MMy ISP is nice, but a bit slow and dense. It serves me with one single dynamic IPv4 address and doesn’t give a rat’s ass about IPv6 protocol. Their thinking is simple: if IPv4 was good-enough a decade ago (when we had 500 kbps links), why change it now, right? According to the technical support of my ISP behemoth, IPv6 is too new, not in demand and therefore not on their future roadmap at all.

MMy ISP很好，但是有点慢且密集。 它为我提供了一个单一的动态IPv4地址，却没有给我关于IPv6协议的麻烦。 他们的想法很简单：如果IPv4十年前(当我们有500 kbps链接时)就足够好了，为什么现在就更改它，对吧？ 根据我的ISP庞然大物的技术支持，IPv6太新了，没有需求，因此根本就不在他们的未来路线图上。

IPv6 standard is not new (it was formalized in 1998) and it definitely is in demand — according to the current IPv4 exhaustion report. Out of five registrars that coordinate allocation of addresses globally, only AFRINIC has few old IPv4 addresses left — and they will deplete them all this year, turning on a black market of IPv4 address reselling.

根据当前的IPv4耗尽报告， IPv6标准不是新的( 它于1998年正式确定 )，并且肯定是有需求的。 在全球范围内协调地址分配的五个注册服务商中，只有AFRINIC剩下的旧IPv4地址很少-它们将在今年全部耗尽，从而开启了IPv4地址转售的黑市。

I cannot put this more plainly: YOU NEED YOUR HOME IPv6 ALLOCATION ASAP.

我不能说得很清楚： 您需要尽快进行家庭IPv6分配 。

Luckily we don’t need to wait for ISPs and their mercy to get IPv6 networks allocated. We can route IPv6 traffic from home devices through an IPv4 networking tunnel to a nearest IPv6 tunnel broker and enable IPv6 independently of ISPs. Think about it as a VPN tunnel with an explicit purpose to enable routing and flow of IPv6 traffic.

幸运的是，我们无需等待ISP及其摆布就可以分配IPv6网络。 我们可以将IPv6流量从家庭设备通过IPv4网络隧道路由到最近的IPv6隧道代理，并独立于ISP启用IPv6。 可以将其视为VPN隧道，其明确目的是启用IPv6流量的路由和流。

Note: when you choose a VPN provider (if you need one), make sure to select the one that offers both IPv4 and IPv6 routing through VPN. Once you start investigating, you’ll be surprised how few VPN providers actually do that… Before you ask, I use Perfect Privacy VPN, because reasons.

注意：选择VPN提供商(如果需要)时，请确保选择同时通过VPN提供IPv4和IPv6路由的提供商。 一旦开始调查，您会惊讶的是，几乎没有VPN提供商真正做到这一点……在您问之前，由于种种原因 ，我使用Perfect Privacy VPN 。

There are many IPv6 tunnel brokers available, although they are slowly disappearing as more and more ISPs are adopting native IPv6. I am a faithful user of Hurricane Electric tunnel broker because they are free, offer beefy /48 network allocations, and they are awesome.

有许多可用的IPv6隧道代理 ，尽管随着越来越多的ISP采用本机IPv6，它们逐渐消失了。 我是Hurricane Electric隧道经纪人的忠实用户，因为它们是免费的，提供强大的/ 48网络分配，而且它们很棒。

使用HE Tunnel Broker和OPNSense建立IPv6-in-IPv4 (Establishing IPv6-in-IPv4 with HE Tunnel Broker and OPNSense)

Step 1: Your OPNSense firewall needs to be connected directly to the Internet. If your device is hidden behind ISP’s NAT, you will need to configure a firewall rule to allow IP protocol 41 (6in4) to enter your network and get to OPNSense. OPNSense (or whatever device faces the WAN) also needs to allow inbound ICMPv4 traffic from the WAN side. If you are paranoid and prefer to disable ICMPv4 (which is NOT a good idea), you can restrict the inbound ICMPv4 traffic to allow only ECHO_REQUEST messages originating from the assigned HE TunnelBroker Server IPv4 address.

步骤1：您的OPNSense防火墙需要直接连接到Internet。 如果您的设备隐藏在ISP的NAT之后，则需要配置防火墙规则，以允许IP协议41(6in4)进入您的网络并进入OPNSense。 OPNSense(或面向WAN的任何设备)还需要允许来自WAN端的入站ICMPv4通信。 如果您偏执狂并且希望禁用ICMPv4( 这不是一个好主意 )，则可以将入站ICMPv4流量限制为仅允许来自分配的HE TunnelBroker服务器IPv4地址的ECHO_REQUEST消息。

Step 2: Head to tunnelbroker.net, create an account and create a new IPv6 tunnel at the server that is the closest to your location. They have plenty of endpoint locations to choose from:

步骤2 ： 转到 tunnelbroker.net ，创建一个帐户，并在离您的位置最近的服务器上创建一个新的IPv6隧道。 他们有很多端点位置可供选择：

Once your tunnel is created, do not forget to request a /48 IPv6 prefix in the control panel of your new IPv6 tunnel. I know, I know, you think that the default /64 network is gigantic already, why would you ever need an even larger network space for your tiny home, right? Let me explain how IPv6 addressing works, and you will understand that /64 network is actually not that large.

创建隧道后，请不要忘记在新IPv6隧道的控制面板中请求/ 48 IPv6前缀。 我知道，我知道，您认为默认的/ 64网络已经是巨大的，为什么您还要为小房子需要更大的网络空间，对吗？ 让我解释一下IPv6寻址的工作原理，您将了解/ 64网络实际上并不大。

Global Unicast Addresses (GUA) have reserved the first 3 and last 64 bits. The remainder 61 bits in the middle are divided between global routing prefix and Subnet ID.

全球单播地址(GUA)保留了前3位和后64位。 中间的其余61位在全局路由前缀和子网ID之间分配。

SLAAC (Stateless Address Autoconfiguration) mechanism — which we will use to configure IP addresses — allows auto-assignment of unique IPv6 addresses to devices on the network — and it requires a full /64 network to work. So, if you ever want more than one SLAAC-enabled network at home, you need to request more than one /64 network. I have three interfaces on my OPNSense, so I need (at least) three /64 networks. Or one larger sub-dividable network. TunnelBroker is offering either /64 or /48 — no other alternatives.

SLAAC(无状态地址自动配置)机制(将用于配置IP地址)允许将唯一的IPv6地址自动分配给网络上的设备，并且它需要完整的/ 64网络才能工作。 因此，如果您在家中需要多个支持SLAAC的网络，则需要请求多个/ 64网络。 我的OPNSense上有三个接口，因此(至少)需要三个/ 64网络。 或一个更大的可细分网络。 TunnelBroker提供/ 64或/ 48-没有其他选择。

So, grab that /48 while you are at the Tunnel Details page — you will need it later.

因此，在“隧道详细信息”页面上获取/ 48即可-稍后将需要它。

There are five essential pieces of information that you should write down and remember while at the TunnelBroker console— we will need them in a jiffy:

在TunnelBroker控制台上，您应该写下并记住五个基本信息，我们会急切地需要它们：

Step 3: Add GIF tunnel to your OPNSense. This is not a common type of interface; it is hidden a bit, but you will find it if you dig into Interfaces — Other Types — GIF

第3步：将GIF隧道添加到您的OPNSense 。 这不是常见的接口类型。 它有点隐藏，但是如果您深入研究接口-其他类型-GIF ，就会发现它

Add a new GIF tunnel port with the following details:

添加具有以下详细信息的新GIF隧道端口：

Parent interface          WANGIF remote address        [assigned Server IPv4]GIF tunnel local address  [assigned Client IPv6]GIF tunnel remote address [assigned Server IPv6] /64Route Caching             disabledECN friendly behavior     disabled

Step 4: Assign the GIF tunnel port to a new interface. You will find assignments in Interfaces-Assignments. Select the GIF tunnel for a New Interface and hit the + sign next to it. A new network interface will appear under your Interfaces, probably named something like OPT4. Select it, enable it, and rename it to whatever your heart desires (I named it TUN for, you know, Tunnel). With that set, your OPNSense should have an active IPv6 connection to the world that terminates on OPNSense.

步骤4：将GIF隧道端口分配给新接口。 您可以在Interfaces-Assignments中找到分配 。 为新接口选择GIF隧道，然后点击它旁边的+号。 一个新的网络接口将出现在您的接口下，可能命名为OPT4。 选择它，启用它，然后将其重命名为您内心想要的任何东西(我将其命名为TUN表示为Tunnel)。 设置好此设置后，您的OPNSense应该与活动世界建立有效的IPv6连接，并终止于OPNSense。

Step 5: Set IPv6 firewall rules. I keep this one really simple with only three rules assigned to TUN interface:

步骤5：设置IPv6防火墙规则 。 我只将三个规则分配给TUN接口，使这一过程非常简单：

- Allow all inbound IPv6 ICMP traffic from any sources- Deny any outbound traffic to 2620:108:700f::/48- Deny any outbound traffic to 2a01:578:3::/48

The first rule is kinda obvious — IPv6 management relies heavily on ICMP controls and you should let ICMP flow, even if you are paranoid. (note to self: don’t be paranoid, IPv6 will work better if you are not)

第一条规则很明显-IPv6管理在很大程度上依赖于ICMP控件，即使您偏执，也应该让ICMP流动。 ( 请注意：不要偏执，否则，IPv6会更好地工作 )

The second and the third rule are not that obvious; they deny IPv6 flow to Netflix servers. Yes, Netflix. Netflix hates VPNs or proxy servers because… Reasons. Tunnel Broker uses exit endpoints that are registered as VPN exits and as Netflix hates VPNs, you won’t be able to Netflix through TunnelBroker. We have to block IPv6 traffic to Netflix, so streaming clients will downgrade to IPv4 and keep streaming.

第二和第三条规则不是那么明显。 他们拒绝IPv6流向Netflix服务器。 是的， Netflix 。 Netflix讨厌VPN或代理服务器，因为……原因。 Tunnel Broker使用的出口端点已注册为VPN出口，并且Netflix讨厌VPN，您将无法通过TunnelBroker进入Netflix。 我们必须阻止Netflix的IPv6流量，因此流客户端将降级到IPv4并继续流。

Step 6: Assign IPv6 to your LAN interfaces. What fun is it to have IPv6 on the WAN port of your router if the rest of your home networks can’t see it? Head to each of your LAN interfaces, set IPv6 Configuration type to Static IPv6, and assign them a static IPv6 address that is in the range of your routed /48 space (as given to you by TunnelBroker). I used IPv6 subnetting calculator to split my /48 into 4 networks — because I have three LAN interfaces:

步骤6：将IPv6分配给您的LAN接口。 如果您的其他家庭网络看不到IPv6，那么在路由器的WAN端口上使用IPv6有什么乐趣呢？ 转到每个LAN接口，将“ IPv6配置”类型设置为“ 静态IPv6”，然后为它们分配一个静态IPv6地址，该地址在您的路由/ 48空间的范围内(由TunnelBroker提供)。 我使用IPv6子网划分计算器将/ 48划分为4个网络-因为我具有三个LAN接口：

Each OPNSense LAN interface gets its own publicly routable IPv6 address — I typically assign the first address (::1) of each subnet to the LAN port. Repeat the below process for each of your LAN interfaces, save and apply changes as you go:

每个OPNSense LAN接口都有其自己的公共可路由IPv6地址-我通常将每个子网的第一个地址(:: 1)分配给LAN端口。 对您的每个LAN接口重复以下过程，随时保存并应用更改：

Step 7: Enable RA and SLAAC. How do IPv6 addresses get to clients on LAN networks? While DHCPv6 exists, it is very rarely used as IPv6 standard includes a much cooler way to assign addresses. As explained at the beginning, routers regularly advertise its IPv6 routes through RAs (Route Advertisements) on each LAN interface, so all IPv6-capable devices can hear RA messages. Devices then use SLAAC (StateLess Address AutoConfiguration) to generate its own IPv6 address — based on advertised route and its own HW MAC address. If you can, do avoid DHCPv6 and use RA and SLAAC instead.

步骤7：启用RA和SLAAC 。 IPv6地址如何到达LAN网络上的客户端？ 尽管存在DHCPv6，但很少使用它，因为IPv6标准包括一种更酷的分配地址的方法。 如开头所述，路由器会定期通过每个LAN接口上的RA( 路由公告)发布其IPv6路由，因此所有支持IPv6的设备都可以听到RA消息。 然后，设备使用SLAAC( StateLess地址自动配置 )来生成自己的IPv6地址-基于通告的路由和自己的硬件MAC地址。 如果可以，请避免使用DHCPv6，而应使用RA和SLAAC。

The RA configuration is under Services — Router Advertisements. I might be doing an overkill by advertising “all” routes (::) and OPNSense as a default DNS server, but this configuration works for me and I’m not touching it. Repeat the same RA assignment for each of your LANs:

RA配置位于“ 服务—路由器广告”下 。 通过将“所有”路由(：:)和OPNSense作为默认的DNS服务器进行广告，我可能做得太过分了，但是此配置对我有用，但我没有碰它。 对每个局域网重复相同的RA分配：

With this step applied, your devices should get IPv6 advertisements, create its own routable IPv6 addresses and start using IPv6. We are in business!

应用此步骤后，您的设备应获取IPv6广告，创建自己的可路由IPv6地址并开始使用IPv6。 我们在做生意！

ping6 2620:fe::fePING 2620:fe::fe(2620:fe::fe) 56 data bytes64 bytes from 2620:fe::fe: icmp_seq=1 ttl=60 time=7.05 ms64 bytes from 2620:fe::fe: icmp_seq=2 ttl=60 time=7.01 ms64 bytes from 2620:fe::fe: icmp_seq=3 ttl=60 time=7.19 ms64 bytes from 2620:fe::fe: icmp_seq=4 ttl=60 time=7.27 ms

Step 8: Define DDNS for Tunnel Broker. This step is required for all households that get dynamically-assigned IP addresses from ISPs. The moment when your ISP will change your public IP address, the TunnelBroker will stop working. So, we need to create the auto-fix.

步骤8：为Tunnel Broker定义DDNS 。 从ISP获得动态分配IP地址的所有家庭都需要执行此步骤。 当您的ISP更改您的公共IP地址时，TunnelBroker将停止工作。 因此，我们需要创建自动修复。

First, let’s head back to the TunnelBroker portal and grab three pieces of information:

首先，让我们回到TunnelBroker门户并获取三个信息：

• Tunnel name (you will find it on the home dashboard, looks something like this: tunnel123456.tunnel.tserv14.sea1.ipv6.he.net

  隧道名称 (您可以在主仪表板上找到它，看起来像这样： tunnel123456.tunnel.tserv14.sea1.ipv6.he.net

• Username (the one you created when you made the TunnelBroker account)

  用户名 (创建TunnelBroker帐户时创建的用户名 )

• Update key (found on the Advanced page of your tunnel settings) — will be used as password

  更新密钥 (位于隧道设置的“高级”页面上)—将用作密码

Now you can create the Dynamic DNS Sevice on OPNSense and allow automatic updating:

现在，您可以在OPNSense上创建动态DNS服务，并允许自动更新：

This is it! To recap, here are key steps to enable IPv6 using TunnelBroker on OPNSense:

就是这个！ 概括地说，以下是在OPNSense上使用TunnelBroker启用IPv6的关键步骤：

• Create your own /48 tunnel on tunnelbroker.net

  在tunnelbroker.net上创建自己的/ 48隧道

• Create and configure a GIF interface on OPNSense在OPNSense上创建和配置GIF接口
• Define IPv6 firewall rules定义IPv6防火墙规则
• Assign IPv6 addresses to LAN interfaces将IPv6地址分配给LAN接口
• Enable RA and SLAAC启用RA和SLAAC
• Configure Dynamic DDNS to allow the tunnel to work after public IPv4 change (if you are assigned a dynamic public IP by your ISP)配置动态DDNS，以使隧道在公共IPv4更改后可以工作(如果ISP为您分配了动态公共IP)