IPv6 through a TunnelBroker on OPNSense

Miha Kralj: Software Engineering Nerd
Published in The Startup
7 min read · May 27, 2020

My ISP is nice, but a bit slow and dense. It serves me with one single dynamic IPv4 address and doesn’t give a rat’s ass about the IPv6 protocol. Their thinking is simple: if IPv4 was good enough a decade ago (when we had 500 kbps links), why change it now, right? According to the technical support of my ISP behemoth, IPv6 is too new, not in demand and therefore not on their future roadmap at all.

The IPv6 standard is not new (it was formalized in 1998) and it definitely is in demand, according to the current IPv4 exhaustion report. Out of the five registries that coordinate allocation of addresses globally, only AFRINIC has a few old IPv4 addresses left, and they will deplete them all this year, opening up a black market of IPv4 address reselling.

I cannot put this more plainly: YOU NEED YOUR HOME IPv6 ALLOCATION ASAP.

Luckily we don’t need to wait for ISPs and their mercy to get IPv6 networks allocated. We can route IPv6 traffic from home devices through an IPv4 tunnel to the nearest IPv6 tunnel broker and enable IPv6 independently of the ISP. Think of it as a VPN tunnel with the explicit purpose of enabling routing and flow of IPv6 traffic.

Note: when you choose a VPN provider (if you need one), make sure to select the one that offers both IPv4 and IPv6 routing through VPN. Once you start investigating, you’ll be surprised how few VPN providers actually do that… Before you ask, I use Perfect Privacy VPN, because reasons.

There are many IPv6 tunnel brokers available, although they are slowly disappearing as more and more ISPs are adopting native IPv6. I am a faithful user of Hurricane Electric tunnel broker because they are free, offer beefy /48 network allocations, and they are awesome.

Establishing IPv6-in-IPv4 with HE Tunnel Broker and OPNSense

Step 1: Your OPNSense firewall needs to be connected directly to the Internet. If your device is hidden behind your ISP’s NAT, you will need to configure a firewall rule to allow IP protocol 41 (6in4) to enter your network and reach OPNSense. OPNSense (or whatever device faces the WAN) also needs to allow inbound ICMPv4 traffic from the WAN side. If you are paranoid and prefer to disable ICMPv4 (which is NOT a good idea), you can restrict the inbound ICMPv4 traffic to allow only ECHO_REQUEST messages originating from the assigned HE TunnelBroker Server IPv4 address.

Step 2: Head to tunnelbroker.net, create an account and create a new IPv6 tunnel at the server that is the closest to your location. They have plenty of endpoint locations to choose from:

Once your tunnel is created, do not forget to request a /48 IPv6 prefix in the control panel of your new IPv6 tunnel. I know, I know, you think that the default /64 network is gigantic already, why would you ever need an even larger network space for your tiny home, right? Let me explain how IPv6 addressing works, and you will understand that /64 network is actually not that large.

Global Unicast Addresses (GUA) have the first 3 and the last 64 bits reserved. The remaining 61 bits in the middle are divided between the global routing prefix and the Subnet ID.

The SLAAC (Stateless Address Autoconfiguration) mechanism, which we will use to configure IP addresses, allows auto-assignment of unique IPv6 addresses to devices on the network, and it requires a full /64 network to work. So, if you ever want more than one SLAAC-enabled network at home, you need more than one /64 network. I have three interfaces on my OPNSense, so I need (at least) three /64 networks, or one larger network that can be subdivided. TunnelBroker offers either a /64 or a /48, no other alternatives.

So, grab that /48 while you are at the Tunnel Details page — you will need it later.

There are five essential pieces of information that you should write down and remember while at the TunnelBroker console — we will need them in a jiffy:

Step 3: Add a GIF tunnel to your OPNSense. This is not a common type of interface; it is hidden a bit, but you will find it if you dig into Interfaces — Other Types — GIF.

Add a new GIF tunnel port with the following details:

Parent interface: WAN
GIF remote address: [assigned Server IPv4]
GIF tunnel local address: [assigned Client IPv6]
GIF tunnel remote address: [assigned Server IPv6] /64
Route Caching: disabled
ECN friendly behavior: disabled

Step 4: Assign the GIF tunnel port to a new interface. You will find assignments in Interfaces — Assignments. Select the GIF tunnel for a New Interface and hit the + sign next to it. A new network interface will appear under your Interfaces, probably named something like OPT4. Select it, enable it, and rename it to whatever your heart desires (I named it TUN for, you know, Tunnel). With that set, your OPNSense should have an active IPv6 connection to the world that terminates on OPNSense.

Step 5: Set IPv6 firewall rules. I keep this one really simple with only three rules assigned to TUN interface:

- Allow all inbound IPv6 ICMP traffic from any sources
- Deny any outbound traffic to 2620:108:700f::/48
- Deny any outbound traffic to 2a01:578:3::/48

The first rule is kinda obvious — IPv6 management relies heavily on ICMP controls and you should let ICMP flow, even if you are paranoid. (note to self: don’t be paranoid, IPv6 will work better if you are not)

The second and the third rule are not that obvious; they deny IPv6 flow to Netflix servers. Yes, Netflix. Netflix hates VPNs or proxy servers because… Reasons. Tunnel Broker uses exit endpoints that are registered as VPN exits and as Netflix hates VPNs, you won’t be able to Netflix through TunnelBroker. We have to block IPv6 traffic to Netflix, so streaming clients will downgrade to IPv4 and keep streaming.

Step 6: Assign IPv6 to your LAN interfaces. What fun is it to have IPv6 on the WAN port of your router if the rest of your home networks can’t see it? Head to each of your LAN interfaces, set IPv6 Configuration type to Static IPv6, and assign them a static IPv6 address that is in the range of your routed /48 space (as given to you by TunnelBroker). I used an IPv6 subnetting calculator to split my /48 into 4 networks, because I have three LAN interfaces:

Each OPNSense LAN interface gets its own publicly routable IPv6 address — I typically assign the first address (::1) of each subnet to the LAN port. Repeat the below process for each of your LAN interfaces, save and apply changes as you go:
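Carving the routed /48 into one /64 per LAN and taking ::1 of each for the router is exactly the kind of thing a subnetting calculator does for you; the following added example (not code from the article or from OPNSense) does the same with Python's standard `ipaddress` module so the plan is reproducible and reviewable. The /48 shown (`2001:db8:1234::/48`) is the IPv6 documentation prefix standing in for your real TunnelBroker allocation, and the interface names are made up for the example.

```python
import ipaddress

# Constructed placeholder: the documentation prefix 2001:db8::/32 stands in for
# the routed /48 that tunnelbroker.net assigns to you. Substitute your own.
ROUTED_48 = "2001:db8:1234::/48"

# Assumed interface names for this example; they are not OPNSense defaults.
LAN_INTERFACES = ["LAN", "GUEST", "IOT"]


def count_subnets(routed_prefix, new_prefix=64):
    """Number of /new_prefix networks that fit in routed_prefix.

    A /48 holds 2**(64-48) = 65536 distinct /64s, which is why the article
    tells you to grab the /48 rather than a single /64."""
    routed = ipaddress.ip_network(routed_prefix)
    if new_prefix < routed.prefixlen:
        raise ValueError("new prefix must not be shorter than the routed prefix")
    return 2 ** (new_prefix - routed.prefixlen)


def slaac_capable(network):
    """SLAAC on common operating systems needs a 64-bit interface identifier,
    so only an exact /64 qualifies for a LAN that should autoconfigure."""
    return ipaddress.ip_network(network).prefixlen == 64


def plan_lan_subnets(routed_prefix, interfaces, new_prefix=64):
    """Assign consecutive /new_prefix subnets to the given interfaces.

    Returns a dict: interface name -> (subnet, router interface address).
    The router address is ::1 of each subnet, matching the article's habit
    of giving the LAN port the first address of the subnet."""
    routed = ipaddress.ip_network(routed_prefix)
    if count_subnets(routed_prefix, new_prefix) < len(interfaces):
        raise ValueError("not enough subnets for all interfaces")
    plan = {}
    # subnets() yields the child networks in address order; zip stops when
    # every interface has one, so the rest of the /48 stays free for later.
    for name, subnet in zip(interfaces, routed.subnets(new_prefix=new_prefix)):
        router = ipaddress.ip_interface(
            f"{subnet.network_address + 1}/{subnet.prefixlen}"
        )
        plan[name] = (subnet, router)
    return plan


if __name__ == "__main__":
    print(f"{ROUTED_48} holds {count_subnets(ROUTED_48)} /64 networks")
    for name, (subnet, router) in plan_lan_subnets(ROUTED_48, LAN_INTERFACES).items():
        print(f"{name:6s} subnet {subnet}  router {router}")
```

Run it as a script and paste each router address into the Static IPv6 field of the corresponding LAN interface; the check in `slaac_capable` is a reminder that a /56 or /60 on a LAN will look fine on the router but will not hand out addresses by SLAAC.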

Step 7: Enable RA and SLAAC. How do IPv6 addresses get to clients on LAN networks? While DHCPv6 exists, it is very rarely used, as the IPv6 standard includes a much cooler way to assign addresses. As explained at the beginning, routers regularly advertise their IPv6 prefixes through RAs (Router Advertisements) on each LAN interface, so all IPv6-capable devices can hear the RA messages. Devices then use SLAAC (StateLess Address AutoConfiguration) to generate their own IPv6 address, based on the advertised prefix and their own hardware MAC address. If you can, avoid DHCPv6 and use RA and SLAAC instead.
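To make the "prefix plus MAC address" step concrete, here is an added example (not from the article) that derives a SLAAC address the classic way: the 48-bit MAC is expanded to a modified EUI-64 interface identifier (RFC 4291, appendix A) and appended to the advertised /64. The reverse function shows why this matters from a privacy standpoint: an EUI-64 address leaks the device's MAC, which is why modern operating systems default to randomized (RFC 4941 temporary or RFC 7217 stable) identifiers instead. Prefix and MAC below are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A):
    insert ff:fe between the OUI and the device part, then flip the
    universal/local bit (bit 1 of the first octet)."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    octets = bytes(int(p, 16) for p in parts)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix, mac):
    """Combine the advertised /64 with the EUI-64 identifier.

    Raises if the prefix is not a /64, which is the same constraint
    that forces one /64 per SLAAC-enabled LAN."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_slaac_address(address):
    """Recover the MAC from an EUI-64 style address, or None if the
    interface identifier does not carry the ff:fe marker (for example a
    randomized privacy address)."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(raw[:3] + raw[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    prefix = "2001:db8:1234:1::/64"
    mac = "00:11:22:33:44:55"
    addr = slaac_address(prefix, mac)
    print(f"{mac} on {prefix} -> {addr}")
    print(f"MAC recovered from address: {mac_from_slaac_address(addr)}")
```

When you inspect client addresses after enabling RAs, seeing `ff:fe` in the middle of the interface identifier tells you the host is using EUI-64; seeing a changing, random-looking identifier means privacy extensions are on, and inbound firewall rules or allow-lists should not be pinned to such addresses.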

The RA configuration is under Services — Router Advertisements. I might be overdoing it by advertising “all” routes (::) and OPNSense as the default DNS server, but this configuration works for me and I’m not touching it. Repeat the same RA assignment for each of your LANs:

With this step applied, your devices should receive IPv6 advertisements, create their own routable IPv6 addresses and start using IPv6. We are in business!

ping6 2620:fe::fe

PING 2620:fe::fe(2620:fe::fe) 56 data bytes
64 bytes from 2620:fe::fe: icmp_seq=1 ttl=60 time=7.05 ms
64 bytes from 2620:fe::fe: icmp_seq=2 ttl=60 time=7.01 ms
64 bytes from 2620:fe::fe: icmp_seq=3 ttl=60 time=7.19 ms
64 bytes from 2620:fe::fe: icmp_seq=4 ttl=60 time=7.27 ms

Step 8: Define DDNS for Tunnel Broker. This step is required for all households that get dynamically assigned IP addresses from their ISP. The moment your ISP changes your public IPv4 address, the TunnelBroker tunnel will stop working. So, we need to create the auto-fix.

First, let’s head back to the TunnelBroker portal and grab three pieces of information:

  • Tunnel name (you will find it on the home dashboard; it looks something like this: tunnel123456.tunnel.tserv14.sea1.ipv6.he.net)
  • Username (the one you created when you made the TunnelBroker account)
  • Update key (found on the Advanced page of your tunnel settings) — will be used as password

Now you can create the Dynamic DNS Service on OPNSense and allow automatic updating:

This is it! To recap, here are key steps to enable IPv6 using TunnelBroker on OPNSense:

  • Create your own /48 tunnel on tunnelbroker.net
  • Create and configure a GIF interface on OPNSense
  • Define IPv6 firewall rules
  • Assign IPv6 addresses to LAN interfaces
  • Enable RA and SLAAC
  • Configure Dynamic DNS to keep the tunnel working after a public IPv4 change (if you are assigned a dynamic public IP by your ISP)
