Topic: Help with tunnelbroker.net setup?
« on: April 30, 2010, 23:28:47 »
m0bilitee *
Posts: 5

I can't seem to get the tunnelbroker.net setup to work. I followed some details I found here:

http://andrewhitchcock.org/?post=309

but no go.  Can anyone who has an he.net tunnel set up help me?  I'm using m0n0wall v1.32

Here's how I configured:

on the WAN interface, I turned on the IPv6 Mode as Tunnel.
the IPv6 address is set to what tunnelbroker says is my Client IPv6 Address (it ends in ::2)
I'm not sending router advertisements (ticked off by default)
The IPv6 gateway is grayed out, so I can't change that.
My IPv6 Tunnel is the IPv4 address tunnelbroker calls "Server IP Address." I'm using the Chicago point of connection so it's 209.51.181.2.

On my LAN interface, I set my IPv6 Address to my Router /64 address.
Router Advertisements are on.

I have an IPv6 LAN rule that sets any/all via ipv6 to allowed (just for testing).

I cannot ping the tunnelbroker IP address (the ::1) from the monowall--I'm not sure if that's normal or not?

I can ping the LAN interface from the internal hosts. I have both an OSX Snow Leopard and Windows 7 client and both ping fine. If I try to connect with a browser in either to something like ipv6.google.com, I see a pass allowed on the firewall rule on the monowall.  That tells me the clients are getting advertisements and know the monowall should be the IPv6 gateway, I think.

If I look at the monowall status.php page, I see the tunnel configured as follows:

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
   tunnel inet <my isp ipv4 address> --> 209.51.181.2
   inet6 fe80::250:8dff:fe5e:5fb0%gif0 prefixlen 64 scopeid 0x5
   inet6 < my tunnelbroker.net ipv6 address, ending in ::2> prefixlen 64

and I see the ipv6 default gateway up too:

Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0 =>
default                           gif0                          ULS        gif0

So, what am I missing? I'm a newbie to ipv6, so any pointers are most appreciated!
« Reply #1 on: May 02, 2010, 01:01:16 »
untraceablesmurf *
Posts: 1

I have the setting the same as you I believe, but I've attached some screen-shots showing what I entered.
Have you allowed ICMP from the tunnel server (both IPv6 and IPv4)? They will drop the tunnel if they can't ping you.
I can ping the tunnelbroker IP address (the ::1) from the monowall.
Have you used the looking glass? Try to ping your side of the tunnel (the ::2).

Hope that helps.


* ipv6mono.png
* ipv6mono2.png
* ipv6mono3.png
« Reply #2 on: May 03, 2010, 17:59:23 »
evongugg *
Posts: 31

You need to update Tunnelbroker with your IPv4 address, either using a script or going to their website. The forums have a script you can run, when your IP address changes.

« Reply #3 on: May 03, 2010, 18:15:38 »
evongugg *
Posts: 31

Use this script to update your IP address with Tunnelbroker:

Please use the format https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=1&pass=2&user_id=3&tunnel_id=4
Where:

1 = The new IPv4 Endpoint or "AUTO"
2 = The MD5 Hash of your password
3 = The User_id from the main page of the tunnelbroker
4 = The Global Tunnel ID from the tunnel_details page

http://www.tunnelbroker.net/forums/index.php?topic=150.msg674#msg674
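
Added example, not part of the post above and not the script linked from the Tunnelbroker forums: a Python sketch that builds the update URL in the quoted format and produces a log-safe copy of it. The server accepts the MD5 hash in place of the password, so the hash is as sensitive as the password and should stay out of logs and shell history. The function names, the sample credentials and the hash encoding (lowercase hex MD5 of the UTF-8 password) are assumptions.

```python
import hashlib
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Endpoint as quoted in the post above.
UPDATE_ENDPOINT = "https://ipv4.tunnelbroker.net/ipv4_end.php"


def build_update_url(endpoint, password, user_id, tunnel_id):
    """Build the update URL: ipv4b=1, pass=2, user_id=3, tunnel_id=4."""
    if endpoint != "AUTO":
        # Raises ValueError for anything that is not a valid IPv4 address.
        endpoint = str(ipaddress.IPv4Address(endpoint))
    # Assumption: "MD5 Hash of your password" means lowercase hex of the
    # UTF-8 encoded password.
    pass_hash = hashlib.md5(password.encode("utf-8")).hexdigest()
    query = urlencode([
        ("ipv4b", endpoint),
        ("pass", pass_hash),
        ("user_id", user_id),
        ("tunnel_id", tunnel_id),
    ])
    return f"{UPDATE_ENDPOINT}?{query}"


def redact(url):
    """Return a copy of the URL with the pass value masked, for logging."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "pass" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample values, not real credentials or tunnel details.
    url = build_update_url("AUTO", "password", "exampleuser", "12345")
    # Log only the redacted form; pass the full URL to the HTTPS client.
    print(redact(url))
```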

« Reply #4 on: May 04, 2010, 00:29:23 »
m0bilitee *
Posts: 5

Quote from: evongugg
You need to update Tunnelbroker with your IPv4 address, either using a script or going to their website. The forums have a script you can run, when your IP address changes.

My IPv4 hasn't changed.  I've never gotten a tunnel to come up at all yet. :-)
« Reply #5 on: May 04, 2010, 00:32:19 »
m0bilitee *
Posts: 5

Quote from: untraceablesmurf
I have the setting the same as you I believe, but I've attached some screen-shots showing what I entered.
Have you allowed ICMP from the tunnel server (both IPv6 and IPv4)? They will drop the tunnel if they can't ping you.
I can ping the tunnelbroker IP address (the ::1) from the monowall.
Have you used the looking glass? Try to ping your side of the tunnel (the ::2).

Hope that helps.

Hmm, I've set the ipv4 IP of the tunnelbroker side on my WAN side to have all IP, so that covers ICMP.  Right now I have IPv6 on the WAN side to have access in as well (certainly not something I'd keep, but for fiddling with this stuff having all inbound IPv6 should cover the tunnel end).

I'm wondering if some of my older IPv4 NAT rules are causing issues, I'm going to disable those and see.

Thanks untraceablesmurf for responding!
« Reply #6 on: May 04, 2010, 01:08:47 »
m0bilitee *
Posts: 5

Well well well, I finally got it set up.

I did a billion things, but one of them was to make sure I had the IP address that HE uses to test to see if ICMP is reachable re-added in. I had put that IP in for my tunnel to come up, but then I took it out figuring that it was only for the test. I have an ICMP rule in for the tunnel in Chicago as above as well.  I deleted the tunnel entirely on the HE side and recreated it, maybe that was key too.

I also took out all inbound NAT stuff. I'll probably add them back in and see where I break things, if NAT is used.

Very cool, on the 6 network now.
« Reply #7 on: May 06, 2010, 07:17:55 »
tikal *
Posts: 6

About 2 months ago, I used the same instructions, http://andrewhitchcock.org/?post=309 adapted for the 1.31 release and had no issues at all.  You definitely need to keep the ICMPv6 turned on!!

For open port testing from remote locations using IPv6 I used: http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-port-scanner.php

and for IPv4: http://www.subnetonline.com/pages/network-tools/online-port-scanner.php

They have a bunch of IPv6 tools that I found extremely helpful when setting up my IPv6 network.  Their ping6 tool is worth its weight in gold!!!
« Reply #8 on: May 18, 2010, 19:17:07 »
brushedmoss ****
Posts: 446

m0n0wall has a built in rule to allow icmp to wan ip if using a Tunnel

From your comments, does this not work for you?
Code:

# allow ping to make tunnel broker happy
pass in quick proto ipv6-icmp from any to $curwanip icmp-type 128
pass out quick proto ipv6-icmp from $curwanip to any icmp-type 129



 