Configure Hurricane Electric IPv6 over IPv4 Tunnel with Monowall

We have been holding on to IPv4 for a long time. We are well past the initial “run out of addresses” date thanks to VLSM, NAT and some other addressing tricks. The fact is, however, that IPv4 is nearing its end and will eventually become obsolete. Fortunately, there are ways to ease into IPv6. One that I found, since my ISP does not yet offer IPv6 service, was to create a tunnel to someone who does. Tunnelbroker.net, powered by Hurricane Electric, was one of the options. Another tunnel broker you might consider is Core Transit, which will tunnel IPv4, IPv6 and BGP sessions as well.

IPv6 support is still a bit scarce on home routers and firewalls as well. Luckily there is the Monowall project. I am not going to get into the basics of Monowall. You are welcome to read more about that here.
To begin, set up an account with Hurricane Electric. Create a new tunnel and review the vitals of the configuration they present you with. They will look something like this (without pieces of the addresses removed, of course):

As you are creating this tunnel, you will need to ensure the tunnel broker can communicate with your firewall. It tracks your host’s availability with ICMP. To allow this, create a firewall rule under “Firewall->IPv4 Rules”. Tunnel Broker will report the IP address that ICMP traffic should be allowed from, so the rule’s source can be limited to that one address. For me it ended up being 66.220.2.74, while the tunnel endpoint address was actually different.
After successfully setting up the tunnel on the provider side, you can begin configuring the tunnel on your Monowall. First, ensure IPv6 functionality is enabled under “System -> Advanced”.

After saving, jump to the WAN interface settings at “Interfaces->WAN”. Look for the newly displayed IPv6 section. Under “IPv6 Mode” select “Tunnel”. For “IPv6 Address” enter the value Tunnel Broker listed as your Client IPv6 Address. Also, add the IPv4 address of the tunnel endpoint on Tunnel Broker’s side.

The WAN side is done, so let’s get our LAN side up and running as well. Go to “Interfaces->LAN”. Enter the routed /64 address supplied by the tunnel broker in the IPv6 field. Also, check and enable the IPv6 Router advertisements option so clients get IPv6 gateway information automatically.

Finally, you will want to add a firewall rule to allow IPv6 traffic outbound. Go to “Firewall->IPv6 Rules” and choose the “LAN” interface tab. You can allow anything IPv6 outbound or you can limit it to only select protocols and ports. If for some reason your tunnel does not come up, double-check your settings and verify there is ICMP connectivity! Be sure to review the system and firewall logs of the Monowall to chase down errors.
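
Mix-ups between the tunnel network, the routed /64 and the two IPv4 addresses can be caught before the values are typed into the GUI. The following Python check is an added example, not part of the original post or of Monowall; the function name is hypothetical, the 2001:db8:: and 192.0.2.10 values are constructed documentation addresses, and 66.220.2.74 is the ICMP source quoted above.

```python
import ipaddress

def check_tunnel_plan(client_v6, routed_prefix, lan_v6,
                      server_v4, icmp_source_v4, icmp_rule_source):
    """Return a list of problems in the values about to be entered."""
    problems = []
    client = ipaddress.ip_interface(client_v6)     # WAN: Client IPv6 Address
    routed = ipaddress.ip_network(routed_prefix)   # routed /64 from the broker
    lan = ipaddress.ip_interface(lan_v6)           # LAN: IPv6 address
    rule = ipaddress.ip_network(icmp_rule_source)  # source of the IPv4 ICMP rule
    probe = ipaddress.ip_address(icmp_source_v4)   # address the broker reports
    server = ipaddress.ip_address(server_v4)       # tunnel endpoint (IPv4)

    if routed.prefixlen != 64:
        problems.append("routed prefix is not a /64")
    if client.ip in routed:
        problems.append("WAN address is inside the routed /64")
    if lan.ip not in routed:
        problems.append("LAN address is outside the routed /64")
    elif lan.ip == routed.network_address:
        problems.append("LAN address is the all-zero host address of the prefix")
    if lan.network.prefixlen != 64:
        problems.append("LAN prefix length is not 64")
    if probe not in rule:
        problems.append("ICMP rule does not admit the broker's ICMP source")
        if server in rule:
            problems.append("ICMP rule names the tunnel endpoint instead")
    elif rule.num_addresses > 1:
        problems.append("ICMP rule source is wider than the single ICMP source")
    return problems

# Constructed sample plans (documentation prefixes, not real tunnel details).
GOOD = dict(client_v6="2001:db8:a:1234::2/64",
            routed_prefix="2001:db8:b:1234::/64",
            lan_v6="2001:db8:b:1234::1/64",
            server_v4="192.0.2.10",
            icmp_source_v4="66.220.2.74",
            icmp_rule_source="66.220.2.74/32")
# LAN numbered out of the tunnel network, ICMP rule pointed at the endpoint.
BAD = dict(GOOD, lan_v6="2001:db8:a:1234::3/64",
           icmp_rule_source="192.0.2.10/32")

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        print(name, check_tunnel_plan(**plan) or "ok")
```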
