Setting up a Raspberry Pi as an IPv6 gateway using Hurricane Electric.

The first thing you’ll need to do is register at the Hurricane Electric website and create your own tunnel. I’m not going to go over that since there’s a lot of help on the Hurricane Electric website about it. These instructions only apply once you’ve registered as a user and set up your tunnel on their website.

Take a note of your tunnel details from the Hurricane Electric website; you’ll need them to set up your Linux IPv6 gateway. The IPv6 addresses shown here are used for documentation purposes only, see RFC 3849 (no point showing everyone on the Internet my home IPv6 address range).

HE Server IPv4 Endpoint: 216.66.80.26
Static IPv6 assignment from my routable range: 2001:DB8:8:7aa::1
Client IPv6 Endpoint: 2001:DB8:7:7aa::2

OK, the first thing to do is enable IPv6 support on your Raspberry Pi. At the prompt, type the following.

To make the change permanent, you will have to edit the modules file so that your Pi loads the module at start-up (reboot). To do this, edit the modules file by typing the following.

Your modules file should look similar to this after you append the “ipv6” line at the end.

You need to edit /etc/network/interfaces and add your own data to the bottom of the file. There are two bits of data: the first goes after your own network adaptor (usually eth0), and the second goes after that.

  • Adding static IPv6 address from my routable range.
  • Adding the Hurricane Electric Tunnel interface (called he-ipv6)
  • Please note that the IP’s are on different networks.

The IPv6 and IPv4 settings below will of course be yours and not the ones I’ve made up for the purpose of showing how it’s done 🙂

Now we’ll deal with DNS. You have two options: you can either use your ISP’s DNS server and hope that it’s set up to deal with IPv6 resolution, or you can use free public recursive DNS servers. I’m going to use Google’s public recursive DNS servers, which I know work.

To set this up, you’ll need to edit the /etc/resolv.conf file and add the DNS servers in. Type the following at the prompt.

Add the following and save.

Testing the Tunnel

Before we go any further, we’re going to bring the tunnel up and test it.

At the prompt, type the following.

To test, type the following.

You should get similar results to me.

If your results are similar to the above, then your raspberrypi is connected to the IPv6 Internet (Hurrah!) :-). If not, check your IPv6 settings and ask for help on the HE forum here.

Now we need to bring the interface down. We’ll bring it back up again after we’ve firewalled it.

Forwarding and Firewalling

First we need to enable IPv6 forwarding. We do this by editing the /etc/sysctl.conf file and uncommenting the following line (it should look like this).

Next we’re going to install and set up iptables-persistent using our own IPv6 rules.

IPv6 Stateful Firewalling for your network.

I’ve tested the following firewall rules using a number of sites and they work great for me. Feel free to use them; I’ll even include links later so you can test the firewall for yourself.

Copy and paste the following file and call it “ip6tables.rules.sh”.

Once you have the file on your raspberrypi, you’ll need to run it to set up the firewall rules.

Make the file executable.

Run the file to execute the firewall rules.
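An added example, not the author’s ip6tables.rules.sh: a default-deny, stateful ruleset for a 6in4 gateway, emitted in ip6tables-restore format (the same format as /etc/iptables/rules.v6). The interface names and the documentation prefix are assumptions taken from the values used in this article.

```shell
#!/bin/sh
# Added example: emit a stateful IPv6 ruleset in ip6tables-restore format.
# Defaults are assumptions based on the names and prefix used in the article.

# gen_rules6 [WAN_IF] [LAN_IF] [LAN_PREFIX] -> ruleset on stdout
gen_rules6() {
    wan="${1:-he-ipv6}"                 # tunnel (IPv6 Internet side)
    lan="${2:-eth0}"                    # LAN side
    prefix="${3:-2001:db8:8:7aa::/64}"  # routed /64 handed to the LAN
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the gateway itself
-A INPUT -i lo -j ACCEPT
# ICMPv6 carries neighbour discovery and path MTU discovery; do not drop it
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may use services on the gateway (DNS, DHCPv6, SSH)
-A INPUT -i $lan -j ACCEPT
# Traffic routed between the LAN and the tunnel
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: our own prefix must never arrive from the Internet side
-A FORWARD -i $wan -s $prefix -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only LAN hosts, using addresses from our prefix, may open new connections
-A FORWARD -i $lan -o $wan -s $prefix -j ACCEPT
EOF
    # Inbound ICMPv6 from the tunnel is limited to error messages and ping
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        printf '%s\n' "-A FORWARD -i $wan -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Print the ruleset. On the gateway, as root, syntax-check and then load it:
#   gen_rules6 | ip6tables-restore --test && gen_rules6 | ip6tables-restore
gen_rules6 "$@"
```

Because a routed IPv6 prefix has no NAT in front of it, the `FORWARD` policy of `DROP` is the only thing standing between the Internet and every host on the LAN.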

Optional

You can verify that the rules have been applied by typing the following at the prompt.

This will give you a list similar to this partial list.

Making the firewall rules persistent.

To make the firewall rules persistent (re-applied after a reboot), we are going to install a piece of software called “iptables-persistent”.

During the install process, the package will dump the firewall rules that are currently active (including the ones that you’ve applied above) to a file called “/etc/iptables/rules.v6”.

To check that this is the case, type the following.

Your output should look similar to this.

All done, at this point I usually reboot and list the firewall rules to ensure they are being applied.
If you want to do this then reboot your pi.

When the Pi’s rebooted, list the firewall rules as you did above using the command below.

You should get an output similar to mine below.
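An added example (not from the original post) of a check to run on the saved rules file after installing iptables-persistent and again after the reboot: it fails if the file is empty or if the ruleset is not default-deny and stateful. The two sample rulesets are constructed for illustration; on the gateway the function would be pointed at /etc/iptables/rules.v6.

```shell
#!/bin/sh
# Added example. The sample rulesets below are constructed for illustration.

# audit_rules6 FILE -> prints findings; returns 0 only if every check passes.
audit_rules6() {
    f="$1"; rc=0
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 1; }
    for chain in INPUT FORWARD; do
        grep -Eq "^:$chain DROP " "$f" ||
            { echo "FAIL: default policy of $chain is not DROP"; rc=1; }
    done
    grep -Eq '^-A FORWARD .*--(ct)?state [A-Z,]*ESTABLISHED.* -j ACCEPT' "$f" ||
        { echo "FAIL: FORWARD has no ESTABLISHED rule (not stateful)"; rc=1; }
    grep -Eq '^-A INPUT .*-p (ipv6-icmp|icmpv6).* -j ACCEPT' "$f" ||
        { echo "FAIL: INPUT drops ICMPv6 (neighbour discovery will break)"; rc=1; }
    grep -q '^COMMIT$' "$f" ||
        { echo "FAIL: no COMMIT line, file is truncated"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $f"; fi
    return "$rc"
}

# write_sample good|weak FILE -> constructed rules.v6 content for the demo.
# The "weak" variant differs only in its FORWARD policy (ACCEPT).
write_sample() {
    if [ "$1" = good ]; then fwd=DROP; else fwd=ACCEPT; fi
    cat > "$2" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD $fwd [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o he-ipv6 -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_sample good "$tmp/good.v6"
write_sample weak "$tmp/weak.v6"
audit_rules6 "$tmp/good.v6"
audit_rules6 "$tmp/weak.v6" || echo "weak ruleset rejected"
rm -rf "$tmp"
```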

A couple of points to remember.

  1. If you have to install the raspberrypi on the DMZ of your network to get your IPv6 tunnel working, then I would suggest that you set up an IPv4 firewall on your raspberrypi that only allows access from your network.
  2. If you are going to allow SSH access externally (over the internet), then think about installing denyhosts on your raspberry pi; this will help stop brute force ssh attacks on your Pi.

Installing and setting up Dnsmasq

I’ve previously used radvd to advertise the IPv6 route and configure hosts using SLAAC. This time, I’m going to be using Dnsmasq, which will be taking care of IPv4 DNS, DNS cache, DHCP, and IPv6 DNS and router advertisement. Most people use their home router to take care of DHCP and DNS, which is fine. But since my own raspberry pi is connected directly via ethernet to my home router and uses the same power bar for electricity, it seemed sensible to set it up for IPv4 and IPv6 and turn off DHCP allocation on the router.
You of course can make your own mind up about that. 🙂

First we need to install Dnsmasq. At the prompt, type the following.

Below is a snippet of my dnsmasq.conf file with a basic setup. Feel free to use and/or adapt as needed. To edit your own dnsmasq.conf file, type the following at the prompt.

Here’s part of my dnsmasq.conf file (the part that applies to IPv6 anyway), feel free to use/change as needed.

At the moment, I’m using dnsmasq at home to allocate IPv4 addresses (DHCP) and (IPv4 DNS cache) as my Pi is directly connected to my router and uses the same power bar. I’ve taken that part out of the configuration file below, as it may not apply to you.

After you’ve finished editing the dnsmasq.conf file, you will need to restart dnsmasq. To do this type the following at the prompt.

7 thoughts on “Setting up a Raspberry Pi as an IPv6 gateway using Hurricane Electric.”

  1. Hi,

    Nice article, what’s the maximum speed one would get? I noticed ~10Mbps in your screenshot. I have 60Mbps at home, should I buy a rpi for this or will I run into networking bottlenecks?

  2. Hello, I have some questions for you about the guide and I have some problems with setting up the tunnel. Can I get your email and bother you with some questions or are you very busy?

    Best regards,
    Rickard Carlsson

  3. Nice guide.

    I usually set up my eth0 to use both static IPv4 and static IPv6. So if your IPv4 net is 192.168.42.0/24, 2001:DB8:7:7aa::/64 is the tunnel and 2001:DB8:8:7aa::/64 is your routable net you get from HE (notice that the third group is different from the tunnel device and your LAN net).

    You need to set up your local nets first, both IPv4 and IPv6. Notice you don’t need to set up an IPv6 DNS server if you don’t want to. Most (all?) DNS servers will look up IPv6 AAAA records too.
    Test with this line. It will work or not, you’ll see. 😉

    $ getent hosts www.google.com
    2a00:1450:400f:803::1014 www.google.com

    Get information from HE and fill in your IPv4 information and the information from HE about the tunnel. If you are behind a NAT, you need to set local to your private IPv4 address. If you are on a real IPv4 net (wouldn’t think so) you use your real address.

    $ ip -4 add show dev eth0 | grep -o -e "inet \([0-9]\{1,3\}\.\)\{3\}[[:digit:]]\{1,3\}"

    Here

    # /etc/network/interfaces
    auto eth0
    # IPv4
    iface eth0 inet static
    address 192.168.42.10
    netmask 255.255.255.0
    gateway 192.168.42.1
    dns-nameservers 192.168.42.1
    dns-search my.example.com
    # IPv6 (no gateway, we are the one!)
    iface eth0 inet6 static
    address 2001:DB8:8:7aa::1
    netmask 64

    auto he-ipv6
    # IPv6 tunnel
    iface he-ipv6 inet6 v4tunnel
    address 2001:DB8:7:7aa::1
    netmask 64
    endpoint 216.66.80.26
    local 192.168.42.10
    gateway 2001:DB8:7:7aa::2
    ttl 255
    mtu 1472

    Notice you now will have an address 2001:DB8:8:7aa::1 for your machine. Don’t use the tunnel IP. So if you add 2001:DB8:8:7aa::1 to your AAAA DNS record it will be reachable from IPv6 internet. You should also notice that you have a huge amount of real addresses, so you need an address plan.

    My suggestion
    IPv4. -> IPv6
    192.168.42.100 -> 2001:DB8:8:7aa::100:1 to 2001:DB8:8:7aa::100:ffff
    192.168.42.101 -> 2001:DB8:8:7aa::101:1 to 2001:DB8:8:7aa::101:ffff

    And if you use port 80, you could add this address to your web server.
    2001:DB8:8:7aa::100:80 and only have web server listening to it. If you have SSH (port 22) on the same machine, add this address for SSH. 2001:DB8:8:7aa::100:22.
    Much easier to handle the firewall. You also set up so ssh only listens to port 22 on 2001:DB8:8:7aa::100:22 and not ::100:80 and vice versa.

    Well, that is the plan I have anyway. 😉

    Yes, a nice firewall for routers is shorewall6. You need a firewall. And then just add package radvd to distribute your prefix, 2001:DB8:8:7aa::/64 to all your MS Windows, Mac and Linux machines in your network and they are out on Internet too.
    Don’t forget /etc/sysctrl and net.ipv6.all.forwarding=1 and FORWARDING in your IPv6 router.