Problems with IPv6 TunnelBroker on 10.12.4.

Post by majortom » Mon Apr 17, 2017 5:48 pm

I have a Mac running 10.12.4 on which I am trying to configure a tunnel.
The Mac's IP is

Server IPv4 Address:
Server IPv6 Address:2001:470:c:XXX::1/64
Client IPv4 Address:
Client IPv6 Address:2001:470:c:XXX::2/64

I have the following result from ifconfig gif1

gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 47.144.XXX.XXX -->
inet6 fe80::3ac9:86ff:XXXX:5da%gif1 prefixlen 64 scopeid 0x12
inet6 2001:470:c:XXX::2 --> 2001:470:c:XXX::1 prefixlen 128
nd6 options=201<PERFORMNUD,DAD>


ping6 2001:470:c:f52::2
PING6(56=40+8+8 bytes) 2001:470:c:XXX::2 --> 2001:470:c:XXX::2
--- 2001:470:c:XXX::2 ping6 statistics ---
13 packets transmitted, 0 packets received, 100.0% packet loss

I clearly have something configured incorrectly, but I am not sure what to check. On my working FreeBSD 11 box, that ping of the gif IPv6 address works fine.

Re: Problems with IPv6 TunnelBroker on 10.12.4.

Post by majortom » Mon Jun 19, 2017 3:29 pm

The problem I was having was that PF was blocking 6in4 traffic (protocol 41). I also discovered that I needed to enable the sysctl net.inet6.ip6.forwarding.

Having been through this now, I think I have all the items I need:

The sample configuration the tunnel broker suggests for Mac OS X is this:

ifconfig gif0 create
ifconfig gif0 inet6 CLIENT_IPv6_ADDRESS TUNNEL_SERVER_IPv6_ADDRESS prefixlen 128
route -n add -inet6 default TUNNEL_SERVER_IPv6_ADDRESS

These lines might need to be added to PF (it does not hurt to have them even if they might not be needed):

icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"
pass inet6 proto ipv6-frag
pass in on EXT_INTERFACE proto 41 from TUNNEL_SERVER_IPv4_ADDRESS
pass out on EXT_INTERFACE proto 41 to TUNNEL_SERVER_IPv4_ADDRESS
pass in on gif0 inet6 proto icmp6 all icmp6-type $icmp6_types allow-opts

Finally, if the machine is going to gateway IPv6 traffic:

sysctl net.inet6.ip6.forwarding=1
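
An added example, not part of the original posts: a shell function that reads pf rule text (on the Mac, from `pfctl -sr` or the rules file) and checks that protocol 41 is passed in both directions and only to and from the tunnel server, as in the PF lines above. The function names, 198.51.100.7 and en0 are assumptions standing in for TUNNEL_SERVER_IPv4_ADDRESS and EXT_INTERFACE.

```shell
#!/bin/sh
# Added example: audit pf rules for the 6in4 (IP protocol 41) passes.
# Reads rule text on stdin; $1 is the tunnel server's IPv4 address.
# Prints one summary line and returns 0 only when protocol 41 is passed in
# both directions and every such rule is scoped to the tunnel server.
audit_6in4() {
    awk -v server="$1" '
    $1 != "pass" { next }            # skip comments, macros and block rules
    {
        is41 = 0; dir = ""; peer = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "in" || $i == "out") dir = $i
            # pfctl may print protocol 41 by its /etc/protocols name, "ipv6"
            if ($i == "proto" && ($(i+1) == "41" || $(i+1) == "ipv6")) is41 = 1
            # the remote end is the source on "in" rules, the destination on "out"
            if ($i == "from" && dir == "in")  peer = $(i+1)
            if ($i == "to"   && dir == "out") peer = $(i+1)
        }
        if (!is41) next
        if (peer == server) ok[dir] = 1; else unscoped++
    }
    END {
        printf "in=%s out=%s unscoped=%d\n", (ok["in"] ? "ok" : "missing"),
               (ok["out"] ? "ok" : "missing"), unscoped
        exit !(ok["in"] && ok["out"] && unscoped == 0)
    }'
}

# Constructed samples (placeholder address and interface, not values from the post).
good_rules() {
    cat <<'EOF'
pass inet6 proto ipv6-frag
pass in on en0 proto 41 from 198.51.100.7
pass out on en0 proto 41 to 198.51.100.7
EOF
}
bad_rules() {
    cat <<'EOF'
pass in on en0 proto 41 from any
pass out on en0 inet proto ipv6 from any to 198.51.100.7
EOF
}

good_rules | audit_6in4 198.51.100.7
bad_rules  | audit_6in4 198.51.100.7 || echo "6in4 rules need attention"
```

The second sample is flagged because its inbound rule accepts protocol 41 from any source rather than only from the tunnel server.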

