Help with setting up a 6to4 tunnel via TunnelBroker

[SapuSeven]

Hi there,

I have an issue connecting through a TunnelBroker 6to4 tunnel.

Packets are going out, but nothing comes back - I can see the outgoing packets in the firewall live logs.  Also I'm not behind a CGN.

My client is getting a valid IPv6 address from the router and pinging the router itself works.

Configuration images are here: https://imgur.com/a/GSPXYI6

Values from TunnelBroker:
Server IPv4 Address: red
Server IPv6 Address: green
Client IPv6 Address: blue
Routed /48: yellow

Any ideas on what could be the issue / what to test?

[Maurice]

So gateway monitoring doesn't work either? Do you have a dynamic IPv4 address? Maybe it changed and you need to update it in your tunnelbroker.net account.

Cheers
Maurice

[SapuSeven]

No, I have a static IPv4. Also I checked that my IP matches the one configured in TunnelBroker.

[Maurice]

And does gateway monitoring work? If not, do you see any inbound 6in4 packets in a packet capture on the parent interface (WAN)?

[SapuSeven]

Gateway monitoring shows OFFLINE with 100% loss.

I started a packet capture while pinging 2606:4700:4700::1111.
For the TUNNELBROKER interface I can see ping packets going out from my local to the remote tunnel address.
For the WAN address I only see one outgoing packet to the TunnelBroker Server IPv4 Address (red).
(see attached screenshots)

[Maurice]

What you can see in the WAN interface packet capture is a gateway monitoring echo request, which has no response.
Assuming all addresses are configured correctly, you're probably facing an upstream issue. Maybe your ISP filters 6in4?

[SapuSeven]

Just wrote to my ISP, they claim they don't block anything.
I double- and triple-checked the GIF config and I'm pretty sure its correct.
What else could there be?

[Maurice]

Since you see outgoing 6in4 packets on the WAN interface but no replies, I really can't think of a lot within OPNsense.

What type of Internet connection do you have? What MTU?

[SapuSeven]

Alright, I have an ISP-provided cable modem running in bridge mode.
The OPNsense box is connected to it via a network cable and uses DHCP to get its WAN IP.
Regarding MTU: I'm unfamiliar with that topic. How can I check this?

[Maurice]

Go to Interfaces: Diagnostics: Ping, enter the tunnel server's IPv4 address, packet size 1472, do not fragment enabled. If this works your MTU is 1500. Otherwise, reduce the packet size until the ping succeeds.

[SapuSeven]

Thanks.
With the settings you described, ping works. -> MTU is 1500

[SapuSeven]

I just remembered that OPNsense is running as a VM inside Proxmox.
Maybe that can cause the issue?

[Maurice]

Shouldn't have an impact unless there's NAT involved at some point. Are you using a bridged configuration in Proxmox?

[SapuSeven]

Yes, it's all "Linux Bridge" bound to physical ports

[SapuSeven]

So.. I've given it another shot today and just found my previous attempt, since I faced the exact same issue.
I have tried to set it up on a completely new instance of OPNsense and still can't get a single reply via the tunnel interface.
I even tried replacing my modem with a USB-tethered mobile phone, still nothing.
I'm still looking for a solution, if anyone is (un)lucky enough to come across this thread...