IPv6 Tunnel Broker

I've been trying to replicate my v9 config into a new XG virtual machine. Normal network interfaces are no problem, but I can't for the life of me see how to set up an IPv6 tunnel broker (in this case, he.net). 

I know of the IP Tunnels config item, but there's no way to do authenticated tunnels that I can see; the endpoint has to be an IP address (which yes, I can manually resolve, but if it changes it'll break).

Pretty sure I'm missing something here. Suggestions welcome!



  • I actually just finished setting up my IP Tunnel to HE.NET for use with an IPv6 tunnel broker... works pretty well.

    I'm not sure I follow you when you say the IP might change. The remote IP that is part of the HE.net tunnel won't change... you are assigned to a specific tunnel server when you create the he.net tunnel. So I'm gathering your concern is over your IP changing? If so I take it that is why you are using an authenticated tunnel, so that your equipment can update HE's tunnel config with your new IP?

    I would venture to say that would be a feature request, to support entering tunnel credentials for that purpose.

    Otherwise, simply setting up a 6in4 IP Tunnel works with HE.net. The endpoint IP is derived from the "server ipv4 address" portion of your tunnel config in HE.net's portal.
  • AFAIK, in the UTM 9.x world, creating an IPv6-in-IPv4 tunnel (*with a routed subnet) required entering the user credentials for the tunnel broker.

    Specifically you'd select an authentication type (User), select your broker, and enter both the credentials for the connection (user/password) as well as the server address and the tunnel ID.

    With my v9 config for he.net, the far-end endpoint is "tunnelbroker.net" - and I have specified the 6 digit tunnel ID.

    What I think you're saying, though, is that none of that actually matters for XG, and all I need to have is the near- and far-end IPs configured to match the configuration at he.net!?

  • Pretty much yup. You don't use the tunnel ID or auth. It's just a simple tunnel.

    So my tunnel looks like such, which is just a 6in4 defined with my external IP used in HE.net's config and the remote server HE.net gives me.

    Then I use my /64 and /48 (carved into /64's) as v6 subnets assigned to my various interfaces. Set a route for ::/0 to go to the tunnel (which is the second step of adding a tunnel) and you should be good to go after setting up IPv6 firewall policies.

    And so you can see my HE.net information:

    When you add the tunnel, just be sure you set the zone to WAN and add the route for IPv6.
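    An added illustration, not code posted in this thread and not part of Sophos XG or HE.net: a small Python planner that checks the pieces the post above lists for a plain 6in4 tunnel (IPv4 literals at both ends, no authentication, WAN zone, ::/0 routed to the tunnel, a routed /48 carved into /64s for the internal interfaces). The sample addresses are constructed from documentation ranges, the ::1/::2 link-address convention is an assumption to be replaced with the portal's values, and the protocol-41 allowance reflects 6in4 being IP protocol 41.

```python
import ipaddress
from itertools import islice

# RFC 1918 and CGNAT ranges: a near end in one of these is behind NAT, and
# plain 6in4 (no authentication, no NAT traversal) will not come up.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def plan_6in4(server_ipv4, client_ipv4, tunnel_prefix, routed_prefix, lan_count):
    """Validate a 6in4 tunnel definition and derive what the firewall needs.

    Both ends must be IPv4 literals (a hostname such as "tunnelbroker.net"
    is rejected, as the tunnel config only accepts addresses), the near end
    must not be a NAT address, and the routed prefix is carved into /64s.
    """
    server = ipaddress.IPv4Address(server_ipv4)  # raises ValueError on a hostname
    client = ipaddress.IPv4Address(client_ipv4)
    if any(client in net for net in NON_PUBLIC):
        raise ValueError(f"near end {client} is a NAT address, not a public one")
    tunnel = ipaddress.IPv6Network(tunnel_prefix)
    routed = ipaddress.IPv6Network(routed_prefix)
    if tunnel.prefixlen != 64:
        raise ValueError("the tunnel link prefix must be a /64")
    if routed.prefixlen > 64:
        raise ValueError("the routed prefix must be a /64 or larger to carve")
    # islice avoids materialising all 65536 /64s of a /48.
    lans = [str(n) for n in islice(routed.subnets(new_prefix=64), lan_count)]
    if len(lans) < lan_count:
        raise ValueError("the routed prefix has too few /64s for the LAN count")
    return {
        "tunnel": {"mode": "6in4", "zone": "WAN",
                   "local": str(client), "remote": str(server)},
        # Assumed convention for the link addresses: broker end ::1, firewall
        # end ::2 inside the tunnel /64. Copy the real ones from the portal.
        "tunnel_addrs": {"remote": f"{tunnel[1]}/64", "local": f"{tunnel[2]}/64"},
        "lan_subnets": lans,
        "ipv6_routes": [{"destination": "::/0", "interface": "tunnel"}],
        # 6in4 is IP protocol 41; the WAN zone has to accept it from the
        # broker's server, otherwise the tunnel never passes traffic.
        "wan_allow": {"protocol": 41, "src": str(server), "dst": str(client)},
    }


if __name__ == "__main__":
    # Constructed sample values in documentation ranges, not a real tunnel.
    plan = plan_6in4("198.51.100.7", "192.0.2.10",
                     "2001:db8:1:2::/64", "2001:db8:1000::/48", lan_count=3)
    for key, value in plan.items():
        print(f"{key}: {value}")
```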

  • Bringing up an old topic - I'm running the same config with HE and all. It works perfectly for IPv6 access. However, I am not able to traceroute from the XG or any endpoint behind the XG properly via IPv6. The route from the client hits the XG and then just stops. But when I traceroute my IPv6 IP back to me, it works without issue all the way through.

    Any thoughts?