This blog post is part of a series on ipv6. In part 1, I provided an overview of ipv6 and looked at Teredo, the technology built into Windows Vista; in part 2, I looked at AYIYA tunnels through aiccu, using sixxs net as a tunnel broker. Part 2.5 is a collection of useful ipv6 tidbits, and part 3 describes gogonet/freenet6 tunnels.
In part 4, I will describe the IPv6 tunnel I have been using all along since 2008: A Hurricane Electric 6in4 tunnel, typically terminating on a router, though it could be terminated on a PC, as well. I aim to break part 4 into chunks, each describing setup for a different make and model of router.
Provisioning of the tunnel
Make sure the router you will be using allows itself to be pinged from either “the Internet”, or at the least from HE’s server, currently66.220.2.74.
Sign up with Hurricane’s Electric tunnelbroker.net service.
Once signed in, under “user functions”, choose “Create Regular Tunnel”.
Enter the IPv4 endpoint, and hit “Submit”. If you are a home user, your IPv4 endpoint is the public IP your ISP assigned to you, see whatismyip.org.
And you are done. Helpfully, the tunnel details page also allows you to get sample configurations for a variety of PC and router operating systems, including Linux, Windows, Cisco IOS, Juniper JunOS and Juniper ScreenOS.
Updating your dynamic IPv4 address
If you are in a home environment, your public IPv4 address may change from time to time. You can update it from the tunnel details page, or you can use tunnelbroker.net’s ipv4 update page that is intended to be used from a script, for automatic updates.
Routers supporting 6in4 tunnels
Whether enterprise class or home router, here are some of the devices that support 6to4 with 6in4 tunnels today (February 2010). On the home router side, it’s clear that it is early days yet. Comcast’s ipv6 trials may change the competitive landscape here.
Juniper
Any SSG or ISG firewall running ScreenOS 6.0.0 or later, as well as (with some limitations) Netscreen firewalls on ScreenOS 5.4.0. Part 4.1 describes the setup.
Any JunOS router – J-Series, M-Series, E-Series, T-Series, &c. All the way back to JunOS 9.1 if need be.
Any SRX firewall, with the caveat that SRX does not yet support ipv6 firewalling as of JunOS 10.1, though it does support ipv6 tunneling and routing.
EX switches do not support ipv6 tunnels yet, though the feature is road-mapped.
Cisco
It’s the usual mess of IOS versions depending on model, paired with feature set. A very Cisco-savvy fellow over at the HE forums has an excellent breakdown. In a nutshell, IOS 12.4 or later should work, and you’ll need the right feature set.
Switch support for IPv6 is good. You’ll need to check model / IOS version / feature set here, too.
Apple
Apple Airport Extreme supports 6to4, and a one-click tunnel provisioning, too. This is the only home router that I’d be confident to use for IPv6 today, without needing to fear that a firmware update would break IPv6. Mainly because a firmware update did break IPv6, and Apple fixed it in v1.5. For this router, IPv6 is an officially supported feature.
[Update 2010-04-28] Comcast will use this router in their IPv6 dual-stack trials, as one of three choices.
Netgear
Comcast will use the Netgear WNR3500 and Netgear WNR1000 in their IPv6 dual-stack trials. Whether these routers support 6in4 tunnels is unknown to me at this point.
D-Link
[Update 2011-08-03: D-Link have updated their site with a list of devices supporting native IPv6] According to D-Link, the following router models support IPv6. Comcast are using the DIR-655 and DIR-825 in their native dualstack IPv6 trial.
D-Link IPv6 Certified Routers
- DIR-601 Wireless N 150 Home Router (Hardware Revision A1)
- DIR-615 Wireless N 300 Router (Hardware Revision E1)
- DIR-632 Wireless N 8-Port Router (Hardware Revision A1)
- DIR-655 Xtreme N Gigabit Router (Hardware Revision B1)
- DIR-825 Xtreme N Dual Band Gigabit Router (Hardware Revision B1)
- DHP-1320 Wireless N PowerLine Router (Hardware Revision A1)
Other IPv6 Certified Products
- DHP-W306AV PowerLine AV Wireless N Extender (Hardware Revision A1)
- DAP-1350 Wireless N Pocket Router and Access Point (Hardware Revision A1)
- DAP-1360 Wireless N Range Extender (Hardware Revision B1)
- DAP-2590 AirPremier N Dual Band PoE Access Point
D-Link state that their DSL modem routers, the DSL-2540B and DSL-2640B also support IPv6.
D-Link DGS-3200 and DGS-3600 switches officially support IPv6.
Linksys
WRT610N, with reports that firmware updates break ipv6 support and that Linksys support is firm that ipv6 is not an officially supported feature. More testing is in order here, too.
[Update] A Linksys live chat operator tells me that native IPv6 is supported on the WRT610N, and that there is no official documentation for this. No word on tunnels. I have reached out to their press office to get details and will update if/when I get an answer.
[Update] The Comcast trial forums float the WRVS4400N as supporting tunneled and native IPv6.
Buffalo Technology
A “number of” their wireless products support ipv6. I have reached out to their press office to get details and will update if/when I get an answer.
AVM
FRITZ!Box 7270 (experimental “Labor” version)
I have reached out to their press office to get details and will update if/when I get an answer.
Thorsten on (mostly) Tech 
Actually, HE’s tunnels are supported on the Netscreen 5GT using some versions of the 5.4 code. The configuration is nearly identical to the 6.x code tunnel config.
On an unrelated note, I have noticed many network-ready Brother printer/all-in-one devices have IPv6 configuration options in their menus. I haven’t run v6 on any though so no way to say how well it works.
Thank you for the feedback on Netscreen.
As for the Brother printers: It works completely seamlessly. I enabled IPv6 on my HL-2170W a while ago, for no good reason really. Your comment made me fire up wireshark and see what happens when I’m printing a test page – sure enough, as my printer port uses the name of the printer, this all goes over IPv6 by default, using the link-local fe80 address. The printer itself has a link-local address and an address provisioned to it by RA.
I’m handing out an IPv6 DNS server via the “O” flag and DHCPv6. I don’t know whether my Brother printer grabs that, or what it would use a DNS server for, anyway.
In a few hard-to-reach places, it is documented that Juniper put some IPv6 features in (one rev of) the 5XT code but I could never find the specific code rev information nor a copy of it to test with (even when asking very nicely of the JTAC).
The NS-5XT ended at ScreenOS 5.3.0. ScreenOS 5.3.0 did have ipv6 support, but experimental and “hidden” only, with the 5GT and ISG2000 being mentioned at the time for testing. You can install “latest 5.3.0” and see how it behaves.
There was also a ScreenOS 5.0-ipv6 specifically for the NS-5XT. Not having access to a 5XT, I can’t test any of these releases.
After much searching, I found 5.3.0r10b for the XT hoping it would have the IPv6 functionality in it. It doesn’t. Evidence of fail:
ns5xt-> set envar ipv6=yes
ipv6 not supported
When I glanced over the NS code download site, I didn’t see anything specific to a special code rev that supports IPv6 so it must be buried a bit on their site. Google cached copies of Juniper’s docs (from 2004) seem to imply it was 5.0 code with the addition of IPv6, not 5.3.
Yorickdowne,
Can you help me find this screenos 5.0-ipv6 version ?
Many thanks,
ron
I can help you find it, though I can’t provide it to you. Since it’s subject to Copyright.
Go to http://www.juniper.net. Choose Support as the top tab, then under “Download Software” click on “ScreenOS”. The platform is “NS-5xt”, and there’s the version you’re looking for.
To do this, you will need an account that has a software entitlement for the NS-5xt linked to it.
Yorick,
Found the files, will start testing soon….
I couldn’t find the NS-5XT ScreenOS 5.0-ipv6 firmware on Juniper website, can you please help me find this screenos 5.0-ipv6 for NS5XT? Many thanks
I’d open a JTAC case and ask for it. It’s long past EOL, but they may make it available to you on a goodwill basis.
An interesting discovery today. I was looking over printers at the local electronics chain and found some of the Canon all-in-ones have IPv6 in their configuration menu. The Canon MP560 and MP620 models have the option in their menus. Not sure of any other models.
I can hereby confirm that a D-Link 615 rev. D3 will NOT do ipv6, cannot do protocol forwarding (required for some tunnels) and slows down to snails pace when confronted with UPD traffic (used for freenet6 / ayiya tunnels). The dir-615 rev D is something you want to stay away from if you want ipv6. The rev. C version does do IPv6, but it was only sold in the US, and did have a fair amount of ipv6 related problems.
I can confirm the D-Link DIR-825 Rev B1 does IPv6. I have had one for some time now it’s a bit slow, but useable. The main thing is the phone Company’s ADSL hardware has no IPv6 support, so i have to use a tunnel.
Does anyone know if DIR-685 Rev. A2 supporting IPv6 is coming up?
@Sam: It’s not listed in D-Link’s blog post about v6 readiness. I’d check in with D-Link to see what their plans are.
Moving this comment which landed on the CDNAC post here instead:
raghavintrigue:
Hello, I saw your old posts about connecting to an ipv6 when behind a NAT in an ipv4 network. It’s still a situation like this at my university, and sadly all the services mentioned in those solutions are dead. Do you have any suggestions on how to go about this today?
Basically, the situation is that I have a home server that only has static ipv6 (ipv4 is behind NAT), so the only way to connect to it from outside local network is via ipv6. I need to access this from my university, which again is behind a NAT (so can’t use static tunnels) but since it only supports ipv4 and does not resolve or connect to ipv6, I need a way to connect to my home server.
Thanks in advance for any help. 🙂
If I get that right, your home network is behind CGNAT, Carrier Grade NAT, which means you cannot port-forward IPv4 on your home router. You have full v6 connectivity at home, via your ISP. Your university does not offer IPv6 connectivity.
If you use a Windows machine at U, and you have full admin access to it, you could try Teredo tunneling. There are multiple resources online on how to make that work with Win10. Your U might block Teredo tunnels, that’s a matter of testing.