Ever since I started to learn more information about the IPv4 Internet as we know it and its eventual successor I was intrigued how I could connect to this new version of the Internet. Unfortunately my ISP was not providing native IPv6 connectivity so I had to find another way. What I found and how I achieved the end result was quite an adventure in networking!

What is IPv6

IPv6 is the newest version of the internet protocol which will eventually replace IPv4. Why do we need it? Simply IPv4 was quite badly designed and badly utilised we have run out of addresses. Thankfully, private addressing and NAT saved IPv4 so we will certainly continue to use it for some time to come but starting to use IPv6 now will benefit your understanding of a technology that we will all as network professionals have to adopt at some point in the future.

As we know IPv4 addresses are 32 bit and written in a dotted decimal notation:

This gives roughly 4.3 billion unique addresses. Sounds a lot but its actually not that many when you consider the number of internet connected devices which continue to increase year on year. As mentioned RFC 1918 private addressing as the above example IP address and NAT/PAT have slowed the usage but an awful lot of address space was wasted on original allocation of the protocol.

IPv6 however are 128 bit and written in hexadecimal:


As you can see, wildly different and longer but ultimately its goal is to provide over 340 trillion trillion trillion unique addresses. Check out in IPv6. See what they did there!

Tunnel Broker?

The tunnel broker I used is the fantastic A tunnel broker allows us to tunnel an IPv6 connection across the IPv4 address space to allow us to connect to the native IPv6 internet. In this case it is provided by Hurricane Electric, a US based ISP. They have no ulterior motive to get you to buy something, they are just awesome. Now once you access the site and set up an account, you will need to create your tunnel to a local (or as close as possible) server. This is the easy part as tunnel broker even gives you a page with a load of example configurations for different operating systems.

Network Diagram

Home Network


Now hopefully this diagram should explain what is going on in my network. The device I use as my perimeter is a Cisco ASA 5505. I have no router in front of it, the public IPv4 address is learnt dynamically via PPPoE, because it is a point-to-point link with my ISP I am unable to use the ASA directly as a IPv6 router as the ASA cannot have tunnel interfaces, although the device has the capability to support IPv6. I therefore needed an alternative, something that could have tunnel interfaces configured, the alternative I used is the magnificent Vyatta software router/firewall. (Now an offshoot called Vyos) With this device acting as a dedicated IPv6 router / firewall, here is what is going on. The Vyatta is advertising itself to the internal networks as an IPv6 gateway on all interfaces. A client on that network assigns itself an IPv6 address using SLAAC and then knows to send all IPv6 traffic to the gateway. Once the gateway receives traffic destined for a public IPv6 address, it routes the traffic into its configured tunnel interface which in turn is encapsulated in IPv4 (Protocol 41) as it exits onto the IPv4 internet. This protocol 41 traffic exits the IPv4 internet via the gateway and at that point is now on the ISP IPv6 internet backbone where it can then route across and access that public IPv6 service. Now there is a fair amount of configuration and I am using a very specific example however the same approach applies even if you are using a different device as your main gateway.



The ASA is straight forward. A 1-1 NAT to a private IP. An access list allowing protocol 41. That’s it. This config is from 8.3 code and above. Configuration on 8.2 code and below will be different.

object network Vyatta
nat (inside,outside) static <publicly assigned NAT>

access-list Internet-Inbound extended permit 41 object HE.NET object Vyatta

object network HE.NET

object network Vyatta

Now there are some obvious other configuration options required. Firstly I am assuming you have a static IP/s from your ISP, if you have a normal residential package then not likely. I’m also assuming your gateway is functioning correctly with an outside and inside network.


The configuration of the Vyatta I have obtained using the “sh configurations commands” as it is far easier to read. The first section is the internal address the NAT attaches to. The second is the tunnel interface and the third is the IPv6 static route.

set interfaces ethernet eth1 address ''
set interfaces ethernet eth1 address '2001:470:1f09:3d9::1/64'
set interfaces ethernet eth1 description 'Inside Interface'
set interfaces ethernet eth1 dhcpv6-options 'parameters-only'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id '00:0c:29:32:a2:d9'
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits '1'
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit '64'
set interfaces ethernet eth1 ipv6 router-advert default-preference 'high'
set interfaces ethernet eth1 ipv6 router-advert link-mtu '0'
set interfaces ethernet eth1 ipv6 router-advert managed-flag 'false'
set interfaces ethernet eth1 ipv6 router-advert max-interval '600'
set interfaces ethernet eth1 ipv6 router-advert other-config-flag 'true'
set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:1f09:3d9::/64 autonomous-flag 'true'
set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:1f09:3d9::/64 on-link-flag 'true'
set interfaces ethernet eth1 ipv6 router-advert prefix 2001:470:1f09:3d9::/64 valid-lifetime '2592000'
set interfaces ethernet eth1 ipv6 router-advert reachable-time '0'
set interfaces ethernet eth1 ipv6 router-advert retrans-timer '0'
set interfaces ethernet eth1 ipv6 router-advert send-advert 'true'
set interfaces ethernet eth1 smp_affinity 'auto'
set interfaces ethernet eth1 speed 'auto'

set interfaces tunnel tun0 address '2001:470:1f08:3d9::2/64'
set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel'
set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 'firewall'
set interfaces tunnel tun0 local-ip ''
set interfaces tunnel tun0 mtu '1420'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip ''

set protocols static interface-route6 ::/0 next-hop-interface 'tun0'

This configuration will get you up and running and connected to the IPv6 web. I have multiple interfaces connecting in to different networks so there is much more config but it’s generally a copy paste job. If you do want to set up multiple networks on IPv6 then provide a /48 prefix which you can use to create a huge number of networks.

Word of warning is there is no NAT in IPv6 land to block unwanted inbound traffic so a functioning firewall is a must. Vyatta has a fully featured firewall built in, which I will post about in the future. If you are just getting started though I would simply allow all outbound traffic and block all inbound traffic using a zone based firewall. Zone based is far better than interface based because if you introduce multiple interfaces, it allows absolute granularity in defining what traffic is allowed to flow between zones.

Once you think your done. Try some IPv6 sites like the following:

The last two are incredibly helpful when testing you are secure and your firewall is functioning as required!

IPv6 Encapsulation using a tunnel broker
Tagged on:                     

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.