Configuring Tunnel Broker BGP on Mikrotik

Hurricane Electric’s free service Tunnel Broker allows one to set-up 6to4 tunnels in order to get IPv6 connectivity to IPv4-only sites. In addition to “regular” tunnels, where they assign you a random prefix from their ranges, they also support BGP tunnels. Today I will show you how to set one up and configure it on a Mikrotik device.

Prerequisites

  • A Mikrotik router
    A device we are going to use as a tunnel endpoint and a BGP peer. Any Mikrotik device will do, you don’t need anything beefy.
  • Public v4 address
    In order for the tunnel to work you need to have a public IPv4 address on the endpoint.
  • ASN
    You have to have your own AS Number. Tunnel Broker doesn’t accept private ASNs!
  • IPv6 range
    The range we are going to announce. Longest globally routable IPv6 prefix is /48

 

Create a BGP tunnel

Go to tunnelbroker.net, create an account and click on “Create BGP Tunnel“.

Fill in the IPv4 address of your Mikrotik device, your ASN and what prefixes you want to announce. Then pick the closest tunneling server and click on “Create BGP Tunnel“.

You will receive an email shortly from Hurricane Electric support, asking for a LOA (Letter of Authorization). By sending them a LOA, you basically say “This is my IPv6 space and ASN and I want you, Hurricane Electric, to allow me to announce it using your network“. Here’s a sample LOA:

LETTER OF AUTHORIZATION

<Date>

To Whom It May Concern,

This letter serves as authorization for Hurricane Electric, AS6939 to 
announce the following netblocks:

<IPv6 range>, <ASN>

As an owner of the subnet and ASN, I hereby declare that I am authorized 
to represent and sign for this LOA.

Should you have questions about this request, email me at <contact email>

From,

<Name>

Reply to the email with the LOA attached and you should get a response within a day or so, informing you that everything is set up on their side.

 

Configuring the tunnel

Look into Tunnel Broker’s admin panel, select your tunnel and click on “Example Configurations“. This tab automatically generates commands for various operating systems for setting up the tunnel itself. Select “Mikrotik” from the list and copy those commands. Now, log in to your router, open Terminal and paste those commands.

Looking into “Interfaces” tab, you should now see a new interface called “sit1” with type “6to4 Tunnel“. The router should have IPv6 connectivity by now. Open “Tools” => “Ping“, enter some IPv6 address (e.g. 2001:470:20::2 – Hurricane Electric DNS) and hit “Start“. If everything works correctly, you should see replies filling your screen.

 

Configuring BGP

The fun part.

Filtering

At first, we need to set up some filtering, so we:

  1. Don’t announce anything we don’t want to.
  2. Don’t receive any routes.

Go to “Routing” => “Filters”. Add a new filter, call it “discard“, select “Action“: “discard” and hit “Apply“. This is going to be our import filter.

Go back to the Filters screen and add another one. This time, call it something like “to_tunnelbroker“, add your IPv6 prefix into the field “Prefix“, check “Invert Match” and select “Action“: “discard” and click “Apply“.

 

Setting up BGP session

With filters set up, we can proceed to BGP itself.

Go to “Routing” => “BGP“. Add a new instance, give it some name (let’s call it Our_router), enter your ASN to “AS” and your IPv4 as “Router ID“. Click “Apply“.

Now, go to “Peers” and a new one. Give it some name (e.g. HurricaneElectric) and select the instance you previously created. Enter:

  • Remote Address” – this is the “Server IPv6 Address” from Tunnel Broker’s dashboard.
  • Remote AS” – 6939
  • Address Families” – ipv6
  • In Filter” – discard
  • Out Filter” – to_tunnelbroker

Hit “Apply“. If everything is configured correctly, you should see “State: established” and the number “Updates Received” should grow. Congratulations, your BGP session is UP!

 

Announcing the IPv6 space

Now that the BGP session is established, we can begin to announce our IPv6 space. Click on “Networks” and add a new one. Enter your prefix to the “Network” field and hit “Apply“. By returning to “Peers” page and clicking on “HurricaneElectric you can verify that the prefix is getting announced – field “Updates Sent” shouldn’t be zero now.

 

Using the IPv6 space

You can use the announced space as you normally would. Give your router an address and create a space which will be advertised to clients.

 

Verifying everything is working

In the end, I would suggest using tools like route servers or RIPE BGPlay to ensure the announcement was successful.

6 Comments

Add yours

  1. Don’t forget to ask ipv6@he.net to set JUST default-route for you. Otherwise your router needs lots of memory to process global routing table.

  2. You don’t have to, you can just tell your router to drop all incoming routes with filters. Works for me.

  3. You should be adding static default route then? To the tunnel Server’s IPv6 address I would presume?

  4. Exactly, if you wanted to route all v6 connectivity through the tunnel you would need to add a static route:
    2000::/3 via <tunnel_broker_ip>

  5. Well that’s a good method, too. If receiving updates do not use considerable amount of bandwidth and/or resources.

  6. Great article! Love Hurricane’s Tunnel Services…

Leave a Reply...