OpenWRT Backfire + IPv6 Tunnelling with dynamic WAN address

By | June 19, 2013

Mission: The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.
Requirements: ipv6 tunnel, OpenWRT Backfire

Get your v6 tunnel
Go to and register. Once registered, click on “Create Regular Tunnel” link. Select your nearest v6 tunnel server and click create.


Based on above info we know that: is the remote IPv4 address (the other side of the tunnel)
2001:470:23:9c::1/64 is the remote IPv6 tunnel endpoint is the local IPv4 router address (assigned by ISP)
2001:470:23:9c::2/64 is the local IPv6 tunnel endpoint (labeled “Client IPv6 Address” on the Tunnel Details page in your HE account)
2001:470:24:9c::/64 is our allocated subnet/segment

Install required package and dependencies
opkg update
opkg install 6in4 ip ip6tables kmod-sit kmod-iptunnel6 radvd

Configure tunnel
uci set network.henet=interface
uci set network.henet.proto=6in4
uci set network.henet.peeraddr=
uci set network.henet.ip6addr='2001:470:23:9c::2/64'
uci set network.henet.tunnelid=210081
uci set network.henet.username='YOUR_HASHED_USERNAME'
uci set network.henet.password='YOUR_PASSWORD'
uci commit network

Set firewall zone
uci set [email protected][1].network='wan henet'
uci commit firewall

Bring up the interface
ifup henet
/etc/init.d/firewall restart

You can check new interface is created from LuCI2

To apply IPv6 firewall rules to the tunnel interface, add it to the “wan” zone in /etc/config/firewall:
config 'zone'
option 'name' 'wan'
option 'input' 'REJECT'
option 'output' 'ACCEPT'
option 'masq' '1'
option 'mtu_fix' '1'
option 'forward' 'ACCEPT'
option 'network' 'wan henet'

To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:
config 'rule'
option 'target' 'ACCEPT'
option 'name' '6to4'
option 'src' 'wan'
option 'proto' '41'
option '_name' '6to4'

To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address in a valid routed subnet to the local-facing interface (LAN). Edit /etc/config/network file and add the last option (‘ip6addr’).

config ‘interface’ ‘lan’
option ‘ifname’ ‘eth0.1’
option ‘type’ ‘bridge’
option ‘proto’ ‘static’
option ‘ipaddr’ ‘’
option ‘netmask’ ‘’
option ‘ip6addr’ ‘2001:470:24:9c:964:387b:8888:8888’

Enable Routing in Backfire
To forward packets between interfaces, a kernel-level setting must be enabled. To enable packet forwarding, edit /etc/sysctl.conf. Uncomment following line:
# net.ipv6.conf.all.forwarding=1 to

Restart sysctl to apply the new setting
/etc/init.d/sysctl restart

Clients that auto-configure using SLAAC (stateless address auto-configuration) will need to know our routed prefix. To broadcast the prefix to clients on the local network, we use radvd.


Verify your tunnel is working