Debugging a Hurricane Electric IPv6 Tunnel on OPNsense 25.1.12?

Started by buedi, July 27, 2025, 08:14:07 AM

Hello everyone,
I searched the forum and some other bits of the internet and it seems like this setup usually is a no-brainer. But for some odd reason, I cannot get it up and running and I am a bit lost on how to debug this.
I got myself a /64 prefix from tunnelbroker.net and am trying to configure it on my OPNsense. Although on my end all lights show up green / up, I cannot even ping the remote end of the tunnel.
What I did is what is in the documentation here: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html.
I ended up having a gif interface in the interface overview which shows as up and has the correct IPv6 addresses.
Also in the gateways, I made sure the tunnel is the default IPv6 gateway.

ifconfig shows me that the interface is there with the correct prefix length:
```
gif0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        description: IPv6Tunnel (opt7)
        options=80000<LINKSTATE>
        tunnel inet 1xx.x.x.9 --> 216.66.80.30
        inet6 fe80::aab8:e0ff:fe03:fec5%gif0 prefixlen 64 scopeid 0xf
        inet6 2001:470:xxxx:xxx::2 prefixlen 64
        groups: gif
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
netstat -rn6 shows me that the IPv6 tunnel is indeed the default gateway:
```
Routing tables

Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           2001:470:xxxx:xxx::1          UGS            gif0
```

But I cannot ping the other end of the tunnel. All "local" IPv6 addresses work. Even when configuring SLAAC, my clients get valid IPv6 addresses and up until the LAN interface on the OPNsense I can ping all hosts. It just seems like nothing wants to go through the tunnel.
But if I look at the live view and filter the destination IP I am trying to ping, it shows no blocked traffic... quite the contrary, it shows that the packet was sent through the tunnel interface.

And this is where I am lost now... I have the impression that all interfaces are configured correctly and that the route for IPv6 traffic into the tunnel is honored. Tunnelbroker.net is a free service and I want to make sure I have checked everything on my side before trying to open a ticket and ask them for help. Is there anything else I can do to debug if I have a problem on my end?


Are you behind CGNAT by any chance? Is your WAN IPv4 address identical to the client IPv4 address which is displayed in the tunnelbroker.net web interface?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
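
The check the reply asks about, as an added example that is not part of the original thread: it reads the outer IPv4 endpoint from the `tunnel inet` line of `ifconfig gif0` and compares it with the client IPv4 address shown in the tunnelbroker.net web interface. The function names and the sample addresses (203.0.113.0/24 documentation range and others) are constructed for illustration; only the remote endpoint 216.66.80.30 comes from the post.

```python
import ipaddress
import re

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TUNNEL_RE = re.compile(r"^\s*tunnel inet (\S+) --> (\S+)", re.MULTILINE)

# Constructed sample in the shape of the ifconfig output quoted in the thread.
SAMPLE = """gif0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        options=80000<LINKSTATE>
        tunnel inet {local} --> 216.66.80.30
        groups: gif
"""

def tunnel_endpoints(ifconfig_text):
    """Return (local, remote) outer IPv4 addresses of the gif tunnel."""
    m = TUNNEL_RE.search(ifconfig_text)
    if not m:
        raise ValueError("no 'tunnel inet A --> B' line found")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def diagnose(ifconfig_text, broker_client_ipv4):
    """Classify the local tunnel endpoint against the broker's client IPv4.

    cgnat    - local endpoint is in 100.64.0.0/10, so the WAN is carrier NAT
    private  - local endpoint is RFC 1918, so a NAT device sits in front
    mismatch - public address, but not the one configured at the broker
    ok       - local endpoint equals the broker's client IPv4 address
    """
    local, _remote = tunnel_endpoints(ifconfig_text)
    client = ipaddress.ip_address(broker_client_ipv4)
    if local in CGNAT:
        return "cgnat"
    if any(local in net for net in RFC1918):
        return "private"
    if local != client:
        return "mismatch"
    return "ok"

if __name__ == "__main__":
    cases = [("203.0.113.9", "203.0.113.9"), ("203.0.113.9", "203.0.113.77"),
             ("100.72.14.9", "203.0.113.9"), ("192.168.1.2", "203.0.113.9")]
    for local, client in cases:
        print(local, client, diagnose(SAMPLE.format(local=local), client))
```

On the firewall, feed it the real `ifconfig gif0` output and the client IPv4 address copied from the tunnel details page instead of the constructed sample.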