
@CHTJonas
Last active April 26, 2022 00:49
Tunnelbroker config for UniFi Security Gateway
{
  "interfaces": {
    "tunnel": {
      "tun0": {
        "address": [
          "YOUR-ALLOCATED-IPV6-PREFIX-FROM-TUNNELBROKER"
        ],
        "description": "Tunnelbroker IPv6 Tunnel",
        "encapsulation": "sit",
        "firewall": {
          "in": {
            "ipv6-name": "WANv6_IN"
          },
          "local": {
            "ipv6-name": "WANv6_LOCAL"
          },
          "out": {
            "ipv6-name": "WANv6_OUT"
          }
        },
        "local-ip": "YOUR-ROUTER-PUBLIC-IPV4-ADDRESS",
        "multicast": "disable",
        "remote-ip": "YOUR-TUNNELBROKER-REMOTE-IPV4-ADDRESS",
        "ttl": "255"
      }
    }
  },
  "protocols": {
    "static": {
      "interface-route6": {
        "::/0": {
          "next-hop-interface": {
            "tun0": "''"
          }
        }
      }
    }
  }
}

UniFi Tunnelbroker Configuration

This GitHub Gist details the manual configuration needed on a UniFi controller to enable IPv6 tunneling with Hurricane Electric's Tunnelbroker service.

Setup

This is what works for me personally. Stuff you'll need to do to adapt this to your ends:

  • Replace "local-ip" with your USG's public IPv4 address.
  • Replace "remote-ip" with the address of your Tunnelbroker tunnel server.
  • Replace "address" with the IPv6 address that you are allocated.

Installation

Follow these instructions and drop your config.gateway.json file in the correct location e.g. /usr/lib/unifi/data/sites/$NAME/.

@rekarc

rekarc commented Feb 5, 2021

What version of the Controller did you get this working on?
Did you find that other firewall rules stopped working? (specifically those accepting ICMP packets)

@CHTJonas
Author

CHTJonas commented Feb 7, 2021

What version of the Controller did you get this working on?

Goodness, I'm afraid this was so long ago that I can't remember! I no longer use this config as it was far too fragile coding an address when my home IP was dynamic. I doubt Ubiquiti have changed the JSON config format though so I'd be surprised if this didn't still work with the latest version of the controller software.

Did you find that other firewall rules stopped working? (specifically those accepting ICMP packets)

I do remember that you have to add firewall rules to explicitly accept ICMP and ICMPv6 packets as the UniFi gateway products block them by default. I don't remember for sure whether the above config interferes with those rules but again I'd be surprised.

@CHTJonas
Author

CHTJonas commented Apr 1, 2021

how exactly do you now use a tunnel with a USG if you have a dynamic ipv4 address?

It's a bit tricky. I had to update the config manually whenever my IPv4 address changed which was thankfully not that often. I imagine it would be possible to automate this (maybe a crontab running on the controller that does sed -i on the JSON file and then hits up the API URLs to force AP reprovisions?) but it would be a massive hack.

You also need to make sure the IP address is updated at the Tunnelbroker side which is easy enough to do using curl in a crontab.
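The automation sketched in the comment above (a cron job that patches config.gateway.json when the public IPv4 changes), as an added example that is neither the gist's nor the commenters' code: it edits the file through a JSON parser instead of sed so the surrounding structure cannot be corrupted, rejects addresses that could never be a tunnel endpoint before writing anything, replaces the file atomically, and reports whether the value actually changed so that the reprovision and the Tunnelbroker-side update are only triggered when needed. The sample config and every address in it are constructed (documentation ranges); the file path and the way you obtain the current public address are left to the caller.

```python
"""Added example (not from the gist): keep "local-ip" in config.gateway.json
in sync with the USG's current public IPv4 address, for use from a crontab."""
import ipaddress
import json
import os
import sys
import tempfile

# Constructed stand-in for the gist's config; all addresses are documentation ranges.
SAMPLE_CONFIG = json.dumps({"interfaces": {"tunnel": {"tun0": {
    "address": ["2001:db8:1234::2/64"], "encapsulation": "sit",
    "local-ip": "192.0.2.10", "remote-ip": "192.0.2.1", "ttl": "255"}}}}, indent=4)


def is_usable_ipv4(text: str) -> bool:
    """Accept only a syntactically valid IPv4 address that could be a tunnel endpoint."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified or addr.is_reserved)


def rewritten_config(text: str, new_ip: str) -> tuple:
    """Return (new_text, changed). Parses the JSON instead of sed-ing it so the
    rest of the file is preserved; refuses to write an unusable address."""
    if not is_usable_ipv4(new_ip):
        raise ValueError(f"refusing to write {new_ip!r} as local-ip")
    cfg = json.loads(text)
    tun0 = cfg["interfaces"]["tunnel"]["tun0"]
    if tun0.get("local-ip") == new_ip:
        return text, False  # nothing to do: no reprovision needed
    tun0["local-ip"] = new_ip
    return json.dumps(cfg, indent=4) + "\n", True


def update_file(path: str, new_ip: str) -> bool:
    """Rewrite the file atomically so the controller never reads a partial file."""
    with open(path) as f:
        new_text, changed = rewritten_config(f.read(), new_ip)
    if changed:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cgj-")
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        os.replace(tmp, path)
    return changed


if __name__ == "__main__":
    # usage: update_local_ip.py /path/to/config.gateway.json <current-public-ipv4>
    if update_file(sys.argv[1], sys.argv[2]):
        print("local-ip changed; reprovision the USG and update Tunnelbroker")
```

The script's exit status and output are what a cron job keys the follow-up steps on: only when it reports a change is there any point in forcing a reprovision or pushing the new address to Tunnelbroker.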
