
Please see →ipv6.theory for a load of links to IPv6 related documentation.
Obtain IPv6 support
Follow ipv6.essentials to obtain full IPv6 support. Then come back and read about the configuration here:
There are two big, different steps:
1. Set up a working IPv6 connection on the OpenWrt router, either by tunneling (SixXS, TSP, 6to4) or natively.
2. Propagate the IPv6 subnet to the LAN with RADVD or DHCPv6.
Native IPv6 access
For this, you need to obtain an IPv6 address from your ISP. Technically this could be a /128 prefix (exactly one IPv6 address), but according to regulation it needs to be at least a / prefix. You may also get a bigger range, like /56 or /48. Within this range you may use all the IPv6 addresses to your liking without any NAT-induced headaches. Some of the ISPs currently known to support IPv6 to the customer are listed here: ipv6.isp.
In the following example, the assigned prefix is 2001:123:456::/48. Within this prefix, I choose to assign the network 2001:123:456:7::/ to the internal LAN. The router has the fixed address 2001:123:456:7::1. /etc/config/network (the example configuration appears further down the page, after the tunneling sections):
When using PPPoEv6, enable ipv6. You may also further reduce the MTU from 1492 to 1452: experience shows that this prevents many problems. You can try to increase this value, but not beyond 1492.
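The radvd section later on this page requires that an AdvLinkMTU, if announced at all, be identical to the MTU set on the upstream interface in /etc/config/network; a mismatch silently breaks Path MTU Discovery for every LAN client. The following check is an added example and not part of the OpenWrt wiki or the radvd package: it reads both UCI files with a small awk parser that understands only the plain "option name value" syntax used on this page (on a router, uci get would be used instead), and the sample configurations it writes are constructed for the demonstration. The interface names (wan, lan) and the MTU values are assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenWrt wiki): verify that radvd's AdvLinkMTU
# equals the mtu option of the upstream interface in /etc/config/network.
# awk helper shared by both lookups: strip one pair of surrounding quotes
# from a UCI value; q is the single-quote character, passed in with -v.
UNQ='function unq(s) { gsub("^[" q "\"]", "", s); gsub("[" q "\"]$", "", s); return s }'

# MTU of the named "config interface" section of a network file, or empty.
network_mtu() {   # $1 = network file, $2 = interface name (wan, henet, ...)
    awk -v n="$2" -v q="'" "$UNQ"'
        $1 == "config" { insec = ($2 == "interface" && unq($3) == n); next }
        insec && $1 == "option" && $2 == "mtu" { print unq($3); exit }
    ' "$1"
}

# AdvLinkMTU of the radvd "interface" section whose option interface is $2,
# or empty when radvd announces no MTU for that LAN (radvd sections are
# anonymous, so they are matched on the interface option, not a section name).
radvd_mtu() {     # $1 = radvd file, $2 = LAN interface name (lan, ...)
    awk -v n="$2" -v q="'" "$UNQ"'
        $1 == "config" { sect = $2; iface = ""; mtu = ""; next }
        sect == "interface" && $1 == "option" && $2 == "interface" { iface = unq($3) }
        sect == "interface" && $1 == "option" && $2 == "AdvLinkMTU" { mtu = unq($3) }
        iface == n && mtu != "" { print mtu; exit }
    ' "$1"
}

# Returns 0 when the MTUs agree or radvd announces none (the page's advice:
# do not provide AdvLinkMTU unless it is also set in /etc/config/network);
# returns 1 on a mismatch or when radvd announces an MTU the upstream lacks.
check_mtu() {     # $1 network file, $2 upstream iface, $3 radvd file, $4 LAN iface
    up=$(network_mtu "$1" "$2")
    adv=$(radvd_mtu "$3" "$4")
    if [ -z "$adv" ]; then
        echo "radvd announces no MTU for $4; clients use the link default"
        return 0
    fi
    if [ -z "$up" ]; then
        echo "MISMATCH: radvd announces $adv but $2 has no mtu option"
        return 1
    fi
    if [ "$up" = "$adv" ]; then
        echo "OK: $2 mtu $up matches AdvLinkMTU $adv"
        return 0
    fi
    echo "MISMATCH: $2 mtu $up, AdvLinkMTU $adv"
    return 1
}

# Constructed sample configurations (not the page's); prints the directory.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/network" <<'EOF'
config interface wan
    option ifname eth0
    option proto pppoe
    option mtu 1452
EOF
    cat > "$d/radvd-ok" <<'EOF'
config interface
    option interface 'lan'
    option AdvSendAdvert 1
    option AdvLinkMTU 1452
    option ignore 0
EOF
    cat > "$d/radvd-bad" <<'EOF'
config interface
    option interface 'lan'
    option AdvLinkMTU '1492'
EOF
    echo "$d"
}

# Stand-alone demonstration on the constructed samples.
dir=$(write_samples)
check_mtu "$dir/network" wan "$dir/radvd-ok" lan
check_mtu "$dir/network" wan "$dir/radvd-bad" lan || true
```

On a real router, point the two file arguments at /etc/config/network and /etc/config/radvd and pass the upstream interface that carries IPv6 (wan for native PPPoE, the tunnel interface such as henet for 6in4).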
6in4 tunneling
6in4 is a method to encapsulate IPv6 traffic into an IPv4 tunnel. It is mostly used by tunnel brokers and requires manual configuration.
An excellent forum thread on static 6in4 tunnels is at https://forum.openwrt.org/viewtopic.php?pid=126285
Both resources assume a static prefix, and thus a manual configuration.
The ISPs known to use this are:
1. Comcast (USA)
2. Free.fr (France)
The package 6in4 must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later.
Examples of 6in4 tunneling are also on the config/network page.
For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.
Static 6in4 tunneling
/etc/config/network for static tunneling:
Dynamic 6in4 tunneling
The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is determined automatically, and tunnelid, username and password are provided for the IP update. /etc/config/network for dynamic tunneling:
This guide is not yet complete, don't hesitate to ask for help on the IRC channel #openwrt.

/etc/config/network for native IPv6 (the example from the Native IPv6 access section above; the wan section is truncated in the source):

    config interface lan
        option ifname eth1
        option type bridge
        option proto static
        option ipaddr 192.168.1.1
        option netmask 255.255.255.0
        option ip6addr '2001:123:456:7::1/'

    config interface wan
        option ifname eth0
        option proto pppoe
        option username '

In this example configuration:
- 178.24.115.10 is the local IPv4 address (assigned by the ISP).
- 216.66.80.30 is the remote IPv4 address (the other side of the tunnel).
- 2001:0db8:1f0a:1359::2/ is the local IPv6 tunnel endpoint (labeled "Client IPv6 Address" on the Tunnel Details page in your HE account).
- tunnelid, username and password are provided by the tunnel broker. For Hurricane Electric tunnels, the username is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account (called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see https://ipv4.tunnelbroker.net/ipv4_end.php

Note that Hurricane Electric has changed their dynamic negotiation protocol, and the 6in4 package is not yet (August 2011) updated accordingly. See the discussion in ticket 10019. Based on that discussion, HE users need to install the wget package to get HTTPS support in wget, and possibly also modify the URL in the 6in4 script.

This tunnel, like a VPN, creates a third network interface, called henet in this example. A default IPv6 route using this interface is created automatically when the interface connects successfully.

Firewalling
To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:

To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:

Routing
Routed Addresses
To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address in a valid routed subnet to the local-facing interface.
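The Hurricane Electric convention for the routed subnet, described in the Routed Addresses text that follows, is mechanical: take the tunnel prefix and increment the third quad by one. Working it out by hand is a common source of typos in the LAN address, so here is an added example (not from the OpenWrt wiki or from HE) that derives the routed prefix and the router's LAN address from the client endpoint. It assumes the endpoint is written with its four leading hextets, as HE prints it, and that the routed prefix is a /64 unless another length is given; the sample addresses are the page's documentation example.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: derive the Hurricane Electric
# routed prefix and the router's LAN address from the tunnel's client
# endpoint. The third hextet of the tunnel prefix is incremented by one,
# everything else is kept (assumed HE convention, as the page describes).

he_routed_prefix() {
    # $1 = client tunnel endpoint (a trailing /len is ignored)
    # $2 = routed prefix length, assumed 64 when not given
    addr=${1%%/*}
    len=${2:-64}
    h1=$(printf '%s' "$addr" | cut -d: -f1)
    h2=$(printf '%s' "$addr" | cut -d: -f2)
    h3=$(printf '%s' "$addr" | cut -d: -f3)
    h4=$(printf '%s' "$addr" | cut -d: -f4)
    if [ -z "$h3" ] || [ -z "$h4" ]; then
        # compressed forms such as 2001:db8::2 carry no third quad to increment
        echo "he_routed_prefix: expected four leading hextets in $addr" >&2
        return 1
    fi
    # Increment the third hextet; $(( )) understands 0x hexadecimal constants.
    # The & 0xffff keeps the result a valid hextet should ffff ever be passed.
    h3=$(printf '%04x' $(( (0x$h3 + 1) & 0xffff )))
    printf '%s:%s:%s:%s::/%s\n' "$h1" "$h2" "$h3" "$h4" "$len"
}

# Address to configure on the LAN-facing interface: the ::1 of the routed prefix.
he_router_address() {
    p=$(he_routed_prefix "$@") || return 1
    printf '%s\n' "${p%%/*}1/${p##*/}"
}

# Stand-alone use: ./he_prefix.sh 2001:0db8:1f0a:1359::2
if [ $# -gt 0 ]; then
    he_routed_prefix "$1" && he_router_address "$1"
fi
```

With the page's example endpoint 2001:0db8:1f0a:1359::2 the functions yield 2001:0db8:1f0b:1359::/64 and 2001:0db8:1f0b:1359::1/64, which is the address the text below puts on the LAN interface; compare the result with the Routed IPv6 Prefixes section of the Tunnel Details page before using it, since the derivation is a convention and not something the router can verify.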
For Hurricane Electric tunnels, the prefix for the routed subnet is specified on the Tunnel Details page on tunnelbroker.net in the Routed IPv6 Prefixes section, and is formed by incrementing the last digit of the third quad of the tunnel prefix. For example, if 2001:0db8:1f0a:1359::2/ is the local IPv6 tunnel endpoint, the local interface would be assigned an address in the 2001:0db8:1f0b:1359::/ subnet, typically 2001:0db8:1f0b:1359::1/.

Clients that auto-configure using SLAAC (stateless address auto-configuration) will need to know this routed prefix. To advertise the prefix to clients on the local network, use radvd.

Packet Forwarding
The router must be configured to forward packets between the remote and local interfaces. See the Enable Routing section. Forwarding is enabled by default in trunk, but must be enabled manually in Backfire.

Enable Routing in Backfire
To forward packets between interfaces, a kernel-level setting must be enabled. Edit /etc/sysctl.conf and uncomment the following line:

    # net.ipv6.conf.all.forwarding=1

The line should look like this:

    net.ipv6.conf.all.forwarding=1

Now restart sysctl to apply the new setting:

    /etc/init.d/sysctl restart

To verify that the setting has been applied, issue the following command:

    cat /proc/sys/net/ipv6/conf/all/forwarding

Fragment of the henet interface section from the dynamic tunneling /etc/config/network example (only these options survive in the source):

        option ip6addr '2001:0db8:1f0a:1359::2/'
        option tunnelid '12345'
        option username '14c4b06b824ec593239362517f538b29'
        option password '5f4dcc3b5aa765d61d8327deb882cf99'

Troubleshooting
1. Enable firewall logging.
2. On the router, ping ipv6.google.com.
3. On a local host, ping the public IP address of the router's local interface (2001:0db8:1f0b:1359::1 in the example configuration).
4. On a local host, ping ipv6.google.com.

6to4, 6rd
6to4 is a translation mechanism to transform IPv6 packets into IPv4, and back, using specific relay servers. 6rd (rapid deployment) is similar to 6to4 with some restrictions for large ISP routing. However, it is only supported in kernels 2.6.33 and later because of its specific routing scheme.

In order for 6to4 to work, you need to install the packages 6to4 and kmod-sit, available from 10.03.1-rc4:

    opkg install 6to4 kmod-sit

If, like me, you are working with 10.03, you can still install it by downloading the package from the newer source:

    opkg install http://downloads.openwrt.org/backfire/10.03.1-rc4/brcm47xx/packages/6to4_2-1_all.ipk

Replace brcm47xx with the architecture you are working with.

For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.

An example of /etc/config/network for the ISP "Qfast.nl":

Although there are many more options, most of those (like the IP address and the advertising interface) are configured automatically by default. Just check /etc/config/network and search for the 6to4 section. Even radvd and your lan interface are configured automatically by default, taking the lan interface and a / prefix of the external IP range to be routed. All you need to do is change ignore 1 to ignore 0 on the interface. Also remember to enable radvd (/etc/init.d/radvd enable) before doing ifup on the 6to4 interface; otherwise the auto-configuration of radvd will fail.

My /etc/config/radvd looks as follows:

To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:

Add the following rules to your /etc/config/firewall to allow incoming encapsulated IPv6 packets:

This can also be done via the LuCI web interface. (Note: option 'target' 'DROP' stealthed the tunnel; this was done along with dropping UDP and ICMP in the UCI firewall configuration.)

TSP Tunneling
The Tunnel Setup Protocol is used by some tunnel brokers. Gogo6 (ex Freenet6) is one of the most popular and offers a free service for individuals. The package gw6c must be installed to use this protocol (e.g. opkg update && opkg install gw6c).

gw6c is configured through a specific config file, /etc/config/gw6c. First create a free account on freenet6, then proceed to fill in the gw6c configuration file on your router. The example below assumes the user has an account, which is required to redistribute a prefix on a LAN. The userid/passwd fields must be filled with the registration credentials. Once installed, the gw6c program takes care of a lot of details itself, including the radvd configuration:

    config gw6c basic
        # Comment out next line to enable gw6c
        option disabled 0
        # Leave empty if connecting anonymously
        option userid

    config gw6c routing
        # host_type
        option host_type router
        option prefixlen 56
        option ifprefix br-lan
        # DNS server list to which the reverse prefix
        # will be delegated. Separate servers with :
        option dns_server

    config gw6c advanced
        # Location where to store configuration file
        option gw6c_conf /tmp/gw6c.conf
        option gw6c_dir /usr/share/gw6c
        option auto_retry yes
        option retry_delay 30
        option keepalive yes
        # keepalive interval
        option interval 30
        # tunnel_mode
        option if_v6v4 sit1
        option if_v6udpv4 tun
        option if_v4v6 sit0
        option client_v4 auto
        option client_v6 auto
        option template openwrt
        option proxy_client no

    config gw6c broker
        option broker_list /etc/config/gw6c-broker-list.txt
        option last_server /etc/config/gw6c-last-server.txt
        # Always use last known working server?

    config gw6c logging
        option log_console 0
        option log_stderr 1
        option log_file 0
        option log_syslog 0
        option log_filename /var/log/gw6c.log
        option log_rotation yes
        # Max size when using log file rotation
        # possible values: 16|32|128|1024
        option log_maxsize 32

In this case, manual radvd configuration is not required: /etc/config/radvd must be kept disabled.

Start the Gateway6 client with the following command:

    /etc/init.d/gw6c start

Auto-start after OpenWrt has booted up:

    /etc/init.d/gw6c enable

Untested - please correct as needed.

NAT tunneling
NAT tunneling is a technique that provides the user with a routable IPv6 address while using NAT to keep access to IPv4 websites (the client may NOT have a routable IPv4 address anymore). Some ISPs are experimenting with this: AAISP (UK). To be completed - please help.

Propagate IPv6 subnet to LAN
Once IPv6 works on the router, it is necessary to spread it on the internal network. Multiple methods are possible, from static routing to auto-configuration. For the latter, two options exist:

RADVD
The router advertisement daemon (radvd) is fully supported by OpenWrt. Please consult the radvd UCI page for a full complement of configuration options. To begin with, install radvd with:

    opkg update && opkg install radvd

The simplest case is static IPv6 assignment. /etc/config/radvd:

    config interface
        option interface 'lan'
        option AdvSendAdvert 1
        option AdvManagedFlag 0
        option AdvOtherConfigFlag 0
        option AdvLinkMTU 1452   # Optional - only provide if it is also provided in /etc/config/network
        option ignore 0

    config prefix
        option interface 'lan'
        # If not specified, a non-link-local prefix of the interface is used
        option prefix '2001:123:456:7::/'   # Optional - only necessary if the lan interface has multiple global IP addresses assigned
        option AdvOnLink 1
        option AdvAutonomous 1
        option AdvRouterAddr 0
        option ignore 0

This configuration is sufficient to enable radvd on the router and broadcast auto-configuration announcements to the clients on the LAN. The MTU specified MUST be identical to the one set in the /etc/config/network section, if provided. If you are connecting through a tunnel, ensure that your MTU matches that of your tunnel. Otherwise, do not provide it.

Don't forget to enable radvd at boot. You can do this in the LuCI web interface at Administration → Services → Initscripts: look for radvd and check whether it is enabled.

On the LAN side, note that by default the computers take the announced prefix, concatenate it with the MAC address of the interface, and this becomes the routable IPv6 address of the computer. Since this behavior has been controversial for privacy reasons, it may be changed on each computer independently. Doing so changes the IPv6 address of the station at each reboot, which is not suitable for a server. To have a fixed IPv6 address for a computer, use a static assignment, or a DHCPv6 server (see below).

DHCPv6
This shows you how to set up DHCPv6 so that LAN clients get their IPv6 addresses from a pool, instead of concatenating random numbers, or some function of their MAC address, with your prefix.

First, you need to install a DHCPv6 server:

    opkg update
    opkg install wide-dhcpv6-server

Now enable the server in /etc/config/dhcp6s. Then create a config file /etc/dhcp6s.conf with something like:

This allocates addresses from a pool of 4096 with a lease time of 24 hours. Finally, you need to change some radvd settings so that it tells clients to use DHCPv6 to get the rest of their settings:

Then restart the services and you're away (hopefully!).

DNS check and configuration
If you can do a successful ping6 ipv6.google.com from the router, then obviously your dnsmasq successfully resolves the IPv6 address, and you have IPv6 connectivity. Congratulations! If you can't do the ping6 above, but you can do a ping6 2a00:1450:8002::93, then your dnsmasq (or the server from which it queries) does not successfully resolve IPv6 addresses, and you need to fix this problem.

(TBD) IPv6 only access (using an intermediate machine to contact IPv4-only servers)

(TBD) NAT

NAT-PT

DSTM

Packet filter
→ To configure the UCI config file /etc/config/firewall, see there. IPv6 rules can be set up with this alone.
→ To set up a firewall without UCI, please read netfilter, especially ip6tables and ipv6.

Warning No1: There is no NAT in IPv6. While NAT was never intended as a security feature, it did nonetheless serve as one, because unless you specified port forwardings the ports were una

Warning No2: The IPv6 specs demand that Path MTU Discovery works correctly, because packet fragmentation is not performed by routers! So if you configure your packet filter like an imbecile and drop all ICMPv6 packets without distinguishing, you will break this functionality and funny things will occur! Cf. → RFC40 – ICMPv6 Filtering Recommendations

Note: firewall v1 (e.g. still in Backfire 10.03.1-rc4 and up to r25353) has no default rules at all, and the ip6tables configuration needs to be done from scratch. Insert the rules below to make

    ip6tables -A FORWARD -i br-lan -j ACCEPT
    ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ip6tables -A FORWARD -j REJECT

doc/howto/ipv6.txt · Last modified: 2011/10/06 16:25 by orca
http://wiki.openwrt.org/doc/howto/ipv6
