Debugging a Hurricane Electric IPv6 Tunnel on OPNsense 25.1.12?

Started by buedi, July 27, 2025, 08:14:07 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 27, 2025, 08:14:07 AM
Hello everyone,
I searched the forum and some other bits of the internet and it seems like this setup usually is a no-brainer. But for some odd reason, I cannot get it up and running and I am a bit lost on how to debug this.
I got myself a /64 prefix from tunnelbroker.net and try to configure it on my OPNsense. Although on my end all lights show up green / up, I cannot even ping the remote end of the tunnel.
What I did is what is in the documentation here: https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html.
I ended up having a gif Interface in the interface overview which shows up and the correct IPv6 addresses.
Also in the gateways, I made sure the tunnel is the default IPv6 gateway.

ifconfig shows me that the interface is there with the correct prefix length:
```
gif0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        description: IPv6Tunnel (opt7)
        options=80000<LINKSTATE>
        tunnel inet 1xx.x.x.9 --> 216.66.80.30
        inet6 fe80::aab8:e0ff:fe03:fec5%gif0 prefixlen 64 scopeid 0xf
        inet6 2001:470:xxxx:xxx::2 prefixlen 64
        groups: gif
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```
netstat -rn6 shows me that the IPv6 tunnel is indeed the default gateway:
```
Routing tables

Internet6:
Destination                       Gateway                       Flags         Netif Expire
default                           2001:470:xxxx:xxx::1          UGS            gif0
```

But I cannot ping the other end of the tunnel. All "local" IPv6 addresses work. Even when configuring SLAAC, my clients get valid IPv6 addresses and up until the LAN interface on the OPNsense I can ping all hosts. It just seems like nothing wants to go through the tunnel.
But if I look at the live view and filter the destination IP I am trying to ping, it shows no blocked traffic... quite contrary, it shows that the packet was sent through the tunnel interface.

And this is where I am lost now... I have the impression that all interfaces are configured correctly and that the route for IPv6 traffic into the tunnel is honored. Tunnelbrocker.net is a free service and I want to make sure I have checked everything on my side before trying to open a ticket and ask them for help. Is there anything else I can do to debug if I have a problem on my end?

July 31, 2025, 06:08:12 PM #1
Are you behind CGNAT by any chance? Is your WAN IPv4 address identical to the client IPv4 address which is displayed in the tunnelbroker.net web interface?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
August 02, 2025, 06:53:44 AM #2
There is no CGNAT in my case and yes, both IPs show the same. I am self-hosting all kind of stuff from home and I get a "pretty static" (usually for months) IPv4 address from my ISP.

I did make some progress today, though. I picked another Provider and was able to establish the tunnel and ping from my OPNsense to the other end of the tunnel and to the ipv6.google.com address. I am not able to get this working from my LAN yet, although I have a Firewall Policy on my LAN interface which allows IPv6 and IPv4 (both rules are identical) to *.

Advertisement seems to work, as my systems in the LAN get an IPv6 address assigned from the block that the Tunnelbroker assigned me. Also I can ping the IPv6 addresses of the OPNsense, but traffic does either not seem to get routed through the tunnel or it does not find its way back.

How would I debug that? Is tcpdump the way to go or is this not sufficient to check routing issues, but rather for packet inspection? I am not very proficient in the BSD area. Pointing me in the right direction / the right tools to debug this should be enough, as I am willing to learn and get better in managing OPNsense and using BSD. So any tips are very welcome how you would start debugging the current situation that OPNsense can now utilize the Tunnel, but Systems in LAN not, despite getting their IPv6 address and default route to the OPNsense assigned.

Thank you very much in advance :-)
August 02, 2025, 12:24:08 PM #3
Packet captures are indeed a powerful tool to locate the issue. Try captures on all involved interfaces (gif, wan, lan) to see what shows up where. The OPNsense GUI has a neat packet capture feature btw. (Interfaces / Diagnostics).

Also, try pinging a target on the Internet from OPNsense itself, but with the source address set to the LAN interface address (which should be from your routed /64).
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
August 03, 2025, 02:24:34 PM #4
Thanks for your reply. I did some packet captures, and I see my packets coming in from my client and seeing that they are meant for example to reach the ipv6.google.com IPv6 address. I am not as far to see in the Capture itself if that packet was routed properly. Maybe I should try to analyze the pcap files with Wireshark so see more information?

I begin to doubt that the tunnel is doing anything at all, even when I can reach ipv6.google.com from my OPNsense. When pinging ipv6.google.com directly from the OPNsense, I get a roundtrip time of about 0.1 to 0.2 ms. When www.google.com with IPv6, I get a more realistic roundtrip time of around 15-20 ms. I refuse to believe that IPv6 manages to improve roundtrip time that much ;-)

Also, to set up the GIF interface, I get the following information from Hurricane Electric:
- Server IPv4 address (where I need to talk on the IPv4 Network to reach out to the HE Tunnelbroker)
- Server IPv6 address (a /64 which ends with ::1)
- Client IPv6 address (a /64 which ends with ::2 and is in the same network as the Server IPv6 address)

Now my common sense and the tutorial at https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html tells me, that when configuring the GRE Interface, I need to
- Put the Server IPv6 address into the GIF tunnel remote address and
- the Client IPv6 address into the GIF tunnel local address

If I configure it that way, I can not ping a Remote IPv6 address.
When I enter them the other way round, I can (seeminly) ping Remote IPv6 addresses. Now when I reverse the configuration again (as it should be according to the Tutorial), I still seems to work.

All that makes no sense to me. The low ping times and that I have to configure the GIF interface "wrong" to get IPv6 up and running and then can revert it and it still seems to work (on the OPNsense only, though), throws me off the track. I cannot comprehend this.

When I do a Live trace via Firewall --> Logfiles --> Live View and filter for example the ipv6.google.com destination address, it shows me that the firewall rules are allow the traffic to the IPv6 Tunnel interface I created. Because of the low latency, I suppose my packets never leave the OPNsense and no matter what IPv6 address is resolved by DNS, it stays on the OPNsense. Otherwise, pings which are the same as for 127.0.0.1 should not be possible.

Maybe I should sleep another night over this...
Print
Go Up Pages1
User actions