Centos – Configuring a Hurricane Electric IPv6 tunnel without being the default gateway

centosipv6networking

I've been trying to figure out if its possible to setup a Hurricane Electric IPv6 tunnel to be configured on a CentOS VPS server, but not make it the default gateway for all IPv6 traffic, but also to be able to utilise the /64 subnet delegated via the tunnel.

Using the CentOS 7 example with a few modifications in this guide (Its a Linode VPS):

https://www.linode.com/docs/networking/set-up-an-ipv6-tunnel-on-your-linode

The reason for the tunnel to not be the default gateway is I have native IPv6 via SLAAC and a delegated /64 already, but was hoping to add the IPv6 tunnel as a bit of a failover scenario/additional IPv6 network route to services running on this server.

All configurations I have seen in regards to setting up a "he-ipv6" interface, basically take over the default gateway, which makes my native IPv6 address space no longer pingable to the WAN side, but connectivity like ping and traceroute still works within the server on both interfaces, tested by specifying the specific interface on tests.

traceroute -6 -i eth0 ipv6.google.com

traceroute to ipv6.google.com (2a00:1450:400b:801::200e), 30 hops max, 80 byte packets
 1  2a01:7e00::xxxx:xxxx:xxxx:xxxx (2a01:7e00::8678:acff:fe5a:1a41)  0.919 ms  1.358 ms  1.425 ms
 2  2a01:7e00:7777:6::1 (2a01:7e00:7777:6::1)  0.832 ms 2a01:7e00:7777:1::1 (2a01:7e00:7777:1::1)  0.893 ms 2a01:7e00:7777:3::1 (2a01:7e00:7777:3::1)  2.858 ms
 3  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  1.489 ms  1.489 ms  1.470 ms
 4  2001:4860:0:1102::2 (2001:4860:0:1102::2)  1.768 ms 2001:4860:0:1103::3 (2001:4860:0:1103::3)  2.129 ms  2.306 ms
 5  2607:f8b0:e000:8000::6 (2607:f8b0:e000:8000::6)  11.461 ms 2001:4860::c:4000:dd7a (2001:4860::c:4000:dd7a)  30.924 ms  30.940 ms
 6  2001:4860::1:0:b04f (2001:4860::1:0:b04f)  12.182 ms  14.449 ms  13.446 ms
 7  2001:4860:0:1::1223 (2001:4860:0:1::1223)  10.631 ms  10.818 ms  11.042 ms
 8  dub08s01-in-x0e.1e100.net (2a00:1450:400b:801::200e)  11.695 ms  12.338 ms  11.674 ms

traceroute -6 -i he-ipv6 ipv6.google.com

traceroute to ipv6.google.com (2a00:1450:400b:c00::8b), 30 hops max, 80 byte pac                 kets
 1  jamesnetworks-3.tunnel.tserv1.lon2.ipv6.he.net (2001:470:1f1c:xxx::1)  5.321                  ms  8.443 ms  11.440 ms
 2  ge3-20.core1.lon2.he.net (2001:470:0:320::1)  11.657 ms  11.635 ms  11.610 m                 s
 3  2001:7f8:4::3b41:1 (2001:7f8:4::3b41:1)  12.799 ms  12.776 ms  12.745 ms
 4  2001:4860:0:1::2484 (2001:4860:0:1::2484)  12.380 ms 2001:4860:0:1103::3 (20                 01:4860:0:1103::3)  13.500 ms 2001:4860:0:1103::2 (2001:4860:0:1103::2)  12.769                  ms
 5  2001:4860::c:4000:dd7a (2001:4860::c:4000:dd7a)  12.871 ms 2607:f8b0:e000:80                 00::6 (2607:f8b0:e000:8000::6)  22.566 ms 2001:4860::c:4000:dd7a (2001:4860::c:4                 000:dd7a)  13.663 ms
 6  2001:4860::1:0:af90 (2001:4860::1:0:af90)  20.897 ms  11.010 ms  12.375 ms
 7  2001:4860::2:0:b051 (2001:4860::2:0:b051)  12.114 ms  22.411 ms  11.200 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  dg-in-x8b.1e100.net (2a00:1450:400b:c00::8b)  11.499 ms  11.035 ms  11.800 ms

I've set up the tunnel and confirm it works, but my two /64 IPv6 address spaces don't work when both enabled. I'm looking for further guidance on what routing config I need to have to get this to work, possibly slightly outside the scope covered in the docs above.

The default gateway on the eth0 device it setup as:

default via fe80::1 dev eth0 proto ra metric 1024 expires 1796sec

When enabling the he-ipv6 interface, this is added in addition to the above:

default via 2001:470:1fxx:xx::1 dev he-ipv6 metric 1

The metric being higher, all traffic then tries to go through the he-ipv6 interface, which is not what I want. Equally, having two "default" routes seems like a bad idea.

What I'm trying to do is keep the native IPv6 connectivity working, while having the he-ipv6 active and available for traffic to be routed to the configured IPv6 addresses in my routed /64 via the tunnel, in addition to the existing /64 from Linode.

I believe I'll need to potentially do some static routing here, but unsure of how to tackle it.

So far, with being able to control the metric properly as per the guidance below, this is what the IPv6 routing table looks like:

unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
# Additional route added by he-ipv6
2001:470:1f1c:xxx::/64 dev he-ipv6 proto kernel metric 256
# Adding any IPv6 in the HE routed /64 to eth0 adds the route below
2001:470:1f1d:xxx::/64 dev eth0 proto kernel metric 256
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
# Linode SLAAC IPv6
2a01:7e00::/64 dev eth0 proto kernel metric 256 expires 14395sec
2a01:7e00:xxxx:xxx::/64 dev eth0 proto kernel metric 256
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
# Having fe80::/64 for both interfaces seems wrong?
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev he-ipv6 proto kernel metric 256
# eth0 (Linode IPv4/IPv6)
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec hoplimit 64
# he-ipv6
default via 2001:470:1f1c:xxx::1 dev he-ipv6 metric 1025

The two references for fe80::/64 don't seem right here, I don't think the he-ipv6 would need this set in this case and I possibly need additional static routes to allow the routed /64 addresses to be externally accessible.

Any advice or solutions would be appreciated on getting this working!

Best Answer

It's fine to have two default routes but, as Ron points out in the comments, you'll almost certainly want them to have different metrics such that normally one (presumably the ethernet interface) will normally be preferred.

You'll want to edit the ifup script you added for the he-ipv6 interface and add METRIC=100 to the bottom. When the tunnel interface is brought up this should result in two default routes, the existing one with a metric of 1 and the new one with a metric of 100. If the default route via the ethernet port goes away then v6 traffic will start to flow via the tunnel.

Keep in mind that you may also want to add some additional v6 static routes via the tunnel interface based on what you'd like to reach via HE.

EDIT: Redhat/CentOS doesn't consistently implement/honor the METRIC value across the various interface scripts. You could certainly modify these scripts to include this value but this might not be desirable from an operability point of view, as you'd need to track any changes made upstream to these stock scripts.

So... you can do this from the CLI pretty easily:

sudo ip -6 delete default via 2001:470:1fxx:xx::1 dev he-ipv6 sudo ip -6 add default via 2001:470:1fxx:xx::1 dev he-ipv6 metric 100

You could also add this to be run automatically by creating a script called /sbin/ifup-local that would look something like this:

#!/bin/sh if [[ "$1" == "he-ipv6" ]] then sudo ip -6 delete default via 2001:470:1fxx:xx::1 dev he-ipv6 sudo ip -6 add default via 2001:470:1fxx:xx::1 dev he-ipv6 metric 100 else #DO_NOTHING fi

This should be called automatically by CentOS after each interface is brought up but will only do anything if the interface in question is literally "he-ipv6".

But first the confusing background

But before we can setup anything, we have to take a moment to realize something utterly confusing, non-obvious, non-intuitive:

You do not send IPv6 traffic out your WAN connection

i have two network cards in my router:

WAN: (xl0, 3Com), connected to modem

LAN: (rl0, RealTek), connected to internal LAN hub

But IP (Internet Protocol) traffic does not go out my WAN 3Com interface. My connection to the Internet is through DSL, which means my router uses PPPoE to connect to my ISP.

This means that pfSense creates another interface:

WAN: (PPPoE), connects through PPPoE tunnel to Internet

OPT1: (xl0, 3Com) connected to modem

LAN: (rl0, RealTek) connected to internal LAN hub

So my connection to the internet actually goes out this virtual interface. This becomes important, because only IPv4 goes out this "PPPoE" interface.

In order to have IPv6 support, we will actually be creating a 4th interface; one that is dedicated to only IPv6 traffic:

WAN: (PPPoE), connects through PPPoE tunnel to Internet

WANv6: (HE_GW), connects through HE.net tunnel

OPT1: (xl0, 3Com) connected to modem

LAN: (rl0, RealTek) connected to internal LAN hub

Your Tunnel info

First we need your tunnel information from your TunnelBroker page:

IPv6 Tunnel Endpoints

Server IPv4 Address: 209.51.181.2

Server IPv6 Address: 2001:470:3c10:1178::1 /64

Client IPv6 Address: 2001:470:3c10:1178::2 /64

Routed IPv6 Prefixes

Routed /64: 2001:470:3c11:1178:: /64

This first section are addresses related to your tunnel connection to Hurricane Electric (addresses that will be assocated with your WAN interface and gateways). The second section is your "LAN" addresses.

Configuring pfSense 2.1 with a Hurricane Electric Tunnel Broker tunnel

Create A New Tunnel Interface

Under Interfaces -> (assign), select the GIF tab, and click the + to add a new tunnel:
Next configure the new GIF options:
- Parent interface: WAN
- gif remote address: 209.51.181.2 (Server IPv4 Address from HE tunnel details page)
- gif tunnel local address: 2001:470:3c10:1178::2 (Client IPv6 Address from HE tunnel details page)
- gif remote tunnel address: 2001:470:3c10:1178::1 64 (Server IPv6 Address from HE tunnel details page)
- Description: HE.net IPv6 tunnel
and click Save.

Now your new GIF (Generic Interface) tunnel is configured:

Create a new IPv6 interface

Now that we've created a tunnel, we are going to create a separate IPv6-only interface that will send traffic out that tunnel.

Under Interfaces -> (assign), select the Interface assignments tab, and click the + to add a new interface:

Note: i happen to have an Atheros WiFi adapter, listed as OPT1. Don't let that confuse you.
In the drop-down for the newly added interface, select the previously created `GIF 209.51.181.2 (HE.net IPv6 tunnel):

and click Save.
After the interface OPT2 has been created, click it (either in the above list, or in the left menu under Interfaces -> OPT2.
Check Enable interface to reveal the configuration options:
- Description: WANv6 (this is to differentiate it from your IPv4 WAN)
- IPv6 Configuration Type: Static IPv6
- IPv6 address: 2001:470:3c10:1178::2 64 (Client IPv6 Address from HE tunnel details page)
and click Save.
Click Apply Changes to make the new interface active.

Allow ICMP messages

In order to use IPv6 (and also IPv4) you need to ensure that your router does not attempt to block any ICMP packets. If some security expert tries to tell you that responding to ICMP packets is a security risk and they should be blocked, gently pat them on the head and tell them *"of course it is". To allow incoming ICMP packets:

Click Firewall -> Rules
On the WAN tab, click +
Create the rule for IPv4 ICMP packets on the WAN interface:
- Action: Pass
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: ICMP
- Description: Allow all IPv4 ICMP packets
- Click Save
Click + to add another rule, this time to allow all IPv6 ICMP traffic on the WANv6 interface:
- Action: Pass
- Interface: WANv6
- TCP/IP Version: IPv6
- Protocol: ICMP
- Description: Allow all IPv6 ICMP packets
- Click Save
Click Apply Changes to apply your changes

Enable IPv6 on the pfSense LAN

Now you have to give the pfSense box an IPv6 address on your LAN interface. Just like it has a 192.168.1.1 IPv4 address on the LAN, now you need an IPv6 address. Except this address comes from Hurricane Electric; it is the Routed /64 address they give you.

Click Interfaces -> LAN
Change IPv6 Configuration Type to Static IPv6
Under the Static IPv6 configuration section, enter the routed /64 address provided by tunnelbroker:
Click Save
Click Apply Changes

Enable DHCPv6 Server

In order for clients to get IPv6 addresses, you have to enable the DHCPv6 server, and give it an address range it can assign addresses from.

Click Services -> DHCPv6 Server/RA
Check the Enable DHCPv6 server on LAN interface checkbox to reveal configuration options
In the Range from and to boxes, enter some range of addresses that are inside your Available Range, e.g.

Range: 2001:470:1f:b34::100:0 to 2001:470:1f:b34::100:fff

Linux – IPv6 works only after ping to routing box

Are the clients' prefixes being manually assigned? Usually they should automatically find the router via Neighbor Discovery Protocol (during which the router sends out advertisements and assign them prefixes automatically), but it sounds like that step might be missing.

Additionally, the router advertisement should be including its link-layer address as an option in the ICMP header of the router advertisement. If this field is missing, the client won't know how to send data to the router. It sounds like this could be the case. The client doesn't know how to reach the router, until it sends out the Neighbor Discovery message and it receives an Neighbor Advertisement from the router (with the router flag in the ICMP message set).

To include the source link layer address in your router advertisements, add the following into your radvd.conf

AdvSourceLLAddress on;