Configuring an IPv6 Tunnel with Hurricane Electric
My ISP at home is great. I have infinite bandwidth because they have no idea how to do any rate limiting. Heck, they’re not even skilled enough to know that I have several public IP addresses from their DHCP server. That means, though, that they’re not ready for IPv6. They’ve ignored my emails and support tickets asking about their deployment strategy, so I gave up and looked at turning up a tunnel with a broker. I chose Hurricane Electric for no particular reason; they were just the first ones I found. The setup was super-easy and works flawlessly.
When you add a new tunnel to your account, you are given a 64-bit IPv6 network to use at your local site and you have the option of asking for a 48-bit network as well. I’m not planning on having more than one IPv6 subnet right now and the number of hosts don’t quite reach 1.84467441 × 1019, so I opted to stick with the provided network. HE also provides an IOS configlet for your end of the tunnel. Here’s the config I’m using sans the default route out Tunnel0.
interface Tunnel0 description To Hurricane Electric IPv6 no ip address ipv6 address 2001:470:1F0E:446::2/64 ipv6 traffic-filter ACL-TUN0 in ipv6 inspect INSP-OUT out tunnel source FastEthernet0/1 tunnel destination 220.127.116.11 tunnel mode ipv6ip end
We’re talking IOS here. I have an ASA 5505 on the head of my network, and, though it supports IPv6 routing (and filtering), it doesn’t support the manual tunnel used to connect to HE. I ended up picking an 1841 off of eBay to run parallel to my firewall. There are other ways to connect the tunnel, though, and HE provides configurations for lots of platforms like Windows and Linux hosts; I’m a network guy, though…why not just install more network gear?
Don’t get caught up in the warm glow of IPv6, though. This is the open Internet just like when your grandmother plugs the new Macbook Pro you got her directly into the cable modem. You will need to put in some filtering and inspection to protect yourself at the edge. Though beyond scope today, take a look at the lines for ipv6 inspect and ipv6 traffic-filter for a starting point.
native IPv6 support questions my way.
- Netbox Upgrade Play-by-play - April 25, 2023
- Sending Slack Messages with Python - March 15, 2023
- Using Python Logging to Figure Out What You Did Wrong - February 26, 2023
As a shameless plug, here’s my tutorial for building it on a Linux box and adding the processes to hand out RAs and allow IPv6 forwarding
What I want to know is how did you land such a sweet deal with your ISP. We only have two choices where I leave – Cable with Time Warner – or DSL with Frontier. They both are pitiful and expensive.
Does the router has public IP address on the FastEthernet0/1 interface?
I’m trying to do the same config behind a NAT router (DSL router) and I cannot get the ping replies from the default IPv6 GW.
Hi, Dan. The f0/1 interface does indeed have a public IP. I tried and failed to get this working inside my 5505, so I used my ISP’s ignorance and cabled my router parallel to it. I’m sure the key involves protocol 41 passing through the NAT device.
I digged a big trough the protocols and the conclusion is:
IPv6IP is a tunnel that uses protocol number 41 and like GRE it cannot go over NAT.
The only thing you can do is to instruct the DSL router to forward that one to a host (I am behind a DSL router).
What other people do is to overcome this is IPv6overUDPoverIPv4 (gogonet does this with the TSP protocol).