TODO
SSH to your UDM
ssh root@<udm ip address>
<enter the password you set when prompted>
Configure the IPv6 Tunnel - You get the addresses from the Tunnel Details page on TunnelBroker
ip tunnel add he-ipv6 mode sit remote <server ipv4 address> local <client ipv4 address> ttl 255
ip link set he-ipv6 up
ip addr add <client ipv6 address> dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr
Test Connectivity from UDM
ping 2600::
Setup Address Allocation
TODO
@DJBenson Glad you got it working!!
In your UDM/P/SE firewall, you should have some default "Internetv6 In" rules that allow traffic out, but only allow traffic in if it's a response to or related to the outbound traffic.
They should actually already be the default rules, so from top to bottom you'd have:
And then you'll see some other default rules for "Internetv6 Local" which should look similar but are specific to traffic with a 'final destination' of the gateway itself.
These rules should be there by default.
If you're finding that your local network devices are open to the internet (by doing a port scan for example) then you would want to make sure you're running a cron job as mentioned in my writeup as well.
Because the he-ipv6 interface and tunnel aren't really "recognized" by the UDM/P/SE, none of the out-of-the-box firewall rules will apply (since it only applies them to your WAN interfaces - usually eth8 and eth9). Running the cron job will take all ipv6 rules that are applied to the actual WAN interface, and apply them to the he-ipv6 tunnel instead. Any changes made to firewall settings in the Unifi Network app will re-write the firewall rules to the UDMP's WAN interface, and then the cron job will need to detect that and re-apply them over to the he-ipv6 interface again. The writeup I made describes how to test that firewall rules have been applied to the he-ipv6 interface correctly by running ip6tables-save | grep he-ipv6 - if that results in no output, then no firewall rules have been applied to that interface.
That was the whole reason I ended up creating the cron job, to ensure that you can create rules in the Unifi Network UI and they will be applied to the tunnel interface.
Once you've got the cron job set up, you should be able to change the rules or add new rules in the Unifi Network Firewall Rules UI (under Internetv6), and then those rules will be re-applied to the he-ipv6 interface when the cron job runs next (I run mine every minute). (FYI I just made changes to configure-he-ipv6-chains.sh today which should work more completely on newer versions of the UDMP OS including UDMPSE)