How to get HE.net tunnel working with Pace 5268ac and pfSense
I've read a bunch of stuff online that seems to indicate that the Pace 5268ac will not pass protocol 41, thus making IPv6 tunnels impossible. I'm posting here to say - that is untrue. I have a Pace 5268ac, with a single public DHCP assigned address, working with a HE.net /48 routed subnet. I'm writing this to hopefully help out someone who may be in a similar situation.
My previous (working) setup was an NVG599, with pfSense handling the routing. IP Passthrough was enabled to pfSense and all firewall features were disabled on the NVG. Prior to 12/2016, I was terminating the ATT 6rd on pfSense to allow me to use the entire /60 network pool, but something happened in December 2016, that stopped working, and I could not get a resolution. I switched to a Hurricane Electric routed /48 and did not have any issues. Fast forward to last week, and the NVG599 bit the dust. At first, I was not too upset since it was so crippled by the ATT firmware; I was thinking, maybe I would get something better. Instead, I received a Pace 5268ac, which to my astonishment was even more crippled than the NVG, although the NAT limit seems to be a little better.
Initially, I configured the Pace for DMZ+ to my pfSense box and everything seemed ok, but the HE tunnel would not come up. I turned off every firewall feature and toggled anything I thought might cause the problem. Reading online, I found that many people had issues with the unit passing protocol 41, to the point I thought I may have to go back to IPv4 only. My last ditch effort was to perform a factory reset and hold the reset long enough to cause it to look for a FW update. This may be a bunch of bull feces about actually getting an update in this manner, but it didn't get one anyway. However, when my pfSense box reconnected to the 5268ac, it was given a private IPv4 address AND the IPv6 tunnel was up!?! I tested the tunnel and I could pass data through it, access sites, and get my full internet speed through it. Great, but I don't have my public v4 address on the pfSense box, which I would like for many reasons. As soon as I enabled DMZ+ again, the HE tunnel stopped working. In my mind, I'm thinking "what the..., I disable the firewall and it quits working".
In order to get the best of both worlds, I added another interface to the pfSense box and manually configured it for the private network of the Pace 5268ac (192.168.1.100/24). I then added a gateway of 192.168.1.254, and set the HE GIF parent interface to the new interface (OPT4 in my case). I configured the Pace for DMZ+ to the original pfSense WAN connection and everything is working. It is a bizarre workaround, but I'm back up and running.
This is a general overview of what I had to change to get this setup working with a Pace gateway. If needed/wanted, I can get some screen captures of pertinent configurations. My tunnel is built off of the instructions from the pfSense forums. My pfSense box is virtualized, so adding interface cards is not an issue for me. I would think pfSense supports virtual adapters and I know it supports VLANs, so there may be another method to get this to work.
I hope someone finds this helpful.
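As an added illustration of the workaround described in the post (not the poster's own configuration or screen captures), here is what the relevant pieces look like in pfSense's /cf/conf/config.xml: the extra OPT4 leg with a static private address and a gateway pointing at the Pace, and the HE GIF entry with its parent switched from WAN to OPT4. The NIC name vtnet3, the description strings, the gateway name PACE_GW and the TUNNEL_SERVER_IPV4 / CLIENT_IPV6 / SERVER_IPV6 placeholders are assumptions; substitute the values from your HE tunnel details page, and compare the element names against your own config.xml before editing it by hand (the GUI produces the same structure).

```xml
<!-- Added example: config.xml fragments for the "second leg" workaround.
     Element names follow pfSense 2.3/2.4 config files; values are
     placeholders except for the private addresses quoted in the post. -->

<!-- 1. OPT4: a second interface into the Pace's private LAN. WAN keeps the
     DMZ+ public address; OPT4 gets 192.168.1.100/24 and a gateway of
     192.168.1.254, so there is a path to the Pace that bypasses DMZ+. -->
<interfaces>
  <opt4>
    <descr><![CDATA[PACELAN]]></descr>
    <if>vtnet3</if>                    <!-- assumed: the added virtual NIC -->
    <enable></enable>
    <ipaddr>192.168.1.100</ipaddr>
    <subnet>24</subnet>
    <gateway>PACE_GW</gateway>
  </opt4>
</interfaces>

<gateways>
  <gateway_item>
    <interface>opt4</interface>
    <gateway>192.168.1.254</gateway>
    <name>PACE_GW</name>
    <weight>1</weight>
    <ipprotocol>inet</ipprotocol>
    <descr><![CDATA[Pace 5268ac, private side]]></descr>
  </gateway_item>
</gateways>

<!-- 2. The HE GIF tunnel. The one change from the usual recipe is <if>: it
     was "wan" in the setup that stopped working under DMZ+ and is "opt4"
     here, so the protocol-41 packets are sourced from 192.168.1.100 and
     leave via PACE_GW. An empty <ipaddr> means "use the parent interface
     address". Copy the remaining values from the existing GIF entry. -->
<gifs>
  <gif>
    <if>opt4</if>
    <ipaddr></ipaddr>
    <remote-addr>TUNNEL_SERVER_IPV4</remote-addr>         <!-- HE "Server IPv4 Address" -->
    <tunnel-local-addr>CLIENT_IPV6</tunnel-local-addr>    <!-- HE "Client IPv6 Address" -->
    <tunnel-remote-addr>SERVER_IPV6</tunnel-remote-addr>  <!-- HE "Server IPv6 Address" -->
    <tunnel-remote-net>64</tunnel-remote-net>
    <descr><![CDATA[HE.net tunnel via Pace private side]]></descr>
    <gifif>gif0</gifif>
  </gif>
</gifs>
```

Three checks are worth doing after applying this. First, `netstat -rn | grep TUNNEL_SERVER_IPV4` on the pfSense shell should show the tunnel server reached via 192.168.1.254, not via the WAN gateway; if it does not, the encapsulated packets are still being sent out the DMZ+ leg, which is exactly the case the post says fails. Second, `tcpdump -ni vtnet3 ip proto 41` while pinging SERVER_IPV6 should show the protocol-41 packets leaving with source 192.168.1.100, and the same capture on the WAN NIC should stay quiet. Third, remember that OPT interfaces start with no pass rules: whatever rule the forum recipe had you put on WAN to admit protocol 41 from the tunnel server now belongs on OPT4, and it should stay that narrow (source = tunnel server, protocol = IPv6/41), since OPT4 is otherwise a second, NATed path through the Pace that you do not want to open any wider than the tunnel needs.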