6to4 tunnel with tunnelbroker.com

RouterOS General
1

Hello everyone,

I just wanted to share some experiences regarding the usage of IPv6 on my R450G router. Please excuse any technical errors, since I am farely new to Mikrotik and to using IPv6.

I registered lately an account at http://www.tunnelbroker.com, a website offering free 6to4 tunnels. The service is operated by Hurricane Electric, which claims to be the largest IPv6 traffic provider. Of course the goal of the free offering is to attrack paying customers. But at least it is a standardized mechanism, which does not require obscure client software like http://www.sixxs.net does.

With a few clicks one can get a working 6to4 tunnel with its own /64 or /48 (routable!!!) IPv6 network prefix. The website also provides some basic commands to get an 6to4 tunnel working on the Mikrotik plattform.

/interface 6to4 add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=78.53.216.104 mtu=1280 name=sixbone remote-address=216.66.80.30
/ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f0a:9bc::1 scope=30 target-scope=10
/ipv6 address add address=2001:470:1f0a:9bc::2/64 advertise=yes disabled=no eui-64=no interface=sixbone

These commands will leave you with a working tunnel. Unfortunately you will not be able to use it from any client computer connected to your Mikrotik box right away. Instead you need to advertise a routable IPv6 network prefix on the link your PC is connected first. The following code does the trick:

/ipv6 address add address=2001:470:9909:1:20c:42ff:fe52:941/64 advertise=yes comment="" disabled=no eui-64=yes interface=ether2-local

Now you will be able to browse the IPv6 enabled part of the internet. At least until your public IPv4 address changes like mine does due to a forced disconnect from my ADSL provider. The problem here is, that both endpoints of a 6to4 tunnel do need to know their own public IP address as well as the one of the remote site. So you need to update for local configuration on the Mikrotik router as well as the remote site everytime your public IPv4 address changes. Luckily tunnelbroker.com offers a http based API for making your public IPv4 address known to the remote site.

Please use the format > https://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$IPV4ADDR&pass=$MD5PASS&user_id=$USERID&tunnel_id=$GTUNID
Where:

$IPV4ADDR = The new IPv4 Endpoint (AUTO to use the requesting client’s IP address)
$MD5PASS = The MD5 Hash of your password
$USERID = The UserID from the main page of the tunnelbroker (not your username)
$GTUNID = The Global Tunnel ID from the tunnel_details page

This does look just perfect for automation. Since the webpage does not require https, the fetch tool of the Mikrotik OS does the job. So to get IPv6 working after each ADSL reconnect, I wrote myself a little script. I based it partially on the DynDNS Update Script, which I found in the wiki.

# 6in4 tunnel endpoint update script
# for use with tunnelbroker.com (Hurricane Electric)
# by r@n

# Define User Variables
# Change to the IPv4 interface, which is to be used as tunnel endpoint
:global pubinterface "Alice"

# User ID for tunnelbroker.com (NOT USERNAME!!!)
:global userid "?????????????????"

# Password for tunnelbroker.com as MD5 hash
# Note: Use a generator which does not add a newline to your password!
# This one works fine for me: http://www.miraclesalad.com/webtools/md5.php
:global md5passwd "????????????????"

# Globally unique ID for your tunnel within the tunnelbroker.com plattform
:global gtunnelid "?????"

# DO NOT CHANGE THIS SCRIPT BELOW THIS LINE !!!

# Grab the current IP address on that interface.
:global pubip [ /ip address get [/ip address find interface=$pubinterface ] address ]

# Trim public IP (assumes the subnetmask is larger than 9 bits)
:local tmp ([:len $pubip] - 3)
:set pubip [pick $pubip 0 $tmp]

# Remember last public IP (set at the end of this script, but remains in memory)
:global lastheip
:if ([ :typeof $lastheip ] = nil ) do={ :global lastheip "0" }

:if ($pubip != $lastheip) do={
   :log info "HE: Updating 6in4 tunnel ..."
   
# Update local endpoint IP address on remote site
   :global host "ipv4.tunnelbroker.net"
   :global url "http://ipv4.tunnelbroker.net/ipv4_end.php?ipv4b=$pubip&pass=$md5passwd&user_id=$userid&tunnel_id=$gtunnelid"
   
   /tool fetch url=$url host=$host
   
# Update local endpoint IP address in local configuration
   /interface 6to4 set sixbone disabled=yes
   /interface 6to4 set sixbone disabled=no local-address=[:toip $pubip] 
   
# Advertise IPv6 once more
   :local tmp2 [/ipv6 address find address="2001:470:9909:1:20c:42ff:fe52:941/64"]
   /ipv6 address set $tmp2 advertise=no
   /ipv6 address set $tmp2 advertise=yes

# Refresh default route
   /ipv6 route remove [/ipv6 route find dst-address="2000::/3"]
   /ipv6 route add comment="" disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:1f0a:9bc::1 scope=30 target-scope=10
   
   :log info "Update tunnel endpoint complete. $url"
   
   :set lastheip $pubip
} else={
   :log info "HE: No tunnel update needed."
}

It took me about 3 hours to put this script together, but it actually works!!! And yes, I am aware that it is not pretty. Two things I find especially annoying:
1.) I have to advertise my routable IPv6 network prefix again by disabling and re-enabling it on the interface linked to my PC. Otherwise my win7 box won’t notice the public IPv6 addresses on that link. (Auto-discovery)
2.) I have to delete and re-add the default IPv6 route again. Without this hack, I am not able to reach any IPv6 address besides my Mikrotik router.
Does anybody have a clue what I may be doing wrong here?

I would also like to hear about your encounters with the “new” internet protocoll. Does somebody here operate a larger IPv6 network?

Greetings from Germany,
Rabbit@Net

Now IPv6 enabled (sort of)

2

Nice. You may want to edit the script to make the connection parameters (username, password, hash, tunnel ID) local instead of global. There’s no benefit to them being global, and global variables can be seen by other scripts and users.

3

I’m having trouble with this. I’ve signed up for a tunnel with Hurricane Electric, and the instructions in the first post in this thread, the instructions HE’s tunnelbroker will autogenerate and those in the My First IPv6 Network in the wiki do seem to match. However, I can’t get past step one, i.e. get the tunnel up. Here’s what I have:

/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" disabled=no local-address=97.78.xxx.xxx mtu=1280 \
    name=sit1 remote-address=209.51.161.58
/ipv6 route
add comment=" " disabled=no distance=1 dst-address=2000::/3 gateway=2001:470:4:33f::1 scope=30 \
    target-scope=10
/ipv6 address
add address=2001:470:4:33f::2/64 advertise=yes comment="" disabled=no eui-64=no interface=sit1

I can ping the local IPv6 end of the tunnel, and I can ping the remote (209.51.161.58) end of the IPv4 tunnel. My endpoint/local address is correct, matching that on the HE tunnelbroker site. The tunnel however doesn’t appear to be up, and I can’t ping 2001:470:4:33f::1, the HE end of the tunnel. I’ve tried disabling the firewall, rebooted, but no joy. Since I’ve had the Mikrotik router for about six hours now, I’m stumped. It’s an RB750G, ROS 4.10, firmware 2.26.
(This may or may not be related to a separate issue, where I have assigned an IPv6 address to the LAN interface, but the machines on the LAN do not appear to receive RAs, and consequently never get addresses. An RA never making it over the tunnel either could conceivably be a problem?)

/ipv6 nd
add advertise-dns=no advertise-mac-address=yes disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no ra-delay=3s ra-interval=\
    3m20s-10m ra-lifetime=30m reachable-time=unspecified retransmit-interval=unspecified

Any advice and troubleshooting steps would be appreciated!

4

There are some wiki examples for this. One is here:

http://wiki.mikrotik.com/wiki/Setting_up_an_IPv6_tunnel_via_a_tunnel_broker

That describes the basics that you need to get the tunnel up and running.

Kind regards

Andrew

5

Here is a script I wrote awhile back to do this also: http://wiki.mikrotik.com/wiki/Hurricane_Electric_IPv6_Tunnel_-_IPv4_Endpoint_updater

6

Hey man, I had a problem with this script on my mikrotik.

When I run this script i receive this error :


21:54:03 script,info -ERROR: This tunnel is already associated with this IP address. Please try to limit your updates to IP changes.


testing i see the problem is when I try to get the address of the endpoint on my system :

[admin@] /ipv6> /interface 6to4
[admin@] /interface 6to4> print 
Flags: X - disabled, R - running 
 #    NAME                                  MTU LOCAL-ADDRESS   REMOTE-ADDRESS 
 0  R ;;; Hurricane Electric IPv6 Tunnel Broker
      sit1                                 1280 XXX.XXX.XXX.XXX   XXX.XXX.XXX.XXX    
[admin@] /interface 6to4> get (sit1) local-address
[admin@] /interface 6to4> 
[admin@] /interface 6to4> get (sit1) LOCAL-ADDRESS
input does not match any value of value-name
[admin@] /interface 6to4>

Ps: solved today with a new creation of this script.

7

HE changed their update scheme to always use API key, so I’ve updated the original script.
Also, it uses https now !

Code quality: works for me :smiley:

Original: http://wiki.mikrotik.com/wiki/Hurricane_Electric_IPv6_Tunnel_-_IPv4_Endpoint_updater
Updated: https://gist.github.com/horzadome/8e5d99d84525ad8a8ccf
You can fetch it directly from https://gist.githubusercontent.com/horzadome/8e5d99d84525ad8a8ccf/raw/ed324786b5fc8f113edab6c7b1ed8e0347c4b244/gistfile1.txt

And here’s the source code:

# Update Hurricane Electric IPv6 Tunnel Client IPv4 address
# This is an upgrade to an existing script from
# http://wiki.mikrotik.com/wiki/Hurricane_Electric_IPv6_Tunnel_-_IPv4_Endpoint_updater
# API call format:
# https://#USERNAME:$API_KEY@ipv4.tunnelbroker.net/nic/update?username=$USERNAME&password=$API_KEY&hostname=$TUNNEL_ID
# ----------------------------------
# Modify the following to match your parameters
# ----------------------------------

# Router's WAN interface name
:local WANinterface "ppoe-1"

# Router's 6to4 interface name
:local HEtunnelinterface "sit1"

# Your username - you use it to log in at https://tunnelbroker.net
:local HEuserid "NAME"

# Tunnel ID (not name) as written in your tunnel's details at https://tunnelbroker.net
:local HEtunnelid "00000"

# Your Update Key for this tunnel, as written in the "Advanced" tab on tunnel details page
:local HEkey "AAAAAAAAAAAAAA"

# ----------------------------------
# STOP modifying here
# ----------------------------------
# Internal processing below...
# ----------------------------------
:local HEupdatehost "ipv4.tunnelbroker.net"
:local HEupdatepath "/nic/update?"
:local outputfile ("HE-" . $HEtunnelid . ".txt")
:local HEipv4addr

# Get WAN interface IP address
:set HEipv4addr [/ip address get [/ip address find interface=$WANinterface] address]
:set HEipv4addr [:pick [:tostr $HEipv4addr] 0 [:find [:tostr $HEipv4addr] "/"]]

:if ([:len $HEipv4addr] = 0) do={
   :log error ("Could not get IP for interface " . $WANinterface)
   :error ("Could not get IP for interface " . $WANinterface)
}

# Update the HEtunnelinterface with WAN IP
/interface 6to4 {
    :if ([get ($HEtunnelinterface) local-address] != $HEipv4addr) do={
        :log info ("Updating IPv6 Tunnel " . $HEtunnelid . " Client IPv4 address to new IP " . $HEipv4addr . "...")
        disable $HEtunnelinterface

        /tool fetch mode=https host=($HEupdatehost) url=("https://" . $HEuserid . ":" . $HEkey . "@" . $HEupdatehost . $HEupdatepath . "&username=" . $HEuserid . "&pass=" . $HEkey . "&hostname=" . $HEtunnelid) dst-path=($outputfile)

        # Change the client IPv4 address
        set ($HEtunnelinterface) local-address=$HEipv4addr

        # I like to make a little pause before enabling the interface
        /delay 3
        
        # Enable the IPv6 interface
        enable $HEtunnelinterface 

        # Append the file to log for review
        :log info ([/file get ($outputfile) contents])
        
        # Clean up after ourselves
        /file remove ($outputfile)
        
    } else={
        # If client's IPv4 didn't change at all, put it in the log so that we know the script is working
        :log info ("Updating " . $HEtunnelinterface . " No change, IP is still " . $HEipv4addr )
    }   
}
8

horza, I found your script not working under 6.31
script stops running at the /tool fetch command, and this command isn’t executed (there is no file HE-.txt created)

I’m reproduced this command by hand at the command prompt and found that the RouterOS blames about “?” sign in the url= parameter. I tried to escape “?” with "" sign - this takes no sence. There is only one way to run this command by the proper way - enclose the url= value in double quotes - e. g. url=“https://:…”

but my poor experience in scripting prevents me from update your script.