttl 255

Next, we need to assign an IPv6 address to our internal interface.  On my EdgeRouter X this is switch0; on other devices it could be eth1, eth2, etc.  Don’t forget to change 2001:470:xxxx:482::1/64 to an address in your Routed /64 IPv6 Prefix, and 2001:470:xxxx:482::/64 to your Routed /64 IPv6 Prefix.

set interfaces switch switch0 address 2001:470:xxxx:482::1/64
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert default-preference high
set interfaces switch switch0 ipv6 router-advert link-mtu 0
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 10
set interfaces switch switch0 ipv6 router-advert other-config-flag true
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64 autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64 on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64 valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true

Next we set the IPv6 next hops: a static route for your Routed /64 and the IPv6 default route out through tun0.  Again, don’t forget to change 2001:470:xxxx:482:: to your Routed /64 Prefix.

set protocols static route6 2001:470:xxxx:482::/64 next-hop 2001:470:xxxx:482::1
set protocols static interface-route6 ::/0 next-hop-interface tun0

Now we set up the DHCPv6 server.  Again, don’t forget to change 2001:470:xxxx:482:: to your Routed /64 Prefix.

set service dhcpv6-server shared-network-name LANIPv6 name-server 2001:470:20::2
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 address-range prefix 2001:470:xxxx:482::/64
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 address-range start 2001:470:xxxx:482::100
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 address-range start 2001:470:xxxx:482::100 stop 2001:470:xxxx:482::200
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 lease-time default 86400
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 lease-time maximum 86400
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 name-server 2001:470:20::2

Finally, we set the EdgeOS device to update DNS-O-Matic.  I use this so that my OpenDNS and HE.net tunnel endpoint info are updated at the same time whenever my WAN IPv4 address changes.

set service dns dynamic interface eth0 service dyndns host-name all.dnsomatic.com
set service dns dynamic interface eth0 service dyndns login YOUUSERNAMEHERE
set service dns dynamic interface eth0 service dyndns password YOURPASSWORDHERE
set service dns dynamic interface eth0 service dyndns server updates.dnsomatic.com

Now commit and save your configuration, and run ping6 google.com from the router.  You should see valid replies; now reboot your client and ping Google’s IPv6 address from it (the command varies by OS; on Windows it is ping -6 google.com).
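To tie the tunnel, LAN, route and DHCPv6 steps above together, here is an added Python helper (my own example, not part of the original post or EdgeOS) that takes the three values from the HE.net tunnel page, rejects the mistakes that quietly break this setup (a non-/64 mask, a private server address, host bits set in the routed prefix, a reversed DHCPv6 range), and prints the matching EdgeOS set commands. The 2001:db8:: addresses are constructed sample values; the firewall and DNS-O-Matic lines are unchanged from the post and not generated here.

```python
import ipaddress

def he_tunnel_config(client_ipv6, server_ipv4, routed_prefix,
                     lan_if="switch0", dhcp_start=0x100, dhcp_stop=0x200):
    """Check HE.net tunnel parameters; return EdgeOS 'set' commands or raise ValueError."""
    client = ipaddress.IPv6Interface(client_ipv6)       # Client IPv6 address with /64
    server = ipaddress.IPv4Address(server_ipv4)         # Server IPv4 address
    routed = ipaddress.IPv6Network(routed_prefix, strict=True)  # host bits set -> error
    if client.network.prefixlen != 64:
        raise ValueError("tunnel client address must carry a /64 mask")
    if not server.is_global:
        raise ValueError("tunnel server must be a public IPv4 address")
    if routed.prefixlen != 64:
        raise ValueError("router-advert prefix must be a /64 for SLAAC")
    if not 0 < dhcp_start < dhcp_stop < 2**64:
        raise ValueError("DHCPv6 range must be ordered and fit inside the /64")
    base = int(routed.network_address)
    gw = ipaddress.IPv6Address(base + 1)  # LAN gateway: ::1 of the routed /64
    start = ipaddress.IPv6Address(base + dhcp_start)
    stop = ipaddress.IPv6Address(base + dhcp_stop)
    tun = "set interfaces tunnel tun0"
    lan = f"set interfaces switch {lan_if}"
    ra = f"{lan} ipv6 router-advert prefix {routed}"
    dhcp = f"set service dhcpv6-server shared-network-name LANIPv6 subnet {routed}"
    return [
        f"{tun} address {client}",
        f"{tun} encapsulation sit",
        f"{tun} firewall in ipv6-name tun-in",
        f"{tun} firewall local ipv6-name tun-local",
        f"{tun} local-ip 0.0.0.0",
        f"{tun} remote-ip {server}",
        f"{tun} ttl 255",
        f"{lan} address {gw}/64",
        f"{ra} autonomous-flag true",
        f"{ra} on-link-flag true",
        f"{lan} ipv6 router-advert send-advert true",
        f"set protocols static route6 {routed} next-hop {gw}",
        "set protocols static interface-route6 ::/0 next-hop-interface tun0",
        f"{dhcp} address-range start {start} stop {stop}",
        f"{dhcp} lease-time default 86400",
    ]

def params_ok(client_ipv6, server_ipv4, routed_prefix):
    """True if he_tunnel_config accepts the parameters, False if it rejects them."""
    try:
        he_tunnel_config(client_ipv6, server_ipv4, routed_prefix)
        return True
    except ValueError:
        return False

if __name__ == "__main__":  # constructed sample values, not real HE.net assignments
    print("\n".join(he_tunnel_config("2001:db8:1:482::2/64", "184.105.253.14",
                                     "2001:db8:2:482::/64")))
```

Paste the printed lines into configure mode on the router, then commit and save as described above.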