[Ukfreebsd] HE tunnel configuration for freebsd gateway box.

Sevan / Venture37 venture37 at gmail.com
Tue May 24 23:39:43 BST 2011

On 24 May 2011 23:23, Mark Blackman <mark at exonetric.com> wrote:
> Hi,
> As I spent a bit of time coming up with this configuration, I'll post it here for
> reference, but beware this doesn't include any firewall configuration. I'm sure
> others have already come up with this, but I would have appreciated this as a
> cut-n-paste configuration which I didn't find this concisely laid out.
> This configuration will turn your FreeBSD box into a local IPv6 router
> for your internal LAN (after you've signed up with HE's tunnel broker at
> http://www.tunnelbroker.net/), bearing in mind this will expose your internal LAN to arbitrary external IPv6 source addresses as there is no firewall/filtering in this configuration.
> This configuration includes setting up router advertisements on your network,
> so everything on the network will pick this router and prefix up anyway for IPv6.
> In particular, any OS X machines will just use it (assuming they're on the
> IPv6 automatic default setting).
> Obviously, 'bge0' will need to change if you don't use bge0 internally and
> reboot after this configuration is applied with your own interface names,
> IPv4 endpoints and IPv6 tunnel endpoints and subnets.
> -------------------
> # extras for /etc/sysctl.conf
> net.inet6.ip6.auto_linklocal=1
> -------------------
> # extras for /etc/rc.conf
> ipv6_enable="YES"
> ipv6_network_interfaces="auto"  # all interfaces
> # this the HE "routed" /64 subnet, not the tunnel subnet, but they will be nearly identical
> ipv6_prefix_bge0="2001:470:1b09:168d"
> ipv6_gateway_enable="YES"       # Set to YES if this host will be a gateway.
> rtadvd_enable="YES"             # Set to YES to enable an IPv6 router
> rtadvd_interfaces="bge0"                # Interfaces rtadvd sends RA packets.
> # IPv6 Tunnel Client
> gif_interfaces="gif0"
> # is the actual RFC1918 address of your tunnel termination, but does assume your firewall will pass protocol 41, the other address will be from HE
> gifconfig_gif0=""
> # these are your ipv6 tunnel endpoints
> ipv6_ifconfig_gif0="2001:470:1b08:168d::2 2001:470:1b08:168d::1 prefixlen 128"
> ipv6_defaultrouter="2001:470:1b08:168d::1"

Cool :)
If you're using PF as your firewall, having "pass in on $ext_if inet
proto ipv6" in your ruleset should save your hair & allow 6in4 traffic
in & out (you'll probably want to tie that down further by being more



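As an added example (not from either post), a small sh script that fills in Mark's rc.conf fragment from the values HE gives you, checks that the routed /64 differs from the tunnel /64 as his comment notes, and emits the proto 41 pf rules Sevan mentions, limited to the HE server address. Interface names and all addresses are assumed placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the rc.conf fragment from
# the HE tunnel values and the matching pf rules. All addresses are placeholders.

# Usage: he_rcconf <lan_if> <local_ipv4> <he_server_ipv4> <tunnel_/64> <routed_/64>
# The two /64s are given as their first four hextets, e.g. 2001:470:1b08:168d
he_rcconf() {
    lan_if=$1 local4=$2 he4=$3 tun=$4 routed=$5
    # HE assigns a tunnel /64 (server side) and a separate routed /64 for the LAN;
    # the routed prefix goes on the LAN interface, the tunnel prefix on gif0.
    if [ "$tun" = "$routed" ]; then
        echo "error: routed /64 must differ from the tunnel /64" >&2
        return 1
    fi
    cat <<EOF
# extras for /etc/rc.conf
ipv6_enable="YES"
ipv6_network_interfaces="auto"
ipv6_prefix_${lan_if}="${routed}"
ipv6_gateway_enable="YES"
rtadvd_enable="YES"
rtadvd_interfaces="${lan_if}"
gif_interfaces="gif0"
gifconfig_gif0="${local4} ${he4}"
ipv6_ifconfig_gif0="${tun}::2 ${tun}::1 prefixlen 128"
ipv6_defaultrouter="${tun}::1"
EOF
}

# pf rules: allow 6in4 (IP protocol 41, "ipv6" in /etc/protocols) on the
# outside interface only to and from the HE server address.
# Usage: he_pf_rules <ext_if> <he_server_ipv4>
he_pf_rules() {
    ext_if=$1 he4=$2
    cat <<EOF
pass in  quick on ${ext_if} inet proto ipv6 from ${he4} to (${ext_if})
pass out quick on ${ext_if} inet proto ipv6 from (${ext_if}) to ${he4}
EOF
}

# Constructed placeholder values, not a real tunnel
he_rcconf bge0 192.0.2.10 203.0.113.1 2001:db8:0:1 2001:db8:0:2
he_pf_rules em0 203.0.113.1
```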