Quick RouterOS script for hurricane electric 6to4 tunnel dynamic updating

If your ISP doesn’t offer IPv6 you may have set up an IPv6 6to4 tunnel using Hurricane Electric’s free ‘tunnelbroker.net‘ service.

To operate the tunnel, tunnelbroker.net requires that you configure an IPv4 endpoint/client IP in their tunnel configuration. Additionally, the Mikrotik RouterOS ‘6to4’ tunnel interface requires this same IPv4 address is (redundantly) entered as the 6to4 interface’s 'local-address' property value. If you are given a dynamic public IP address by your ISP, this is a bit messy!

Here is a quick script (I suggest running it periodically) which will:

Use Mikrotik’s Cloud IP service (which obviously must be enabled) to resolve your WAN IP,
Check that IP against the local-address value in your 6to4 interface (which is assumed to be the only interface, named ‘sit1’) and
If the IPs do not match, will update tunnelbroker.net with your new WAN IP (using their dyn-compatible GET request method) and
Update the ‘local-address’ of your 6to4 interface

You can obtain the necessary values (<USERNAME>, <PASSWORD> (which is hashed) and <TUNNELID>) by logging into the tunnelbroker.net website, opening your tunnel details, then clicking the ‘advanced’ tab.

# update tunnelbroker.net
# account with our automatically detected
# public ipv6 adddress
# (add "&myip=<IP-ADDRESS>" to end of URL to manually specify IP) eg.
# or leave this param out to let he.net auto-detect the IP
# as per https://forums.he.net/index.php?topic=1994.0
# your IPv4 IP must be ICMP pingable for tunnerbroker.net to accept it

/ip cloud force-update;
:local currentIP ""
:set currentIP [/ip cloud get public-address]

#check if the 6to4 interface is already set to the current public IP
:if (:put [/interface 6to4 get sit1 local-address] != $currentIP) do={

#set the local address of the 6to4 tunnel to our public IP:
/interface 6to4 set 0 local-address=$currentIP

#update tunnelbroker.net with our public IP:
/tool fetch url="https://<USERNAME>:<PASSWORD>@ipv4.tunnelbroker.net/nic/update?hostname=<TUNNELID>&myip=$currentIP"
:log info "HE tunnel updated with local-address: $currentIP"
};

# update tunnelbroker.net

# account with our automatically detected

# public ipv6 adddress

# (add "&myip=<IP-ADDRESS>" to end of URL to manually specify IP) eg.

# or leave this param out to let he.net auto-detect the IP

# as per https://forums.he.net/index.php?topic=1994.0

# your IPv4 IP must be ICMP pingable for tunnerbroker.net to accept it

/ip cloud force-update;

:local currentIP ""

:set currentIP [/ip cloud get public-address]

#check if the 6to4 interface is already set to the current public IP

:if (:put [/interface 6to4 get sit1 local-address] != $currentIP) do={

#set the local address of the 6to4 tunnel to our public IP:

/interface 6to4 set 0 local-address=$currentIP

#update tunnelbroker.net with our public IP:

/tool fetch url="https://<USERNAME>:<PASSWORD>@ipv4.tunnelbroker.net/nic/update?hostname=<TUNNELID>&myip=$currentIP"

:log info "HE tunnel updated with local-address: $currentIP"

};

Note that it might be unnecessary to force the cloud IP service to update – I believe it does this every minute anyway.

Something worth noting too is that the endpoint/client IP for the tunnelbroker.net tunnel (ie. your WAN IP) must respond to ICMP pings from tunnelbroker before it can be set up on the tunnelbroker.net website. If you’re blocking ICMP, configuring the tunnel endpoint on the tunnelbroker.net website will just mysteriously fail.

Send Slack messages from Mikrotik RouterOS

Netinstall for RouterOS in Virtualbox (on Mac OS)

Leave a Comment cancel reply