# IPv6 tunneling



## asdsdf (Feb 28, 2013)

Hi all, I'm having an issue (possibly with me rather than the OS) with a new FreeBSD build and IPv6 connectivity. This is via a HE.net tunnel, but not from the device itself, the FreeBSD box is just attached to an IPv6 capable LAN with the tunnel endpoint elsewhere. My problem is that I have a (currently very basic) IPFW ruleset which uses protocol neutral terms (ip rather than ip4/ip6, icmp rather than icmp4/6, etc) but some oddities are occurring where traffic doesn't seem to be being passed correctly. Allow me to paste two rulesets and ping summaries:


```
--- ipv6.l.google.com ping6 statistics ---
10 packets transmitted, [b]1 packets received[/b], 90.0% packet loss
round-trip min/avg/max/std-dev = 58.384/58.384/58.384/0.000 ms
```


```
00010   16096    9398190 allow ip from any to any via lo0
00020       0          0 deny ip from any to 127.0.0.0/8
00030       0          0 deny ip from 127.0.0.0/8 to any
00040       0          0 deny tcp from any to any frag
00050       0          0 check-state
00060    7052    4243658 allow tcp from any to any established
00070 1061861 1012713498 allow ip from any to any out keep-state
[b]00080       0          0 allow icmp from any to any[/b]
65535     588      42336 deny ip from any to any
```


```
--- ipv6.l.google.com ping6 statistics ---
10 packets transmitted, [b]10 packets received[/b], 0.0% packet loss
round-trip min/avg/max/std-dev = 33.813/40.743/58.416/9.132 ms
```


```
00010   16738    9521522 allow ip from any to any via lo0
00020       0          0 deny ip from any to 127.0.0.0/8
00030       0          0 deny ip from 127.0.0.0/8 to any
00040       0          0 deny tcp from any to any frag
00050       0          0 check-state
00060    7350    4310502 allow tcp from any to any established
00070 1063064 1012836570 allow ip from any to any out keep-state
00080       0          0 allow icmp from any to any
[b]00090       2        144 allow ipv6-icmp from any to any[/b]
65535     611      43992 deny ip from any to any
```

These "ipfw show" outputs are from after the ping tests have completed, so I'd particularly like to note the odd behaviour of the ICMP rules; with a blanket icmp rule (number 80) even though one packet was received, this rule was apparently never hit. And then with the second group (where rule 90 specifically allows icmpv6) even though I got 10 ping responses, the rule was only hit twice.

I'll admit that although my knowledge of networking is above average, my skillset lies mainly in Linux/netfilter/iptables so this could just be something I'm not used to, so any pointers would be welcome. Long-term I intend to set this machine up as the new tunnel endpoint, but I figured that setting it up as a client on my existing LAN setup (which works) was the way to start before getting ambitious. So far I haven't had any joy though, so all advice is gratefully received!


----------



## RusDyr (Feb 28, 2013)

I would recomment add "debug" rules 
`# ipfw add 65000 log logamount 99999 allow ip from any to any`
`# ipfw add 65100 log logamount 99999 allow ip6 from any to any`

after your 00090 rule and see records in */var/log/security*.
`# tail -f /var/log/security`


If it doesn't help, try to turn off firewall at all `# sysctl net.inet.ip.fw.enable=0;
 sysctl net.inet6.ip6.fw.enable=0`, may be the problem isn't in it.

P.S. My home server with IPv6 tunnel and "allow ipv6-icmp from any to any" works fine.


----------

