Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Tunnelbroker config for UniFi Security Gateway
{
"interfaces": {
"tunnel": {
"tun0": {
"address": [
"YOUR-ALLOCATED-IPV6-PREFIX-FROM-TUNNELBROKER"
],
"description": "Tunnelbroker IPv6 Tunnel",
"encapsulation": "sit",
"firewall": {
"in": {
"ipv6-name": "WANv6_IN"
},
"local": {
"ipv6-name": "WANv6_LOCAL"
},
"out": {
"ipv6-name": "WANv6_OUT"
}
},
"local-ip": "YOUR-ROUTER-PUBLIC-IPV4-ADDRESS",
"multicast": "disable",
"remote-ip": "YOUR-TUNNELBROKER-REMOTE-IPV4-ADDRESS",
"ttl": "255"
}
}
},
"protocols": {
"static": {
"interface-route6": {
"::/0": {
"next-hop-interface": {
"tun0": "''"
}
}
}
}
}
}

UniFi Tunnelbroker Configuration

This GitHub Gist details the manual configuration needed on a UniFi controller to enable IPv6 tunneling with Hurricane Electric's Tunnelbroker service.

Setup

This is what works for me personally. Stuff you'll need to do to adapt this to your ends:

  • Replace "local-ip" with your USG's public IPv4 address.
  • Replace "remote-ip" with the address of your Tunnelbroker tunnel server.
  • Replace "address" with the IPv6 address that your are allocated.

Installation

Follow these instructions and drop your config.gateway.json file in the correct location e.g. /usr/lib/unifi/data/sites/$NAME/.

@rekarc
Copy link

rekarc commented Feb 5, 2021

What version of the Controller did you get this working on?
Did you find that other firewall rules stopped working? (specifically those accepting ICMP packets)

@CHTJonas
Copy link
Author

CHTJonas commented Feb 7, 2021

What version of the Controller did you get this working on?

Goodness, I'm afraid this was so long ago that I can't remember! I no longer use this config anymore as it was far too fragile coding an address when my home IP was dynamic. I doubt Ubiquiti have changed the JSON config format though so I'd be surprised if this didn't still work with the latest version of the controller software.

Did you find that other firewall rules stopped working? (specifically those accepting ICMP packets)

I do remember that you have to add firewall rules to explicitly accept ICMP and ICMPv6 packets as the UniFi gateway products block them by default. I don't remember for sure whether the above config interferes with those rules but again I'd be surprised.

@Altycoder
Copy link

Altycoder commented Apr 1, 2021

@CHTJonas I realise that this is quite old now, but how exactly do you now use a tunnel with a USG if you have a dynamic ipv4 address? Do you have an alternative config that you could share?

I'm looking for a way around BT's dynamic /56 ipv6 which for me changes every 2-3 days and is causing a few problems with an android client and Microsoft's company portal app.

@CHTJonas
Copy link
Author

CHTJonas commented Apr 1, 2021

how exactly do you now use a tunnel with a USG if you have a dynamic ipv4 address?

It's a bit tricky. I had to update the config manually whenever my IPv4 address changed which was thankfully not that often. I imagine it would be possible to automate this (maybe a crontab running on the controller that does sed -i on the JSON file and then hits up the API URLs to force AP reprovisions?) but it would be a massive hack.

You also need to make sure the IP address is updated at the Tunnelbroker side which is easy enough to do using curl in a crontab.

@Altycoder
Copy link

Altycoder commented Apr 1, 2021

ok thanks, there's more to this than I thought, maybe a weekend project....

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment