Setting Up an IPv6 Tunnel Through Hurricane Electric

It's 2012, and ISPs are still slow to adopt IPv6. It seems like very few of us can say that we have globally-accessible IPv6 addresses. doesn't even have an IPv6 address yet... and that makes me a very sad panda. But there is something I can do about it right now, without the help of my ISP.

If you have a Cisco router, I can show you how to create an IPv6 tunnel that will have you dual-stacked and on the IPv6 Internet in no time! This article assumes that you cannot use native IPv6 out to the Internet, and that you already have the router properly set up and in use in an IPv4 network.

The router I will use in this example is a 2621XM; I bought it for $150 on eBay. It has two FastEthernet ports. It was manufactured in 1999. So any model at least as recent as that should be able to handle this just fine. I do IPv4 NAT between the two FE ports so that the rest of my home network served by my AT&T U-Verse Residential Gateway stays separate from my lab network, but the lab still has to go through the U-Verse gateway to reach the Internet. (U-Verse claims that they'll push an IPv6 firmware upgrade out automatically to all their customers sometime in 2012, but I'll believe it when I see it.)

Cisco 2621XM. *There's still some juice left in this crusty old thing*

For this to work for me, I needed to configure my U-Verse Gateway to put my Cisco router in "DMZ+" mode, and allow the outside interface of my Cisco router to receive a DHCP address. This allows my U-Verse gateway to assign my router the same public IPv4 address as itself, and forward all unspecified traffic to it.

We’re going to utilize the free service at Hurricane Electric for this. Follow that link and sign up. It’s their "Tunnel Broker" service that you’re after. After a short quiz, they will give you your very own IPv6 tunnel and your very own IPv6 address space! For free!

All you need to do now is configure your router. If you've never used Cisco IOS, these commands might look weird to you. "enable" enters "enable" mode, which gives us privileged access so that we can make configuration changes to the router. "conf t" is shorthand for "configure terminal", meaning "I wish to make configuration changes to this router from the terminal."

Router>enable
Router#conf t
Router(config)#ipv6 unicast-routing
Router(config)#end
Router#copy run start

At this point you have enabled IPv6 routing globally on your router. "Copy run start" is shorthand for "copy the running configuration to the startup configuration, effectively making these changes permanent."

Next, create a tunnel on your router like this:

Router#conf t
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ! Use your side of the tunnel endpoint that Hurricane Electric gave you
 ipv6 address 2001:470:1f0e:5a4::2/64
 ! Replace the two placeholders below with your own addresses
 tunnel source <your public IPv4 address>
 tunnel destination <Hurricane Electric's IPv4 endpoint for this tunnel>
 tunnel mode ipv6ip
 exit
! Default IPv6 route: send all IPv6 traffic through the tunnel
ipv6 route ::/0 Tunnel0
end

And you’re pretty much done! Configure your clients with an IPv6 address in that space, and you now have IPv6 connectivity all the way to the Internet. Google has a public DNS server at 2001:4860:4860::8888. Test out your tunnel by trying to ping that address. Remember that IPv6 and IPv4 are quite different. There is no NAT in IPv6. (Let's not talk about NAT64 yet.) Internet communication is the way it was truly meant to be – end to end. That also means the need to protect yourself with firewalls will become more important than ever, since you can’t hide behind a NAT anymore!
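Because every client behind the tunnel now has a globally reachable address, an inbound filter on Tunnel0 has to do the job NAT used to do by accident. The following is an added example, not part of the original article: it assumes an IOS image with IPv6 ACL support including reflexive entries, and the ACL names V6-TUNNEL-OUT, V6-TUNNEL-IN and V6-RETURN are made up for illustration.

```cisco
! Added example; the ACL names are hypothetical.
! Assumes IPv6 ACL support with reflexive entries (reflect / evaluate).
!
! Outbound: inside hosts may open TCP and UDP sessions; each one is
! recorded in the temporary list V6-RETURN.
ipv6 access-list V6-TUNNEL-OUT
 permit tcp any any reflect V6-RETURN
 permit udp any any reflect V6-RETURN
 permit icmp any any
!
! Inbound: only return traffic for recorded sessions, plus the ICMPv6
! messages needed for error reporting. packet-too-big matters here
! because the tunnel's 20-byte IPv4 header lowers the path MTU.
ipv6 access-list V6-TUNNEL-IN
 evaluate V6-RETURN
 permit icmp any any packet-too-big
 permit icmp any any destination-unreachable
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any echo-reply
 deny ipv6 any any log
!
interface Tunnel0
 ipv6 traffic-filter V6-TUNNEL-OUT out
 ipv6 traffic-filter V6-TUNNEL-IN in
```

After applying it, `show ipv6 access-list` lists the entries with their match counts, so you can see what the final deny line is catching.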

Now you can surf the web with a “dual-stack,” meaning that you’re running both IPv4 and IPv6 — and your IPv4 packets will take their normal route, while your IPv6 packets will be diverted through your new tunnel. Seamlessly. Pretty neat huh? Try to ping and see what happens!

I guess that’ll have to do until ISPs catch up with IPv6 technology.
