[ previous ] [ next ] [ threads ]
 From:  Brian Lloyd <brian at lloyd dot com>
 To:  Jakob Schwienbacher <jakob dot schwienbacher at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: setting up an IPv6 tunnel
 Date:  Sun, 20 Mar 2011 11:52:50 -0700
On Sat, Mar 19, 2011 at 4:25 AM, Jakob Schwienbacher <
jakob dot schwienbacher at gmail dot com> wrote:

> Hello Brian,
> Fine to hear that your tunnel is working now properly. Since the IPv6
> MTU is handled in a different way than in IPv4, I didn't understand it
> well right now.
> http://www.tcpipguide.com/free/t_IPv6DatagramSizeMaximumTransmissionUnitMTUFragment.htm
> I figured out a MTU size of 1280 (dirty ping & packet size). So I have
> the MTU of 1280 on each IPv6 client. I have to do some tests in the
> future to understand IPv6 MTU with tunnel configuration. Let me know
> your configuration when it works properly.

My configuration now works properly. The only problem I ended up having was
forgetting to add an IPv6 filter permit rule.

Anyway, here is the sequence, at least for setting up a tunnel to Hurricane
Electric. I suspect it will be the same for most tunnel brokers that are
supporting static IPv6-in-IPv4 tunnels.

Information needed:

   1. Your fixed IPv4 address. This will be the near-end (your m0n0wall WAN
   interface) IPv4 terminus for the tunnel.
   2. The IPv4 address of the far end (tunnel broker) of the IPv4 tunnel.
   3. The IPv6 address for the near-end terminus of the tunnel.
   4. The IPv6 /64 address block assigned for use inside your network,
   probably assigned to the LAN on your network but it could be subnetted
   further. (Not going to talk about subnetting.)

I signed up with Hurricane Electric and then created the first tunnel. In
the case of Hurricane Electric I selected the Tunnel Broker and then used
the configuration information provided by them. I know I posted it before
but here it is again so that all the information is in one message.

*IPv6 Tunnel Endpoints*Server IPv4 address: IPv6 address:
2001:470:*1f04*:d49::1/64Client IPv4
IPv6 address:2001:470:*1f04*:d49::2/64*Available DNS Resolvers*Anycasted
IPv6 Caching Nameserver:2001:470:20::2Anycasted IPv4 Caching Nameserver:*Routed IPv6 Prefixes and rDNS Delegations*Routed /48:
2001:470:8301::/48Routed /64:2001:470:*1f05*:d49::/64

With this information I set up m0n0wall as follows:

   1. Insure that m0n0wall is routing IPv4 properly, that DHCP is working,
   and DNS forwarding is working. IPv4 needs to be working properly before an
   IPv6 tunnel can be set up.
   2. Enable IPv6 under the "System > Advanced" menu.
   3. On the WAN interface:
      - Set IPv6 mode to Tunnel
      - Set IPv6 address to the Client IPv6 address provided by the tunnel
      - Enable IPv6 RA (router advertisements)
      - Set IPv6 tunnel endpoint to the Server IPv4 address
      - NOTE: the IPv6 gateway is left blank as the tunnel appears as a
      point-to-point link. The router does not need to know the IPv6 address at
      the far end as all traffic entering the tunnel must exit there
      (FWIW, the far-end IPv6 address for my tunnel was specified as the Server
      IPv6 address -- 2001:470:*1f04*:d49::1.)
   4. On the LAN interface:
      - Set IPv6 mode to "static"
      - Set the IPv6 address to the first address in the Routed /64 block.
      In this example that is 2001:470:1f05:d49::1.
      - enable (check) Send IPv6 router advertisements, Managed address
      configuration, and Other stateful configuration.
   5. On the Firewall IPv6 Rules create a rule to allow traffic to pass.
   Your policy may be different than mine so I won't make any suggestions here.
   For initial testing to ensure your IPv6 configuration is working it may be
   best to create a rule that passes everything.
   6. I am going to assume you are using the m0n0wall DHCP server. Click on
   the "Enable IPv6 DHCP server on LAN interface" check box.
   7. Set the DHCP IPv6 range. In my case I am using 2002:439f:8b7d:1::50
   to 2002:439f:8b7d:1::70.
   8. The DHCP default least time and maximum least time values are
   acceptable for testing.
   9. The default values for the DNS forwarder are probably acceptable. Set
   to your preferences.

This produced a working IPv6 configuration for my school. M0n0all appears to
be providing proper information to clients in DHCP and Clients are able to
use IPv6 after this.

One more comment: if you are planning to run multiple /64 subnets (who
really needs that much address space!) then you would use the /48 prefix and
create your /64s out of that space. You must run router

Hope this helps others needing to enable IPv6 in their networks.

BTW, I am also running 6to4 at my home. 6to4 is a much simpler setup. If
there are people having difficulty setting up 6to4 I will be happy to share
my experience using 6to4 on Comcast's network. (I was part of Comcast's IPv6

Brian Lloyd, WB6RQN/J79BPL
3191 Western Dr.
Cameron Park, CA 95682
brian at lloyd dot com
+1.767.617.1365 (Dominica)
+1.931.492.6776 (USA)