So, I decided to finally get my EdgeOS HE.net IPv6 tunnel howto done, although it should work in VyOS or Vyatta as well. This is how I have it set up and it is working for me; there are probably other ways to set it up that will work. They may also be more efficient, but I don't want to break a working setup.
Easiest way to do this is to SSH into your EdgeOS device. Then type the following commands to set up your firewall. Change WAN_LOCAL to the name of your IPv4 local firewall ruleset, and adjust the rule number (15) so the new HE.net IPv4 rule lands second in your list.
set firewall ipv6-name tun-in default-action drop
set firewall ipv6-name tun-in description "IPv6 Traffic To Internal"
set firewall ipv6-name tun-in rule 10 action accept
set firewall ipv6-name tun-in rule 10 description "Accept Established-Related"
set firewall ipv6-name tun-in rule 10 state established enable
set firewall ipv6-name tun-in rule 10 state related enable
set firewall ipv6-name tun-in rule 15 action accept
set firewall ipv6-name tun-in rule 15 description "Accept ICMP Echo"
set firewall ipv6-name tun-in rule 15 icmpv6 type echo-request
set firewall ipv6-name tun-in rule 15 protocol ipv6-icmp
set firewall ipv6-name tun-local default-action drop
set firewall ipv6-name tun-local description "IPv6 Traffic To Router"
set firewall ipv6-name tun-local rule 10 action accept
set firewall ipv6-name tun-local rule 10 description "Accept Established-Related"
set firewall ipv6-name tun-local rule 10 state established enable
set firewall ipv6-name tun-local rule 10 state related enable
set firewall ipv6-name tun-local rule 15 action accept
set firewall ipv6-name tun-local rule 15 description "Accept ICMP Echo"
set firewall ipv6-name tun-local rule 15 icmpv6 type echo-request
set firewall ipv6-name tun-local rule 15 protocol ipv6-icmp
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall name WAN_LOCAL rule 15 action accept
set firewall name WAN_LOCAL rule 15 description "HE.net"
set firewall name WAN_LOCAL rule 15 log disable
set firewall name WAN_LOCAL rule 15 protocol icmp
set firewall name WAN_LOCAL rule 15 source address 66.220.2.74
Now we create the tunnel to HE.net. Replace 2001:470:xxxx:482::2/64 with your Client IPv6 address and 184.105.253.14 with your Server IPv4 address.
set interfaces tunnel tun0 address 2001:470:xxxx:482::2/64
set interfaces tunnel tun0 description "HE.net IPv6 Tunnel"
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 firewall in ipv6-name tun-in
set interfaces tunnel tun0 firewall local ipv6-name tun-local
set interfaces tunnel tun0 local-ip 0.0.0.0
set interfaces tunnel tun0 multicast disable
set interfaces tunnel tun0 remote-ip 184.105.253.14
set interfaces tunnel tun0 ttl 255
Next, we need to assign an IPv6 address to our internal interface. On my EdgeRouter X, this is switch0. Other devices could be eth1, eth2, etc. Don't forget to change 2001:470:xxxx:482::1/64 to an IP in your Routed /64 IPv6 Prefix, and 2001:470:xxxx:482::/64 to your Routed /64 IPv6 Prefix.
set interfaces switch switch0 address 2001:470:xxxx:482::1/64
set interfaces switch switch0 ipv6 dup-addr-detect-transmits 1
set interfaces switch switch0 ipv6 router-advert cur-hop-limit 64
set interfaces switch switch0 ipv6 router-advert default-preference high
set interfaces switch switch0 ipv6 router-advert link-mtu 0
set interfaces switch switch0 ipv6 router-advert managed-flag true
set interfaces switch switch0 ipv6 router-advert max-interval 10
set interfaces switch switch0 ipv6 router-advert other-config-flag true
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64 autonomous-flag true
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64 on-link-flag true
set interfaces switch switch0 ipv6 router-advert prefix 2001:470:xxxx:482::/64 valid-lifetime 2592000
set interfaces switch switch0 ipv6 router-advert reachable-time 0
set interfaces switch switch0 ipv6 router-advert retrans-timer 0
set interfaces switch switch0 ipv6 router-advert send-advert true
Next we set the IPv6 routes. Again, don't forget to change 2001:470:xxxx:482:: to your Routed /64 Prefix.
set protocols static route6 2001:470:xxxx:482::/64 next-hop 2001:470:xxxx:482::1
set protocols static interface-route6 ::/0 next-hop-interface tun0
Now, we set up the DHCPv6 server. Again, don't forget to change 2001:470:xxxx:482:: to your Routed /64 Prefix.
set service dhcpv6-server shared-network-name LANIPv6 name-server 2001:470:20::2
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 address-range prefix 2001:470:xxxx:482::/64
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 address-range start 2001:470:xxxx:482::100
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 address-range start 2001:470:xxxx:482::100 stop 2001:470:xxxx:482::200
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 lease-time default 86400
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 lease-time maximum 86400
set service dhcpv6-server shared-network-name LANIPv6 subnet 2001:470:xxxx:482::/64 name-server 2001:470:20::2
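The tunnel, LAN and DHCPv6 steps above all reuse the same masked prefix, which makes it easy to paste the tunnel /64 where the Routed /64 belongs. The script below is an added example (not from this howto or from Ubiquiti) that derives the LAN address and DHCPv6 range from the Routed /64, refuses to proceed if the Client IPv6 address sits inside that prefix, and renders the address-bearing set commands. The sample HE.net values are constructed.

```python
import ipaddress

# Constructed sample values in the same shape HE.net hands out; replace with yours.
SAMPLE = {
    "client_ipv6": "2001:470:1f0e:482::2/64",  # HE.net "Client IPv6 Address"
    "server_ipv4": "184.105.253.14",            # HE.net "Server IPv4 Address"
    "routed_prefix": "2001:470:1f0f:482::/64",  # HE.net "Routed /64"
    "lan_iface": "switch0",                     # internal interface name
}


def lan_plan(client_ipv6, routed_prefix, start=0x100, stop=0x200):
    """Derive the LAN gateway address and DHCPv6 range from the Routed /64.

    Raises ValueError if the prefix is not a /64 or if the tunnel client
    address lies inside it (i.e. the tunnel /64 was pasted by mistake).
    """
    tun = ipaddress.IPv6Interface(client_ipv6)
    routed = ipaddress.IPv6Network(routed_prefix, strict=True)
    if routed.prefixlen != 64:
        raise ValueError("expected a /64 routed prefix")
    if tun.ip in routed:
        raise ValueError("client tunnel address is inside the routed /64; "
                         "the tunnel /64 and the Routed /64 are separate")
    return {
        "lan_addr": f"{routed[1]}/64",            # ::1 on the routed /64
        "range": (str(routed[start]), str(routed[stop])),
    }


def render(client_ipv6, server_ipv4, routed_prefix, lan_iface):
    """Return the set commands from this howto that carry addresses."""
    p = lan_plan(client_ipv6, routed_prefix)
    routed = str(ipaddress.IPv6Network(routed_prefix))
    net = f"set service dhcpv6-server shared-network-name LANIPv6 subnet {routed}"
    return [
        f"set interfaces tunnel tun0 address {client_ipv6}",
        f"set interfaces tunnel tun0 remote-ip {server_ipv4}",
        f"set interfaces switch {lan_iface} address {p['lan_addr']}",
        f"set interfaces switch {lan_iface} ipv6 router-advert prefix {routed}",
        f"set protocols static route6 {routed} next-hop {p['lan_addr'].split('/')[0]}",
        f"{net} address-range start {p['range'][0]} stop {p['range'][1]}",
    ]


if __name__ == "__main__":
    print("\n".join(render(**SAMPLE)))
```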
Finally, we set the EdgeOS device to update DNS-O-Matic. I use this so I can update my OpenDNS and HE.net tunnel info at the same time.
set service dns dynamic interface eth0 service dyndns host-name all.dnsomatic.com
set service dns dynamic interface eth0 service dyndns login YOURUSERNAMEHERE
set service dns dynamic interface eth0 service dyndns password YOURPASSWORDHERE
set service dns dynamic interface eth0 service dyndns server updates.dnsomatic.com
Now commit and save your configuration, and issue a ping6 google.com. You should see valid results. Now reboot your client and ping Google's IPv6 address (the command varies by OS; on Windows it is ping -6 google.com).