Setting up an IPv6 Gateway on Hurricane Electric using Ubuntu 10.04.2

The first thing you’ll need to do is register at the Hurricane Electric website and create your tunnel. I’m not going to go over that, since there’s a lot of help on the Hurricane Electric website about it. These instructions only apply after you’ve registered as a user and set up your tunnel on their website.

These instructions apply to Debian and Ubuntu derivatives; I’m sure they will work for other distributions with a little tweaking. Thanks to angelou on the Hurricane Electric web forum for doing most of the hard work. These instructions are mostly his work, with the ufw firewall instructions provided by me.

Take a note of your tunnel details from the Hurricane Electric website; you’ll need them to set up your Linux IPv6 gateway. The IPv6 addresses below are used for documentation purposes only, see RFC 3849 (no point showing everyone on the internet my home IPv6 address, that would just be silly 🙂 )

HE Server IPv4 Endpoint
Static IPv6 assignment from my routable range 2001:DB8:8:7aa::1
Client IPv6 Endpoint 2001:DB8:7:7aa::2

You need to edit /etc/network/interfaces and add your own data to the bottom of the file. There are two parts: the first goes after your own network adaptor (usually eth0), and the second goes after that.

  • Adding static IPv6 address from my routable range.
  • Adding a static route to the Client IPv6 endpoint also called the he-ipv6 tunnel interface.
  • Please note that the two addresses are on different networks.

The IPv6 and IPv4 settings below will of course be yours and not the ones I’ve made up for the purpose of showing how it’s done 🙂

Now we’re going to install and configure radvd. First, install radvd.

Then configure radvd for your routed range.

The only part you have to change below is the “prefix”, which will be your own IPv6 prefix.

Now you’re going to edit the sysctl.conf file so that, after a reboot, IPv6 will still be forwarded to other IPv6-enabled devices.

Now we’re going to enable IPv6 forwarding on the fly.
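The three configuration steps above (interfaces, radvd, sysctl) as one added example; it is not the author's configuration, whose listings are not reproduced on this page. It uses the documentation addresses given above; the 192.0.2.x IPv4 endpoints, the ::1 address for the HE side of the tunnel /64, the function names and the staging-directory approach are assumptions.

```shell
#!/bin/sh
# Added example: render the gateway settings into a staging directory for review
# before appending them to the real files. Addresses are the RFC 3849 ones from
# the text; the IPv4 endpoints are placeholders (192.0.2.0/24), not real values.
LAN_IF=eth0
LAN_ADDR=2001:db8:8:7aa::1   # static address from the routed /64
TUN_ADDR=2001:db8:7:7aa::2   # client IPv6 endpoint of the tunnel
HE_V4=192.0.2.1              # placeholder: HE server IPv4 endpoint
LOCAL_V4=192.0.2.2           # placeholder: this gateway's own IPv4 address

# /64 of an address written as a:b:c:d::x (the form used in the text).
prefix64() { printf '%s\n' "${1%%::*}"; }

render_gateway_config() {
    out=$1
    # The routed /64 and the tunnel /64 must be different networks.
    if [ "$(prefix64 "$LAN_ADDR")" = "$(prefix64 "$TUN_ADDR")" ]; then
        echo "routed and tunnel prefixes must differ" >&2
        return 1
    fi
    mkdir -p "$out" || return 1
    cat > "$out/interfaces.append" <<EOF
iface $LAN_IF inet6 static
    address $LAN_ADDR
    netmask 64

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
    address $TUN_ADDR
    netmask 64
    endpoint $HE_V4
    local $LOCAL_V4
    ttl 255
    gateway $(prefix64 "$TUN_ADDR")::1
EOF
    cat > "$out/radvd.conf" <<EOF
interface $LAN_IF {
    AdvSendAdvert on;
    prefix $(prefix64 "$LAN_ADDR")::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
EOF
    # Persistent forwarding; "sysctl -w net.ipv6.conf.all.forwarding=1" sets it live.
    echo "net.ipv6.conf.all.forwarding=1" > "$out/sysctl.append"
}

if [ -n "${STAGE_DIR:-}" ]; then render_gateway_config "$STAGE_DIR"; fi
```

Run it with STAGE_DIR set to an empty directory, then review the three files before merging them into /etc/network/interfaces, /etc/radvd.conf and /etc/sysctl.conf.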

All going well, you could bring up the interface followed by radvd and everything should work. However, I wouldn’t recommend it. Every device on your network that gets an IPv6 address would be visible to all IPv6-enabled devices on the internet (Samba shares spring to mind).

Setting up a ufw firewall under Ubuntu for IPv6

Enable IPv6 support under ufw

Change the following part to yes

Set the default forward policy to ACCEPT

Now we need to enable ufw. At the terminal, type:

Like most people, I’m behind a firewall/router, so I have a Private Class B Network Address, the same as most PC users these days. I would like to add access for all the devices on my own network.

To do this I do the following at the terminal:

I want to allow IPv6 services from my HE Server IPv4 Endpoint, inbound and outbound. IPv6 over IPv4 tunnels (Hurricane Electric) and 6to4 are supported by using the ‘ipv6’ protocol (‘41’).

I would like to allow bootp services on port 67 from the radvd service.

I want to allow access to services running on this Linux gateway (e.g. ssh, Samba) under my own assigned routable IPv6 range, within my own network only.

Ok, if you’ve followed the instructions correctly, you should now be able to bring up the IPv6 interface and ping an IPv6 address with no problem.

Bringing up the he-ipv6 interface.

Now, if you type the following

You should see something similar to this:

Now to test the tunnel.

You should get the following ping replies if your tunnel is working correctly.

That’s it, all done! 😀

Hint: Any other Linux, Vista or Windows 7 workstation that you have on your home network will automatically get an IPv6 address and will be accessible externally (from outside your home network). So I would suggest that you firewall them and use the host scan tool provided by Hurricane Electric to test them.

Alternatively, you can turn the gateway into an IPv6 firewall that only allows IPv6 traffic originating from your network and blocks all incoming traffic that doesn’t originate from within your network.

If you decide that you want to restrict all incoming IPv6 traffic from the Internet to your own local network, then you need to edit the file before6.rules. Use the command to edit the file.

Add the following before the commit command. Thanks to Ezra for pointing out the need for this.

Updated firewall rules below on 16/02/12.
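A stateful form of the forward restriction described above, with an offline check of the resulting chain, as an added example rather than the post's own rules (which are not reproduced on this page). ufw6-before-forward is the forward chain ufw defines in before6.rules; the interface names eth0 and he-ipv6 and the two function names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own rules. Assumed names: LAN eth0, tunnel he-ipv6.

# Stateful forward filter: lines for /etc/ufw/before6.rules, above COMMIT.
forward_rules() {
    wan=$1 lan=$2
    cat <<EOF
-A ufw6-before-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw6-before-forward -i $lan -o $wan -j ACCEPT
-A ufw6-before-forward -i $wan -j DROP
EOF
}

# Offline check. Reads rules on stdin and prints what happens to a NEW
# connection arriving on interface $1:
#   DROP    first applicable rule drops or rejects it unconditionally
#   ACCEPT  first applicable rule accepts it unconditionally
#   OPEN    an ACCEPT with extra matches (-o, -p, --dport, ...) admits some of it
#   POLICY  no rule decides; the default forward policy applies
#   UNKNOWN a negated match (!) was seen, which this check does not evaluate
new_inbound_verdict() {
    awk -v ifc="$1" '
    $1 == "-A" && $2 == "ufw6-before-forward" {
        in_if = ""; states = ""; target = ""; extra = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "!") { verdict = "UNKNOWN"; exit }
            else if ($i == "-i") in_if = $(++i)
            else if ($i == "-m") ++i
            else if ($i == "--state" || $i == "--ctstate") states = $(++i)
            else if ($i == "-j") target = $(++i)
            else extra = 1
        }
        if (in_if != "" && in_if != ifc) next
        if (states != "" && index("," states ",", ",NEW,") == 0) next
        if (target == "ACCEPT") { verdict = extra ? "OPEN" : "ACCEPT"; exit }
        if (!extra && (target == "DROP" || target == "REJECT")) { verdict = "DROP"; exit }
    }
    END { print (verdict != "" ? verdict : "POLICY") }'
}

# Check the generated rules before copying them into before6.rules.
forward_rules he-ipv6 eth0 | new_inbound_verdict he-ipv6
```

A POLICY result matters here because the default forward policy was set to ACCEPT earlier, so a chain that never decides leaves the LAN hosts reachable from the tunnel.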

Done 😀



6 thoughts on “Setting up a IPv6 Gateway on Hurricane Electric using Ubuntu 10.04.2

  1. This is the best guide I’ve found on doing this – thanks! Was running into lots of issues doing this on Hardy Heron but finally upgraded to latest LTS (10.04) and everything is working now 🙂

  2. So I would suggest that you firewall them and use the host scan tool provided by HE Electric to test them.

    Is it possible to do this with ufw on the gateway, or does it have to be done by each device? If it is possible on the gateway, could you explain how, as I’ve been trying to figure it out and google isn’t giving me any useful answers.

  3. Ah. I didn’t think about doing it with ip6tables manually. Thanks for the tip. I’m used to having a hardware firewall, so I’m not an expert on software ones. Which is why I went with Ubuntu’s supposed easy to use ufw in the first place.

    I’m really surprised that there are no guides about setting up the firewall to block forwarding incoming requests. Sure it’s important to firewall the server running as the gateway, but why does nobody care about protecting all the desktops and portable devices behind it? Seems like that should be a high priority. Especially since you just have to block everything to start with (I’d much rather have all the ports on my Windows boxes blocked and have bittorrent not work optimally than leave all ports open for instance). Then later people can figure out how to open specific ports if they need them.

    In case anyone else is interested, to block incoming requests over TCP run: “ip6tables -I FORWARD -i he-ipv6 -p tcp --syn -j DROP”. I’m not sure about UDP, since the version of nmap I have won’t scan UDP ports over IPv6, but I ran “ip6tables -I FORWARD -i he-ipv6 -p udp -j DROP”. So hopefully that worked.

  4. Thanks Ezra,

    If you don’t mind, I’ll add the above to the tutorial as an extra. And once again, thanks for the info 😀
