
Setting up IPv6 for HE Tunnelbroker

Discussion in 'Tomato Firmware' started by lancethepants, Aug 20, 2011.

  1. lancethepants

    lancethepants Network Guru Member

    This tutorial will show how to set up a routed /64. It should be possible to set up a /48 too.
    I went through tunnelbroker.net, so that is what I will be showing.

    The Firmware

    You will need to find a version of Tomato that supports IPv6 and the IPv6 gui for your router (if it exists), in order to follow the tutorial.

    I personally have been using the Toastman builds for the Asus RT-N16. I believe all of his builds for MIPSR2 Routers support it. (Please correct me if I'm wrong)
    He also has firmware for MIPSR1 routers labeled "tomato-K26-1.28.78xxMIPSR1-Toastman-ND-MiniIPv6.trx", for routers with 4mb flash, like the WRT series.

    Other mods I believe have IPv6 gui.

    Shibby mod

    Victek mod

    Any others?

    I believe that you should be able to find IPv6 gui firmware for most tomato supported routers.

    IPv6 is not available on Linux 2.4 tomato firmwares, only under Linux 2.6 where it has been explicitly included.

    Now for the Tutorial

    First you'll have to sign up for a tunnelbroker account, and go through the process of getting a routed /64. Once you have done that, you'll end up with a page like this under your list of Tunnels. As you can see, I also have a routed /48, which I am not presently using.

    We'll be using some of these values to enter into the router.

    Then in the router, go to "Basic -> IPv6", Fill in the fields with the ones of your tunnel, and save.

    edit: You can easily setup a /48 too. Just change 'Assigned / Routed Prefix' with your routed /48, and change 'Prefix Length' to 48. Make sure to hit tab after that so that 'Router IPv6 Address' will automatically adjust to the new settings.

    You can try MTU at default and see if that works for you. If your router receives its IP by DHCP, try out 1480, and 1472 for PPPoE. If none of those work for you, put 1280, and it should work at that setting if it's an MTU issue. You can play around with it until you find the highest usable MTU. It would be something in the 1400's range I imagine. The higher that is possible the better, because it allows more information to be sent per packet. 1280 will work, but fragments the packets more.

    Then head to "Advanced -> Firewall", and check "Respond to ICMP ping", and save. Your network needs to respond to ICMP in order for the tunnel to be created.


    For those of you with a static IP address, you can just manually update your "Client IPv4 Address:" in the tunnel page. If you have a dynamic IP address like me, also perform the following.

    Head to "Basic -> DDNS"


    edit: Recent git commits found in some TomatoUSB mods have fixed the TunnelBroker DDNS "Unkown response" error that shows up, you should probably expect to see this fix in the next official stable release of TomatoUSB. 10/20/2011


    That should be it. Save and reboot the Router.
    It takes a moment for the IPv6 tunnel to be established once the Wan connection is up.
    Make sure your OS has IPv6 enabled; Windows 7 should be already. You can also set up static IPv6 addresses on your local network that fall within your routed /64 range.

    Under "Port Forwarding -> Basic IPv6", you can open ports to all, or specific machines.

    I use afraid.org for DDNS, and have setup AAAA DNS records for this.

    Test out your connection

    edit: icanhazip.com seems to have lost its IPv6 checking capability, not sure if or when it will come back, but there are plenty of other places that will tell you too. 10/11/2011

    edit 2: icanhazip now appears to work again with ipv6 addressing.


    If you've set up a static IPv6 address on Windows 7, you will actually have 2 IPv6 addresses. Along with your static IP, you will have a "Temporary IPv6 address", and it's through this address that you will be recognized on the web.
    Taken from the TunnelBroker forum,
    "Basically, it's trying to emulate the dial up days where you had a certain degree of anonymity because every time you would dial in to the internet, you would get a different address."

    If you wish to disable this temporary address, run "netsh int ipv6 set privacy disabled", and then reboot.

    I hope this helps demystify the IPv6 setup :)
    bigank, cyclonechuah, philess and 5 others like this.
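
An added example, not part of the original post: a small Python check that classifies the addresses a LAN host reports (the static, temporary, link-local and Teredo entries mentioned in this thread) against the routed /64, and flags a routed address whose interface ID is built from the MAC (modified EUI-64), which is the stable identifier that temporary addresses are meant to hide. The routed prefix uses the 2001:db8::/32 documentation range and the sample lines are constructed, in a simplified "Label: address" form rather than real ipconfig output.

```python
import ipaddress

# Well-known IPv6 ranges, checked after the routed prefix.
WELL_KNOWN = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("teredo", ipaddress.ip_network("2001::/32")),
    ("6to4", ipaddress.ip_network("2002::/16")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
]


def embedded_mac(addr):
    """Return the MAC encoded in a modified EUI-64 interface ID, or None."""
    iid = (int(addr) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":  # EUI-64 inserts ff:fe in the middle of the MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)


def classify(text, routed_prefix):
    """Return (kind, mac) for one address string; strips '(Preferred)' and '%zone'."""
    addr = ipaddress.IPv6Address(text.split("(")[0].split("%")[0].strip())
    if addr in ipaddress.ip_network(routed_prefix):
        kind = "routed-prefix"
    else:
        kind = next((name for name, net in WELL_KNOWN if addr in net), "other")
    # An ff:fe pattern only means "MAC" for SLAAC-style addresses.
    mac = embedded_mac(addr) if kind in ("routed-prefix", "link-local") else None
    return kind, mac


def audit(lines, routed_prefix):
    """Classify each 'Label: address' line and flag MACs visible off-link."""
    rows = []
    for line in lines:
        label, _, value = line.partition(":")
        kind, mac = classify(value, routed_prefix)
        rows.append({
            "label": label.strip(),
            "kind": kind,
            "mac": mac,
            # Link-local addresses never leave the LAN; routed ones do.
            "mac_visible_to_sites": kind == "routed-prefix" and mac is not None,
        })
    return rows


# Constructed values: documentation prefix standing in for the routed /64.
ROUTED_PREFIX = "2001:db8:1234:5678::/64"
SAMPLE = [
    "IPv6 Address: 2001:db8:1234:5678::10(Preferred)",
    "IPv6 Address: 2001:db8:1234:5678:21e:8cff:fe12:3456",
    "Temporary IPv6 Address: 2001:db8:1234:5678:a1b2:c3d4:e5f6:789",
    "Link-Local IPv6 Address: fe80::21e:8cff:fe12:3456%11",
    "Teredo IPv6 Address: 2001:0:4137:9e76:2c5a:1b3f:3f57:fefd",
]

if __name__ == "__main__":
    for row in audit(SAMPLE, ROUTED_PREFIX):
        print(row)
```

Every address reported as `routed-prefix` is globally reachable without NAT, so those are the hosts the router's IPv6 firewall and "Port Forwarding -> Basic IPv6" rules actually govern.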
  2. xen0exe

    xen0exe Networkin' Nut Member

    Great post! Followed your directions and got it to work thanks!

    Router: Asus RT-N16
    Mod: Shibby's Mod
    File: tomato-K26USB-1.28.905xRAF-EN-MIPSR2-079V-AIO.trx 7.6 MB 12-Oct-1
  3. lancethepants

    lancethepants Network Guru Member

    Glad to hear, thanks for the feedback!
  4. LanceMoreland

    LanceMoreland Network Guru Member

    Your tutorial worked perfectly. Thank you. Kind of funny, when I set up the ipv6 DDNS, I got a scolding from Hurricane electric.

    "Sunday, February 12, 2012 4:01:32 PM:
    This tunnel is already associated with this IP address. Please try and limit your updates to IP changes"

  5. Runamok81

    Runamok81 Networkin' Nut Member

    Just found this, I posted a similar guide.
    My setup uses a static Uverse IP and Toastman's build.
  6. LanceMoreland

    LanceMoreland Network Guru Member

    Has anyone successfully set up a /48 address?
  7. lancethepants

    lancethepants Network Guru Member

    I hadn't tried it, but now that you brought it up I did it successfully.

    All you have to do is change 'Assigned / Routed Prefix' with your routed /48, and change 'Prefix Length' to 48. Make sure to hit tab after that so that 'Router IPv6 Address' will automatically adjust to the new settings, then reboot.
  8. Zanshi

    Zanshi Networkin' Nut Member

    Thank you! Worked great :)
  9. Wam7

    Wam7 Networkin' Nut Member

    Thank you, had to change the MTU to 1480 for mine to work. I score 9/10 for IPv6, the advanced stats say that my ISP (VirginMedia UK) does not support IPv6, they are really dragging their feet on this.
  10. HorseCalledHorse

    HorseCalledHorse Addicted to LI Member

    Great tutorial, lancethepants. Saved me hours and possibly days of head scratching. Works perfectly on my new Linksys E3000 running Victek's latest mod.
  11. lancethepants

    lancethepants Network Guru Member

    Thanks for all the feedback!

    This is just a heads up if you are also running DNSCrypt with IPv6. There's nothing wrong with it, just a warning of what to expect.

    After setting up DNSCrypt with the following guide, or if you use Shibby's latest builds with DNSCrypt integrated, I noticed the following when checking my IPv6.

    IPv6 + DNSCrypt.png

    It shows only a 9 out of 10 on IPv6. Naturally this alerted me and I want to see what test failed. This is the message.

    IPv6 message.png

    This is stating that DNS over IPv6, which was previously working, now is not. This however does not limit the functionality of the HE tunnel.

    A little explanation:
    To surf the web on IPv6, all you need is some form of functioning DNS. Whether your queries are performed over IPv4 or IPv6 it doesn't really matter, as they should both return the same results.
    Usually dnsmasq will query all dns servers (IPv4 and IPv6 alike), and then begin to give preference to the one that responds the quickest. When using DNSCrypt, it's necessary to add 'strict-order' to dnsmasq's config in order to ensure all DNS queries are sent through DNSCrypt only. This essentially prevents any DNS queries to any other server including IPv6 servers defined in Basic->IPv6.
    That is why this message occurs, as it is not capable of performing DNS over IPv6. DNSCrypt is the default for all IPv4 and IPv6 address lookups. Everything will still continue to function as before.

    When will this message matter? When the internet has completely moved to IPv6 and IPv4 has been phased out. By that time, DNSCrypt will operate over IPv6 anyway.
  12. TC777

    TC777 Networkin' Nut Member

    This was helpful for me to get it working with my Asus RT-N66U router. Although after trying it, is it normal that websites still see the regular IPv4 address? It seems kind of pointless to run IPv6 if that is the case, or I must be missing something? I probably am, as I'm not that knowledgeable about this.
  13. lancethepants

    lancethepants Network Guru Member

    Once you have IPv6 set up, it will be preferred over IPv4, if and only if the site you visit is IPv6 enabled. Not all the websites you'll visit have IPv6 availability yet, it's still a continual ongoing process. Most big sites do now, like Facebook, Google etc. If you've confirmed that you've successfully set up IPv6 through the guide, then you're all set. Now everyone else just needs to catch up to you.
    Does test-ipv6.com or icanhazip.com confirm that you have IPv6 working? If so, then what you're seeing is normal.
  14. Cyberian75

    Cyberian75 Network Guru Member

    Even with DNSCrypt turned off, I'm getting...
    IPv6 OpenDNS IPs are listed first in dnsmasq config.

    What could be wrong?
  15. lancethepants

    lancethepants Network Guru Member

    You probably still have 'strict-order' under dnsmasq options. 'strict-order' only allows the first DNS resolver to be used, this is how we guarantee that dnscrypt is always used. Your IPv6 nameserver may be first in resolv.dnsmasq, but the 'server' option in dnsmasq.conf takes precedence, and I don't believe Tomato is set up to put IPv6 nameserver in dnsmasq.conf. You may put it manually, but it requires a restart of dnsmasq, and tomato will just wipe out your settings anyway. As long as 'strict-order' is enabled, IPv6 won't be used. You can remove it, and OpenDNS will always be used since their DNS resolvers are in your IPv6 config, but it won't guarantee that it's encrypted.

    I've pondered on how to enable DNSCrypt and allow encrypted IPv6 DNS. DNSCrypt now supports IPv6, but you can only use IPv4 or IPv6 at a time, but unless you have native IPv6, I wouldn't trust my entire DNS to a tunnel. I think you would have to run two instances of DNSCrypt. One that handles IPv4, and one that handles IPv6. I just can't figure out how to tell the IPv6 static DNS settings to query to IPv6 localhost ( ::1 ) but on a nonstandard port (like 40). I'm sure it's possible, but I think the gui may not allow it, or work it right.
  16. Cyberian75

    Cyberian75 Network Guru Member

    No, I didn't put that option. I resolved the problem by setting it manually on my computer.

    It doesn't appear to pass IPv6 DNS IPs to connected devices.
  17. lancethepants

    lancethepants Network Guru Member

    That's an interesting issue. I haven't had any problem with using IPv6 when I've left my PCs to acquire it automatically.

    Edit: Just to clarify, are you having issues connecting to IPv6 enabled sites, or are you having issues performing DNS queries over IPv6?

    Just a few things to point out, maybe or maybe not relevant.

    1. You don't need to have IPv6 enabled DNS to visit IPv6 sites. Queries performed over IPv4 will return IPv4 and IPv6 results. And if IPv6 is active, it will prefer the IPv6 DNS result over IPv4.

    2. DNSMasq will prefer the fastest DNS server. In the case of tunnelled IPv6, IPv4 queries will almost always be faster, because the IPv6 tunnel will not be as fast as your native connection.

    3. Perhaps this is a bug. Perhaps trying a different build might work. Or maybe this could be resolved by clearing nvram and re-entering your settings by hand. I believe we've seen that issue at least once with IPv6.

    4. From your other post, despite it not showing a value for IPv6 DNS (looks the same as in mine) I can confirm that my router still performs DNS over IPv6 (as long as you DO NOT use 'strict-order'). Using tcpdump I've observed the actual IPv6 DNS packets. If you're really in doubt, you should try it out yourself and see if they don't show up.
  18. Cyberian75

    Cyberian75 Network Guru Member

    Thanks for your explanation. I was just not passing all the tests at test-ipv6.com.
  19. RonV

    RonV Network Guru Member

    Thanks for this post. I finished my IPv6 configuration this morning and got 10/10 on the IPv6 test site. Now I just have to do some windows 7/2008 configurations to get rid of teredo and I think I am all set.

    Just an update it looks like Windows 7 automatically disabled teredo when the IPv6 address went live. When I executed the ipconfig command it was now listed as "media disconnected" on my 3 workstations.
  20. gfunkdave

    gfunkdave LI Guru Member

    I tried to do this, and it only seems to work halfway. I'm running Toastman 1.28.0501 MIPSR2Toastman-RT-N K26 USB VPN on an RT-N66U.

    As far as I can tell, the 6to4 tunnel is established. My laptop gets an ipv6 address. The routing table on the router under Advanced-Routing shows a lot of IPv6 entries. I can look up IPv6 hosts in DNS. I just can't ping anything or connect to anything. The test-ipv6.com site says I don't have IPv6.

    I can ping ipv6.google.com, and it looks up the address, but can't ping:
    C:\Users\david>ping ipv6.google.com
    Pinging ipv6.l.google.com [2607:f8b0:4006:800::1012] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 2607:f8b0:4006:800::1012:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    I have MTU set to 1280 in Tomato, and also in the TunnelBroker advanced settings.

    Any ideas?
  21. gfunkdave

    gfunkdave LI Guru Member

    Update: Fixed it...mostly. Appears there was something wrong with HE. When I created a new tunnel with a different location, it works. But now, the test-ipv6.com website tells me the things below. But if I go to a command prompt and type nslookup -q=AAAA ipv6.test-ipv6.com, it works. If I ping ipv6.test-ipv6.com, it says that ping can't find the host (DNS failure). What's going on? Thanks!

    A lookup for an IPv6-only name failed; yet the lookup and connect for dual-stack connected via IPv6. Something appears to be confused with the DNS lookups.
    IPv6 connections work, but connections using DNS names do not use IPv6. For some reason, your browser or your OS is not doing IPv6 DNS 'AAAA' lookups. [more info]
  22. gfunkdave

    gfunkdave LI Guru Member

    ...and now it's working fine. I had to reboot. :D
  23. Bird333

    Bird333 Network Guru Member

    Can someone explain what this service is for? Is this just to use IP6 addresses?
  24. gfunkdave

    gfunkdave LI Guru Member

    Yeah. At this point I think it's mostly for nerd cred. I am unaware of anything of consequence on IPv6 that's not also on v4.
  25. Bird333

    Bird333 Network Guru Member

    So do you have to use a service to go IP6?
  26. gfunkdave

    gfunkdave LI Guru Member

    Yes, that's what Tunnelbroker is. It's free.
  27. stcbus

    stcbus Serious Server Member

    Has anyone figured out how to do routed subnets or vlans with your /48? I can't figure out how to divide it up and enable it for other LANs.
  28. VirtualLarry

    VirtualLarry Serious Server Member

    Thank you, OP, for this guide! I was just reading about Comcast's IPv6 rollout (I'm on Verizon FIOS), and I wanted to have some IPv6 fun. I signed up for a Tunnel at HE, and input the info into my router, an E2500 running Shibby Tomato 1.08.

    The PC that is wired to that router, shows 9/10 on test-ipv6.com . No problems. (Did have to re-boot to enable it, it seemed.)

    But I have some other desktops in the other room, that are connected via an identical router, running in WEB mode. On my main desktop, I get IPv4 connectivity just fine, but test-ipv6.com gives me 0/10. "No IPv6 address detected".

    An IPCONFIG /ALL, shows
    IPv6 Address: (my HE prefix, plus my address)
    Temporary IPv6 Address: (my HE prefix, plus a different address)
    Link-Local IPv6 Address: fe80:: (some address)

    The default gateway shows an fe80:: address too. Should that show my HE prefix?

    Edit: The "Tunnel adapter Teredo Tunneling Pseudo-Interface" shows
    IPv6 Address: 2001:0: xxx (NOT my HE prefix)
    Default Gateway: fe80:: xxx

    >ping -6 www.google.com

    Pinging www.google.com [2607:f8b0:400c:c01::93] with 32 bytes of data:
    Destination host unreachable.
    Destination host unreachable.
    Destination host unreachable.
    Request timed out.

    Ping statistics for 2607:f8b0:400c:c01::93:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    >tracert -6 www.google.com

    Tracing route to www.google.com [2607:f8b0:400c:c01::93]
    over a maximum of 30 hops:

    1 Destination host unreachable.

    Trace complete.

    So IPv6 DNS is working? But not transit?
  29. koitsu

    koitsu Network Guru Member

    If you're a Comcast customer, you (more than likely) get native IPv6 (some areas don't have it yet, but most do). I strongly suggest giving native IPv6 a try and get rid of the tunnel broker nonsense. I don't know if Shibby 1.08 has this fix in place, but Toastman's most recent build (released a few days ago) does (meaning you don't need the workaround):

  30. VirtualLarry

    VirtualLarry Serious Server Member

    These are some replies I got at a different forum. Apparently, passing IPv6 over a wireless bridge, is a non-trivial problem, and they have an RFC for a proxy spec for it.

  31. Daky

    Daky Network Guru Member

    Thanks for tutorial.

    I am having issues with Windows 8.

    For some reason, i am unable to ping anything, where with Windows 7 i am having no issues.

    I contacted HE, but, they say that they are unable to provide me much support since they are Linux ppl.

    Any1 else having issues with Windows 8 ?

    Windows 7:

    Pinging ipv6.l.google.com [2607:f8b0:4009:802::1013] with 32 bytes of data:
    Reply from 2607:f8b0:4009:802::1013: time=24ms
    Reply from 2607:f8b0:4009:802::1013: time=23ms
    Reply from 2607:f8b0:4009:802::1013: time=22ms
    Reply from 2607:f8b0:4009:802::1013: time=22ms

    Windows 8:

    Pinging ipv6.l.google.com [2607:f8b0:4009:802::1013] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 2607:f8b0:4009:802::1013:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    When i go to: http://test-ipv6.com/ it gives me 10/10 on both Windows OS's.

    Also, when i do tracert from Windows 8, it times out.

    Please help :)
  32. philess

    philess Networkin' Nut Member


    I don't have any Windows 8 box at hand to test it myself. Good luck.
    Alternatively you can try a different ping program, for example fping.
    Also don't forget to check your Windows firewall settings, turn it off temporarily.
  33. Daky

    Daky Network Guru Member


    Thanks for responding.

    Firewall is completely disabled (service), so, i don't think it should be an issue here.

    C:\Windows\system32>ping -6 google.com

    Pinging google.com [2607:f8b0:4009:804::1003] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 2607:f8b0:4009:804::1003:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\Windows\system32>nslookup google.com
    Server: home.router

    Non-authoritative answer:
    Name: google.com
    Addresses: 2607:f8b0:4009:804::1003

    Fast pinger version 3.00
    (c) Wouter Dhondt (http://www.kwakkelflap.com)

    Pinging 2607:f8b0:4009:804::1003 with 32 bytes of data every 1000 ms:

    2607:f8b0:4009:804::1003: request timed out
    2607:f8b0:4009:804::1003: request timed out
    2607:f8b0:4009:804::1003: request timed out
    2607:f8b0:4009:804::1003: request timed out

    Ping statistics for 2607:f8b0:4009:804::1003:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
    Approximate round trip times in milli-seconds:
    Minimum = 0.0 ms, Maximum = 0.0 ms, Average = 0.0 ms

    Please advise
  34. philess

    philess Networkin' Nut Member

  35. Daky

    Daky Network Guru Member

    That didn't help :\

    No problem, I'll get back to google :)
  36. kyrios

    kyrios Serious Server Member

    My ISP gave a specific proxy IPv4:port for their customers' need of IPv6.

    Non-customers (worldwide users) can't use this proxy. Instead, my ISP provides a tunnel for others (different IPv4 with user/pass).

    So the best is to use the proxy for me instead of the tunnel, right? How do I implement it into Tomato?
    So I do not have to write proxy info into browser/etc.
    Using WAN-Up script? But how?
  37. philess

    philess Networkin' Nut Member

    If i understand you correctly, you need to install a proxy daemon on Tomato.
    Google for squid proxy for example, or just search the forum here. You are
    a bit off topic. Proxy has nothing really to do with ipv6 setup.
  38. kyrios

    kyrios Serious Server Member

    @philess: which one is better for me? proxy or tunnel?

    OK, I have experience with entware.
    If proxy is better than tunnel (in my case), what proxy I shall install?
    rtpproxy, tinyproxy, ziproxy, microproxy, 3proxy, or other?

    EDIT: Got the answer.
    Tunnel is much better than Proxy.

    Proxy: only for TCP based application.
    Tunnel: support any application. Unicast, multicast, tcp based, udp based, non-tcp/non-udp.
  39. philess

    philess Networkin' Nut Member

    It is not a question of better or worse. You said your ISP is giving you a proxy port.
    I think you are having trouble understanding this.

    Can you give me a link to your ISP's website with a description of this?
  40. kyrios

    kyrios Serious Server Member

    This is my ISP tunnel.
    There is also FAQ on that site.

    BTW, I have tried everything and I can't use / find a way to implement it into Tomato 9013 R1.1n.
    Also have tried combination Tunnel MTU from 0, 1472, and 1480.
    I used Google DNS IPV6 in DNS column.
  41. philess

    philess Networkin' Nut Member

    Well that FAQ does only cover very little about using "IPv6 over TCP". Ignore
    everything about proxy or OpenVPN as they mention it.

    It may not be possible at the moment to use that IPv6 service with multiple computers (or from the router).

    I cannot see what exact data they give you because it requires logging in as a customer.
    In the video FAQ, http://rdc-v6.telkom.co.id/tunnel/winXP_ipv6_udp_tunnel/, they briefly
    show the menu after logging in. "IPv6 over TCP Tunnel" that is what you have to activate.
    I assume after doing so, the page will show more details.

    Have you tried connecting your computer to their IPv6 service following their FAQ etc?

    If all else fails, just give up on that provider's IPv6 and use HE Tunnelbroker instead.
  42. cyclonechuah

    cyclonechuah Reformed Router Member

    hello, i am a newly registered user who is trying to configure my modem to use ipv6, but i am wondering why i am unable to view attachments in the threads.
  43. Cyberian75

    Cyberian75 Network Guru Member

    DDNS updates are failing all of a sudden -- even with DNS-o-Matic.

    Anybody else?
  44. Matt Wilson

    Matt Wilson Reformed Router Member

    What DDNS service are you using? Hard to figure out if anyone is having the same problem if we don't even know if we have the same service
  45. Cyberian75

    Cyberian75 Network Guru Member

    Uhh, the Built-in DDNS.
  46. Cyberian75

    Cyberian75 Network Guru Member

    Had to use the "update key" under Advanced tab on Tunnel Broker instead of my password.
    Rick Hansen likes this.
  47. Huey

    Huey Networkin' Nut Member

    DNScrypt uses I think OpenDNS servers. Anyway if you add in the ipv6 Static DNS their ipv6 DNS servers: 2620:0:ccc::2 and 2620:0:ccd::2 you should get 10 out of 10 again.
    Last edited: Oct 6, 2014
  48. Fairfaxed

    Fairfaxed New Member Member

    Do the latest Linksys modems use IPv6 or do you have to do this for it to work?
    Last edited: Apr 1, 2016
  49. gfunkdave

    gfunkdave LI Guru Member

    Just about all hardware made in the last few years supports IPv6. The issue is whether your ISP supports it. If not, you need something like the HE Tunnelbroker service to access IPv6 networks. Else you can do it natively through your ISP.
