Setting up a Hurricane Electric tunnel with a Linux router


This assumes that you have a working router as per my older post. This can work behind a NAT (though I ended up DMZing this router) in some circumstances. This distils grawity’s excellent post on Super User in the context of this setup (which has a few quirks), with some broader context.

You’ll need to start by getting an account with Hurricane Electric’s tunnel broker, creating a tunnel and setting up the tunnel to your router as per the example configuration.


auto he-ipv6
iface he-ipv6 inet6 v4tunnel
address 2001:470:AA:BBBB::2
netmask 64
endpoint 216.218.221.6
local 192.168.1.79
ttl 255
gateway 2001:470:AA:BBBB::1

It’s a simple matter of adding what’s there to your /etc/network/interfaces.

You’ll want to create the /48 as well, and we’ll be carving a /64 from that to add to br0.

Note that you also get a routed /64. This will *probably* work, but that’s not what we are using. You’ll have a routed /48 in the format of 2001:470:AB::.

You’ll want to add an additional block for br0 in /etc/network/interfaces with

iface br0 inet6 static
address 2001:470:AB:1::1/64
gateway CLIENT IPv6 address

I’m not strictly sure if the client IPv6 address is necessary – I added it in during troubleshooting and it’s entirely possible that it works without that.

As for dnsmasq, you’ll need to add the following lines to /etc/dnsmasq.conf

enable-ra
dhcp-range = 2001:470:AB:1::, ra-stateless

Basically, we’re telling dnsmasq to give out any IP address within the range that we set for the br0 interface.

Restart networking and dnsmasq with systemctl restart networking and systemctl restart dnsmasq.

Finally, we’ll need to add firewall rules to firewalld:

sudo firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i he-ipv6 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

sudo firewall-cmd --direct --add-rule ipv6 filter FORWARD 0 -i br0 -o he-ipv6 -j ACCEPT

sudo firewall-cmd --runtime-to-permanent

Refresh your IP addresses, test with your favourite site and you’re good.
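
With a routed /48, every host on br0 gets a globally routable address, so the two FORWARD rules above are what keeps unsolicited inbound connections out. The following is an added example, not part of the original post: a shell check that reads rules in the `firewall-cmd --direct --get-all-rules` format and flags any ipv6 FORWARD rule that accepts traffic from the tunnel interface without a RELATED,ESTABLISHED restriction. The function name and the sample rule sets are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit firewalld direct rules for the tunnel described above.
# Feed it `firewall-cmd --direct --get-all-rules` on stdin; each line is
# "<ipv> <table> <chain> <priority> <ip6tables args...>".
# Prints every ipv6 FORWARD rule that ACCEPTs traffic arriving on the tunnel
# interface (default he-ipv6) unless it is limited to RELATED/ESTABLISHED,
# and returns 1 if any such rule exists. Negated matches (!) are not handled.
audit_forward_rules() {
    awk -v wan="${1:-he-ipv6}" '
        $1 != "ipv6" || $2 != "filter" || $3 != "FORWARD" { next }
        {
            in_if = ""; target = ""; states = ""
            for (i = 5; i < NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
            }
            if (target != "ACCEPT") next
            # A rule without -i matches every interface, the tunnel included.
            if (in_if != "" && in_if != wan) next
            unsafe = (states == "")
            n = split(states, s, ",")
            for (k = 1; k <= n; k++)
                if (s[k] != "RELATED" && s[k] != "ESTABLISHED") unsafe = 1
            if (unsafe) { print "OPEN: " $0; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the two rules from this page in get-all-rules format.
PAGE_RULES='ipv6 filter FORWARD 0 -i he-ipv6 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ipv6 filter FORWARD 0 -i br0 -o he-ipv6 -j ACCEPT'
# Constructed sample: the same rules plus a leftover rule that lets any
# host on the internet open connections to the LAN.
LEAKY_RULES="$PAGE_RULES
ipv6 filter FORWARD 0 -i he-ipv6 -o br0 -j ACCEPT"

printf '%s\n' "$PAGE_RULES" | audit_forward_rules && echo "page rules: ok"
printf '%s\n' "$LEAKY_RULES" | audit_forward_rules || echo "leaky rules: fail"
```

On the router itself, run `sudo firewall-cmd --direct --get-all-rules | audit_forward_rules` after any troubleshooting session, before `--runtime-to-permanent` makes the current rules stick.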

