Home > Firewalls > Configuring Vyatta with an IPv6 Tunnel Broker

Configuring Vyatta with an IPv6 Tunnel Broker

October 9th, 2010 Leave a comment Go to comments

One way to get connected to the IPv6 network is by using a tunnel broker. The broker provides an IPv4 endpoint to send IPv6 encapsulated packets. This works best if you have a static IPv4 address. The tunnel broker needs to be configured to send packets for your IPv6 address range to your IPv4 address. I choose to use Hurricane Electric as my tunnel broker.

In my network I have one public IPv4 address assigned to my pfSense firewall. Vyatta is installed specifically for the IPv6 tunnel with a private IP. If your Vyatta system doesn’t have a public IPv4 address you will need your firewall to pass protocol 41 to Vyatta.

With pfSense you can do this on the System -> Advanced page under IPv6. You also need to create a firewall rule on pfSense allowing any protocol from the tunnel broker’s IPv4 endpoint to the Vyatta private IP.

Switching over to the Vyatta system we can bring up the tunnel. The tunnel provider will provide you with the their IPv4 endpoint address, a IPv6 address for their end of the tunnel, an IPv6 address for your end of the tunnel, and a routable IPv6 range for your systems behind Vyatta.

Let’s start by configure the IPv4 address for the Vyatta interface

set interfaces ethernet eth0 address x.x.x.x/24
set interfaces ethernet eth0 description "Internal"
commit

Now configure the IPv4 address you assigned above as the tunnel’s local-ip, the tunnel broker’s IPv4 endpoint address for the remote-ip, and the IPv6 address for your side of the tunnel.

set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 local-ip x.x.x.x
set interfaces tunnel tun0 remote-ip x.x.x.x
set interfaces tunnel tun0 address xx:xx:xx:xx::xx/64
set interfaces tunnel tun0 description "IPv6 Tunnel"
commit

Next configure the IPv6 address for the Vyatta interface by picking one in the routeable IPv6 range provided by the broker. If you have a public IPv4 address on your Vyatta system you will want this to be a separate interface.

set interfaces ethernet eth0 address xx:xx:xx:xx::xx/64
commit

We also need to setup a default route for IPv6 addresses outside the assigned range to go through the tunnel.

set protocols static interface-route6 ::/0 next-hop-interface tun0
commit

At this point the tunnel should be up and running. Try using ping6 to ping the IPv6 address at the remote end of the tunnel. If you would like you can configure Vyatta to use a DNS server and you can test with ping6 ipv6.google.com.

set system name-server xx.xx.xx.xx
commit

The last step is to advertise the IPv6 address range to clients connected to the Vyatta interface. The prefix is the routable IPv6 range provided by the broker. Clients will auto assign the last half of the address. Use the same interface that you configured the IPv6 address on.

set interfaces ethernet eth0 ipv6 router-advert prefix xx:xx:xx:xx::/64
set interfaces ethernet eth0 ipv6 router-advert send-advert true
commit

I highly recommend that you configure the IPv6 firewall. With no rules in place all packets are allowed through to any client. When rules are put in place the default last rule is to deny all. Vyatta uses iptables so you will probably want rules to allow established and related traffic.

set firewall ipv6-name tun-local description "IPv6 Traffic To Router"
set firewall ipv6-name tun-local rule 10 description "Accept Established-Related"
set firewall ipv6-name tun-local rule 10 action accept
set firewall ipv6-name tun-local rule 10 state established enable
set firewall ipv6-name tun-local rule 10 state related enable
set interfaces tunnel tun0 firewall local ipv6-name tun-local
 
set firewall ipv6-name tun-in description "IPv6 Traffic To Internal"
set firewall ipv6-name tun-in rule 10 description "Accept Established-Related"
set firewall ipv6-name tun-in rule 10 action accept
set firewall ipv6-name tun-in rule 10 state established enable
set firewall ipv6-name tun-in rule 10 state related enable
set interfaces tunnel tun0 firewall in ipv6-name tun-in
commit

I also created rules to allow pinging of the Vyatta system and any IPv6 client behind it.

set firewall ipv6-name tun-local rule 15 description "Accept ICMP Echo"
set firewall ipv6-name tun-local rule 15 action accept
set firewall ipv6-name tun-local rule 15 protocol ipv6-icmp
set firewall ipv6-name tun-local rule 15 icmpv6 type echo-request
 
set firewall ipv6-name tun-in rule 15 description "Accept ICMP Echo"
set firewall ipv6-name tun-in rule 15 action accept
set firewall ipv6-name tun-in rule 15 protocol ipv6-icmp
set firewall ipv6-name tun-in rule 15 icmpv6 type echo-request
commit
Categories: Firewalls Tags: , ,
  1. Anon
    November 9th, 2010 at 21:58 | #1

    What a well written post! Thank you so much for putting all the necessary information in one place. Once I found this post everything fell into place for me. A double-bonus for including firewall configs.

    Suggestion: You have a few example configuration lines with “set interface ethernet …” that need to be updated to “set interfaces ethernet …” (at least my VC6.1 install required interfaces to be plural)

  2. Arne
    June 14th, 2011 at 16:30 | #2

    Thank you very much for this excellent writeup!

  3. Whiplash
    August 5th, 2011 at 04:14 | #3

    Thanks very much! My tunnel is up!
    As soon as my new site is finished, I will link to this page! :)

  4. April 22nd, 2012 at 19:02 | #4

    Hello, and thank you for the excellent post. I was wondering if you might have the opportunity to post an example of the firewall rules and port forwarding on the pfsense side. Insights into that would help me to greatly understand. Thank you.

  1. No trackbacks yet.