Configuring IPv6 Through A Tunnel Broker Service

A location that doesn’t have access to native IPv6 connectivity may obtain it using a tunnel broker service such as Hurricane Electric. A core site with IPv6 can deliver IPv6 connectivity to a remote site by using a VPN or GIF tunnel.

This section provides the process for connecting pfSense® with Hurricane Electric (Often abbreviated to or HE) for IPv6 transit. Using is simple and easy. It allows for multi-tunnel setup, each with a transport /64 and a routed /64. Also included is a routed /48 to be used with one the tunnels. It’s a great way to get a lot of routed IPv6 space to experiment with and learn, all for free.

Sign Up for Service

Before a tunnel can be created, ICMP echo requests must be allowed to the WAN. A rule to pass ICMP echo requests from a source of any is a good temporary measure. Once the tunnel endpoint for has been chosen, the rule can be made more specific.

To get started on, sign up at The /64 networks are allocated after registering and selecting a regional IPv6 tunnel server. A summary of the tunnel configuration can be viewed on’s website as seen in Figure Tunnel Config Summary. It contains important information such as the user’s Tunnel ID, Server IPv4 Address (IP address of the tunnel server), Client IPv4 Address (the firewall’s external IP address), the Server and Client IPv6 Addresses (representing the IPv6 addresses inside the tunnel), and the Routed IPv6 Prefixes.

../_images/tunnelbroker-tunnelbroker-providerconfig.png Tunnel Config Summary

The Advanced tab on the tunnel broker site has two additional notable options: An MTU Slider and an Update Key for updating the tunnel address. If the WAN used for terminating the GIF tunnel is PPPoE or another WAN type with a low MTU, move the slider down as needed. For example, a common MTU for PPPoE lines with a tunnel broker would be 1452. If the WAN has a dynamic IP address, note the Update Key for later use in this section.

Once the initial setup for the tunnel service is complete, configure pfSense to use the tunnel.

Allow IPv6 Traffic

On new installations of pfSense after 2.1, IPv6 traffic is allowed by default. If the configuration on the firewall has been upgraded from older versions, then IPv6 would still be blocked. To enable IPv6 traffic, perform the following:

  • Navigate to System > Advanced on the Networking tab

  • Check Allow IPv6 if not already checked

  • Click Save

Allow ICMP

ICMP echo requests must be allowed on the WAN address that is terminating the tunnel to ensure that it is online and reachable. If ICMP is blocked, the tunnel broker may refuse to setup the tunnel to the IPv4 address. Edit the ICMP rule made earlier in this section, or create a new rule to allow ICMP echo requests. Set the source IP address of the Server IPv4 Address in the tunnel configuration as shown in Figure Example ICMP Rule to ensure connectivity.


Example ICMP Rule

Create and Assign the GIF Interface

Next, create the interface for the GIF tunnel in pfSense. Complete the fields with the corresponding information from the tunnel broker configuration summary.

  • Navigate to Interfaces > Assignments on the GIF tab.

  • Click fa-plus Add to add a new entry.

  • Set the Parent Interface to the WAN where the tunnel terminates. This would be the WAN which has the Client IPv4 Address on the tunnel broker.

  • Set the GIF Remote Address in pfSense to the Server IPv4 Address on the summary.

  • Set the GIF Tunnel Local Address in pfSense to the Client IPv6 Address on the summary.

  • Set the GIF Tunnel Remote Address in pfSense to the Server IPv6 Address on the summary, along the with prefix length (typically / 64).

  • Leave remaining options blank or unchecked.

  • Enter a Description.

  • Click Save.

See Figure Example GIF Tunnel.


Example GIF Tunnel

If this tunnel is being configured on a WAN with a dynamic IP, see Updating the Tunnel Endpoint for information on how to keep the tunnel’s endpoint IP updated with

Once the GIF tunnel has been created, it must be assigned:

  • Navigate to Interfaces > Assignments, Interface Assignments tab.

  • Select the newly created GIF under Available Network Ports.

  • Click fa-plus Add to add it as a new interface.

Configure the New OPT Interface

The new interface is now accessible under Interfaces > OPTx, where x depends on the number assigned to the interface.

  • Navigate to the new interface configuration page. (Interfaces > OPTx)

  • Check Enable Interface.

  • Enter a name for the interface in the Description field, for example WANv6.

  • Leave IPv6 Configuration Type as None.

  • Click Save

  • Click Apply Changes.


Example Tunnel Interface

Setup the IPv6 Gateway

When the interface is configured as listed above, a dynamic IPv6 gateway is added automatically, but it is not yet marked as default.

  • Navigate to System > Routing

  • Edit the dynamic IPv6 gateway with the same name as the IPv6 WAN created above.

  • Check Default Gateway.

  • Click Save.

  • Click Apply Changes.


Example Tunnel Gateway

Navigate to Status > Gateways to view the gateway status. The gateway will show as “Online” if the configuration is successful, as seen in Figure Example Tunnel Gateway Status.


Example Tunnel Gateway Status

Setup IPv6 DNS

The DNS servers likely answer DNS queries with AAAA results already. Entering the DNS servers supplied by the tunnel broker service under System > General Setup is recommended. Enter at least one IPv6 DNS server or use Google’s public IPv6 DNS servers at 2001:4860:4860::8888 and 2001:4860:4860::8844. If the DNS Resolver is used in non-forwarding mode, it will talk to IPv6 root servers automatically once IPv6 connectivity is functional.

Setup LAN for IPv6

Once the tunnel is configured and online, the firewall itself has IPv6 connectivity. To ensure clients can access the internet on IPV6, the LAN must be configured also.

One method is to set LAN as dual stack IPv4 and IPv6.

  • Navigate to Interfaces > LAN

  • Select IPv6 Configuration Type as Static IPv6

  • Enter an IPv6 address from the Routed /64 in the tunnel broker configuration with a prefix length of 64. For example, * 2001:db8:1111:2222::1 for the LAN IPv6 address if the Routed /64 is 2001:db8:1111:2222::/64.

  • Click Save

  • Click Apply Changes

A /64 from within the Routed /48 is another available option.

Setup DHCPv6 and/or Router Advertisements

To assign IPv6 addresses to clients automatically, setup Router Advertisements and/or DHCPv6. This is covered in detail in IPv6 Router Advertisements.

A brief overview is as follows:

  • Navigate to Services > DHCPv6 Server/RA

  • Check Enable

  • Enter a range of IPv6 IP addresses inside the new LAN IPv6 subnet

  • Click Save.

  • Switch to the Router Advertisements tab

  • Set the Mode to Managed (DHCPv6 only) or Assisted (DHCPv6+SLAAC)

  • Click Save.

Modes are described in greater detail at Router Advertisements (Or: “Where is the DHCPv6 gateway option”).

To assign IPv6 addresses to LAN systems manually, use the firewall’s LAN IPv6 address as the gateway with a proper matching prefix length, and pick addresses from within the LAN subnet.

Add Firewall Rules

Once LAN addresses have been assigned, add firewall rules to allow the IPv6 traffic to flow.

  • Navigate to Firewall > Rules, LAN tab.

  • Check the list for an existing IPv6 rule. If a rule to pass IPv6 traffic already exists, then no additional action is necessary.

  • Click fa-level-down Add to add a new rule to the bottom of the list

  • Set the TCP/IP Version to IPv6

  • Enter the LAN IPv6 subnet as the Source

  • Pick a Destination of Any.

  • Click Save

  • Click Apply Changes

For IPv6-enabled servers on the LAN with public services, add firewall rules on the tab for the IPv6 WAN (the assigned GIF interface) to allow IPv6 traffic to reach the servers on required ports.

Try It!

Once firewall rules are in place, check for IPv6 connectivity. A good site to test with is An example of the output results of a successful configuration from a client on LAN is shown here Figure IPv6 Test Results.


IPv6 Test Results

Updating the Tunnel Endpoint

For a dynamic WAN, such as DHCP or PPPoE, can still be used as a tunnel broker. pfSense includes a DynDNS type that will update the tunnel endpoint IP address whenever the WAN interface IP changes.

If DynDNS is desired, it may be configured as follows:

  • Navigate to Services > DynDNS

  • Click fa-plus Add to add a new entry.

  • Set the Service Type to be Tunnelbroker.

  • Select WAN as the Interface to Monitor.

  • Enter the Tunnel ID from the tunnel broker configuration into the Hostname field.

  • Enter the Username for the tunnel broker site.

  • Enter either the Password or Update Key for the tunnel broker site into the Password field.

  • Enter a Description.

  • Click Save and Force Update.

If and when the WAN IP address changes, pfSense will automatically update the tunnel broker.