On Sat, Mar 19, 2011 at 4:25 AM, Jakob Schwienbacher <
jakob dot schwienbacher at gmail dot com> wrote:
> Hello Brian,
> Fine to hear that your tunnel is working now properly. Since the IPv6
> MTU is handled in a different way than in IPv4, I didn't understand it
> well right now.
> I figured out a MTU size of 1280 (dirty ping & packet size). So I have
> the MTU of 1280 on each IPv6 client. I have to do some tests in the
> future to understand IPv6 MTU with tunnel configuration. Let me know
> your configuration when it works properly.
My configuration now works properly. The only problem I ended up having was
forgetting to add an IPv6 filter permit rule.
Anyway, here is the sequence, at least for setting up a tunnel to Hurricane
Electric. I suspect it will be the same for most tunnel brokers that are
supporting static IPv6-in-IPv4 tunnels.
1. Your fixed IPv4 address. This will be the near-end (your m0n0wall WAN
interface) IPv4 terminus for the tunnel.
2. The IPv4 address of the far end (tunnel broker) of the IPv4 tunnel.
3. The IPv6 address for the near-end terminus of the tunnel.
4. The IPv6 /64 address block assigned for use inside your network,
probably assigned to the LAN on your network but it could be subnetted
further. (Not going to talk about subnetting.)
I signed up with Hurricane Electric and then created the first tunnel. In
the case of Hurricane Electric I selected the Tunnel Broker and then used
the configuration information provided by them. I know I posted it before
but here it is again so that all the information is in one message.
*IPv6 Tunnel Endpoints*Server IPv4 address:22.214.171.124Server IPv6 address:
IPv6 address:2001:470:*1f04*:d49::2/64*Available DNS Resolvers*Anycasted
IPv6 Caching Nameserver:2001:470:20::2Anycasted IPv4 Caching Nameserver:
126.96.36.199*Routed IPv6 Prefixes and rDNS Delegations*Routed /48:
With this information I set up m0n0wall as follows:
1. Insure that m0n0wall is routing IPv4 properly, that DHCP is working,
and DNS forwarding is working. IPv4 needs to be working properly before an
IPv6 tunnel can be set up.
2. Enable IPv6 under the "System > Advanced" menu.
3. On the WAN interface:
- Set IPv6 mode to Tunnel
- Set IPv6 address to the Client IPv6 address provided by the tunnel
- Enable IPv6 RA (router advertisements)
- Set IPv6 tunnel endpoint to the Server IPv4 address
- NOTE: the IPv6 gateway is left blank as the tunnel appears as a
point-to-point link. The router does not need to know the IPv6 address at
the far end as all traffic entering the tunnel must exit there
(FWIW, the far-end IPv6 address for my tunnel was specified as the Server
IPv6 address -- 2001:470:*1f04*:d49::1.)
4. On the LAN interface:
- Set IPv6 mode to "static"
- Set the IPv6 address to the first address in the Routed /64 block.
In this example that is 2001:470:1f05:d49::1.
- enable (check) Send IPv6 router advertisements, Managed address
configuration, and Other stateful configuration.
5. On the Firewall IPv6 Rules create a rule to allow traffic to pass.
Your policy may be different than mine so I won't make any suggestions here.
For initial testing to ensure your IPv6 configuration is working it may be
best to create a rule that passes everything.
6. I am going to assume you are using the m0n0wall DHCP server. Click on
the "Enable IPv6 DHCP server on LAN interface" check box.
7. Set the DHCP IPv6 range. In my case I am using 2002:439f:8b7d:1::50
8. The DHCP default least time and maximum least time values are
acceptable for testing.
9. The default values for the DNS forwarder are probably acceptable. Set
to your preferences.
This produced a working IPv6 configuration for my school. M0n0all appears to
be providing proper information to clients in DHCP and Clients are able to
use IPv6 after this.
One more comment: if you are planning to run multiple /64 subnets (who
really needs that much address space!) then you would use the /48 prefix and
create your /64s out of that space. You must run router
Hope this helps others needing to enable IPv6 in their networks.
BTW, I am also running 6to4 at my home. 6to4 is a much simpler setup. If
there are people having difficulty setting up 6to4 I will be happy to share
my experience using 6to4 on Comcast's network. (I was part of Comcast's IPv6
Brian Lloyd, WB6RQN/J79BPL
3191 Western Dr.
Cameron Park, CA 95682
brian at lloyd dot com