ip6tables Script for TunnelBroker.net

crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Tue Jan 08, 2013 19:57
slobodan wrote:
Well, ipkg-opt update
ipkg-opt install iptables.

This is how I have installed iptables. It is from the ipkg.nlsu2-linux.org repository.

Thank you for that information. I have installed the optware version of iptables. I might throw a message to basmaf and see if it might include the install for it in his version of OTRW.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Climax69
DD-WRT Novice


Joined: 15 Nov 2009
Posts: 38

Posted: Mon Mar 03, 2014 18:58
When can we expect version 1.4.0 loaded by default in the dd-wrt firmware?
gbonny
DD-WRT User


Joined: 12 Dec 2014
Posts: 71

Posted: Sun Jan 25, 2015 18:33    Post subject: Re: ip6tables Script for TunnelBroker.net
unknown26 wrote:
Here is my final ip6tables script (Note this is for Hurricane Electric Tunnelbroker)

Code:

# Allows you to access port forwards to internal computers with ipv4 WAN IP
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP

# allow dhcp
ip6tables -A OUTPUT -o br0 -p udp --dport 547 -j ACCEPT
ip6tables -A INPUT  -i br0 -p udp --dport 546 -j ACCEPT

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
#ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
#ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
#ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs

#Allow Specific Port on all ipv6 devices in network
#ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#ip6tables -A FORWARD -p tcp --dport 21 -j ACCEPT

#Allow Specific Port on specific ipv6 address in network
#ip6tables -A FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 21 -j ACCEPT


This script will provide protection and block all traffic from having direct access to your devices. However devices from outside network will be able to ping as this script has icmpv6 enabled. By default your computer won't have any open ports so that's why I made a line that will open a port to your specific ipv6 address and a line that will open a specific port to all your devices.

1111:222:3333:555:6666:7777:8888:9999 - (This number being the ipv6 address of the computer)
--dport 21 - (21 Being the number of port to open)

Yes, it's all finished and complete

I see three times duplicate entries for both these interfaces:
- he-ipv6
- tun6to4

One is enough (it all depends on your interface name), right? So I've commented he-ipv6 out.

I've had issues with doing a DHCP renew, so that's why I've added accept dport 547 and 546 on br0. For the rest it looks great, thanks! TL-WDR4300 r25697

_________________
ATH TL-WDR4300 v1.3 41686 std K3.10 - router - JFFS2, DynDNS, DNSMasq (DHCP+DNS)
ATH WRT160NL v1.0 42132 std K3.10 - router
BRCM WRT160N v1.0 26635 vpn K2.4 - router
BRCM WRT320N v1.0 27858 mega K3.10 - access point
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sun Jan 25, 2015 20:36
Those rules seem a little wonky to me. There is no reason to filter OUTPUT chain. No reason to filter local br0 traffic. Definitely no reason to filter lo.

The ipv6 address space in use today is not limited to 2001::/16

For a simple ruleset, why not use the default webif iptables generated when you set up ipv6, and add forward echo requests and allow all traffic from br0 for INPUT?
gbonny
DD-WRT User


Joined: 12 Dec 2014
Posts: 71

Posted: Mon Jan 26, 2015 22:35
JAMESMTL wrote:
Those rules seem a little wonky to me. There is no reason to filter OUTPUT chain. No reason to filter local br0 traffic. Definitely no reason to filter lo.

The ipv6 address space in use today is not limited to 2001::/16

For a simple ruleset, why not use the default webif iptables generated when you set up ipv6, and add forward echo requests and allow all traffic from br0 for INPUT?

Thanks, essentially you mean the ipv6 firewall script is provided by DD-WRT currently? I've checked ip6tables -L and it indeed lists some entries by default. icmpv6 is filtered however when I test it.. 17 out of 20 score on ipv6-test.com or was it test-ipv6.com..


Code:
root@DD-WRT4300:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0        anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     icmpv6    anywhere             anywhere
ACCEPT     0        fe80::/64            anywhere
ACCEPT     udp      anywhere             anywhere           udp dpt:546
DROP       0        anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp      anywhere             anywhere           tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     0        anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     0        anywhere             anywhere
DROP       0        anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Mon Jan 26, 2015 23:31
Correct. Now you should be able to add a couple of rules from admin->commands->firewall

Now before going further when you list iptables rules please use -vnL option. This way you show the in/out interface names

Ex.
ip6tables -I FORWARD 3 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -I INPUT 4 -i br0 -j ACCEPT

The first rule should allow echo requests and fix your ipv6-test.com test.
The second rule would allow LAN -> router ipv6 connectivity. Ex allow ssh, etc from lan via ipv6

I would consider this as a proper minimum ipv6 firewall ruleset. (Others may have differing opinions). You can then expand your ruleset from here.

*** edit as an added benefit / hack, the basic ruleset has mss clamping which can be helpful with google / youtube due to a recurring PMTU issue which has affected some people since November.
gbonny
DD-WRT User


Joined: 12 Dec 2014
Posts: 71

Posted: Tue Jan 27, 2015 10:21
JAMESMTL wrote:
Correct. Now you should be able to add a couple of rules from admin->commands->firewall

Now before going further when you list iptables rules please use -vnL option. This way you show the in/out interface names

Ex.
ip6tables -I FORWARD 3 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -I INPUT 4 -i br0 -j ACCEPT

The first rule should allow echo requests and fix your ipv6-test.com test.
The second rule would allow LAN -> router ipv6 connectivity. Ex allow ssh, etc from lan via ipv6

I would consider this as a proper minimum ipv6 firewall ruleset. (Others may have differing opinions). You can then expand your ruleset from here.

*** edit as an added benefit / hack, the basic ruleset has mss clamping which can be helpful with google / youtube due to a recurring PMTU issue which has affected some people since November.

Thanks! icmpv6 is required for proper ipv6, right? Gonna test this tonight.
Like you say, it should be the base ruleset (meantime this would fix it).

Regarding "ip6tables -I INPUT 4 -i br0 -j ACCEPT" the other way around (ipv6 to ipv4) is in the base ipv4 ruleset incorporated normally?

A last question, when I want to open an IPv6 port in the fw for a device (insert before the drop rule; it works sequentially? INPUT and/or FORWARD chain?), I should open it for the whole routed IPv6 subnet or is there a feature/technology (UPNP-like) to open the port for a specific IPv6 address (ip address could change and I preferably don't want to administer this manually..)?

PS/edit, what do you mean with your last sentence regarding "mss clamping" is this enabled by default (which line is it in my config)? HE uses 1480 by default for as far as I know.

Google: A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Jan 27, 2015 16:11
gbonny wrote:
Regarding "ip6tables -I INPUT 4 -i br0 -j ACCEPT" the other way around (ipv6 to ipv4) is in the base ipv4 ruleset incorporated normally?


Not sure what you're trying to say. The above says:
ip6tables -I INPUT 4 (insert as rule 4 of the INPUT chain) -i br0 -j ACCEPT (ACCEPT all ipv6 traffic from the LAN & WLAN going to the router)

If you're asking does the ipv4 ruleset allow all devices on LAN & WLAN to access the router then the answer is yes. If that's not your question then please rephrase it.

Quote:
A last question, when I want to open an IPv6 port in the fw for a device (insert before the drop rule; it works sequentially? INPUT and/or FORWARD chain?), I should open it for the whole routed IPv6 subnet or is there a feature/technology (UPNP-like) to open the port for a specific IPv6 address (ip address could change and I preferably don't want to administer this manually..)?


Can upnp work over ipv6? yes. Is it generally supported or specifically supported by ddwrt? I don't know
http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1-AnnexA.pdf

iptables rules are processed sequentially. If you want to open a port for a specific device other than the router itself then you would add it to the FORWARD chain. Ex

ip6tables -A FORWARD -d 2001:db8::100 -p tcp --dport 80 -j ACCEPT

It would be bad practice to open a port for a full prefix. Always limit the rule to the specific device you want to access externally. For devices you want to open an ipv6 port for, either assign that device a fixed address using dhcpv6 (preferably dnsmasq but dhcp6s works perfectly well) or assign a static address directly on the device.

Personally I use a script that automates the process.

Quote:
PS/edit, what do you mean with your last sentence regarding "mss clamping" is this enabled by default (which line is it in my config)? HE uses 1480 by default for as far as I know.

Google: A workaround used by some routers is to change the maximum segment size (MSS) of all TCP connections passing through links with MTU lower than the Ethernet default of 1500. This is known as MSS clamping.


Yes it is enabled by default.

TCPMSS tcp anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
gbonny
DD-WRT User


Joined: 12 Dec 2014
Posts: 71

Posted: Tue Jan 27, 2015 17:10
Thank you very much, that was exactly my question regarding LAN+WLAN IPv4 to br0 (unnecessary/silly question..).

I share your opinion that it's a bad idea to allow a port for a full prefix.

Gonna start with this in my FW Commands:
    # Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
    ip6tables -N AllowICMPs
    # Destination unreachable
    ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
    # Packet too big
    ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
    # Time exceeded
    ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
    # Parameter problem
    ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
    # Echo Request (protect against flood)
    ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
    # Echo Reply
    ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT

    # Link in tables INPUT and FORWARD (in Output we allow everything anyway)
    ip6tables -I FORWARD 3 -p icmpv6 -j AllowICMPs

    # Accept lan to router ipv6 connectivity
    ip6tables -I INPUT 4 -i br0 -j ACCEPT


Is there something more useful to add?

I wonder why this isn't default where you can optionally tick in the GUI ICMPv6 type 128 and 129 for the router (INPUT) or the prefix (FORWARD).

Gonna read the UPNP doc, thx!

gbonny
DD-WRT User


Joined: 12 Dec 2014
Posts: 71

Posted: Tue Jan 27, 2015 18:01

I'm able to ping6 my internal network from the Internet, however the score still shows up as 17 out of 20. SSH my router on IPv6 works also, great!

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Jan 27, 2015 18:01
Looks good. Your icmpv6 chain is pretty close to the example highlighted in rfc4890

You are missing a DROP at the end though
ip6tables -A AllowICMPs -j DROP


Note in my previous post I used an example of

ip6tables -A FORWARD -d 2001:db8::100 -p tcp --dport 80 -j ACCEPT

Which should have been

ip6tables -I FORWARD xx -d 2001:db8::100 -p tcp --dport 80 -j ACCEPT

Where xx is a line number before the DROP rule. -A would append the rule after the DROP rule. That being said your two rules

ip6tables -A INPUT 4 -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD 3 -p icmpv6 -j AllowICMPs

would also use insert -I and not append -A.

Personally for the input ruleset I would not add
ip6tables -I INPUT 4 -p icmpv6 -j AllowICMPs
As that has the potential to interfere with basic icmpv6 functionality needed by the router such as RS/RA,NS/NA, etc. Just leave the existing default INPUT rule as is.

For your rule
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
I would just use
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -j ACCEPT

Echo requests are used A LOT with ipv6 and rate limiting, especially with limits that low, will most likely have unexpected consequences.
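
The insert-before-DROP point from the post above, as an added example that is not part of the thread: a shell helper that reads `ip6tables -vnL <chain> --line-numbers` output, finds the catch-all DROP, prints the `-I` command that lands ahead of it, and reports rules left unreachable by a plain `-A`. The function names and sample listings are constructed for illustration, and the parser assumes the column layout shown in this thread's listings (empty `opt` column).

```shell
#!/bin/sh
# Added example, not from the thread: locate the catch-all DROP in a chain
# listing and build an insert that lands in front of it.

# Constructed sample of `ip6tables -vnL FORWARD --line-numbers`, modelled on the
# FORWARD chain posted in this thread (assumes the "opt" column prints empty).
sample_forward() {
cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      134  9688 TCPMSS     tcp      *      *       ::/0                 ::/0                 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
2     1064  270K ACCEPT     0        *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
3        7   704 AllowICMPs icmpv6   *      *       ::/0                 ::/0
4       69  5008 ACCEPT     0        *      ip6tun  ::/0                 ::/0
5        0     0 DROP       0        *      *       ::/0                 ::/0
EOF
}

# The same chain after a port rule was added with plain -A (constructed).
sample_appended() {
    sample_forward
    echo '6        0     0 ACCEPT     tcp      *      *       ::/0                 2001:db8::100        tcp dpt:80'
}

# scan_chain drop     -> number of the first catch-all DROP (nothing if none)
# scan_chain shadowed -> numbers of the rules after it, which never match
scan_chain() {
    awk -v mode="$1" '
        $1 !~ /^[0-9]+$/ { next }                       # skip the two header lines
        found && mode == "shadowed" { print $1; next }
        !found && $4 == "DROP" && NF == 9 && $6 == "*" && $7 == "*" &&
            $8 == "::/0" && $9 == "::/0" {              # any interface, any address, no match options
            found = 1
            if (mode == "drop") { print $1; exit }
        }'
}

# Print (do not run) the command that opens one TCP port to one host.
# -I CHAIN N puts the new rule at position N and pushes the DROP down to N+1.
# Arguments: chain, destination address, port; chain listing on stdin.
build_port_rule() {
    chain=$1; dest=$2; port=$3
    idx=$(scan_chain drop)
    if [ -n "$idx" ]; then
        echo "ip6tables -I $chain $idx -d $dest -p tcp --dport $port -j ACCEPT"
    else
        # No catch-all DROP in the listing, so an appended rule is not stuck behind one.
        echo "ip6tables -A $chain -d $dest -p tcp --dport $port -j ACCEPT"
    fi
}

# Live use on the router would be:
#   ip6tables -vnL FORWARD --line-numbers | build_port_rule FORWARD 2001:db8::100 80
sample_forward | build_port_rule FORWARD 2001:db8::100 80
echo "never matched after plain -A: rule $(sample_appended | scan_chain shadowed)"
```

Parsing the `-vnL` form matters here: without `-v` the interface columns are hidden, so the `ip6tun`-only ACCEPT and the catch-all DROP would be indistinguishable from unrestricted rules.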
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Jan 27, 2015 18:08
Quote:
I'm able to ping6 my internal network from the Internet, however the score still shows up as 17 out of 20. SSH my router on IPv6 works also, great!


Try my previous post. You should get 19/20. If you don't, please provide

ip6tables -vnL

And a screenshot of the test result (careful about image size or just provide a link to image)
gbonny
DD-WRT User


Joined: 12 Dec 2014
Posts: 71

Posted: Tue Jan 27, 2015 18:58
Quote:
root@DD-WRT4300:~# ip6tables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  129 10320 ACCEPT     0        *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
   44  4128 ACCEPT     icmpv6   *      *       ::/0                 ::/0
    0     0 ACCEPT     0        *      *       fe80::/64            ::/0
    0     0 ACCEPT     0        br0    *       ::/0                 ::/0
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:546
    0     0 DROP       0        *      *       ::/0                 ::/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  134  9688 TCPMSS     tcp      *      *       ::/0                 ::/0                 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 1064  270K ACCEPT     0        *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED
    7   704 AllowICMPs icmpv6   *      *       ::/0                 ::/0
   69  5008 ACCEPT     0        *      ip6tun  ::/0                 ::/0
    0     0 DROP       0        *      *       ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 184 packets, 15896 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain AllowICMPs (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 1
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 2
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 3
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 4
    7   704 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 128
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmp type 129
    0     0 DROP       0        *      *       ::/0                 ::/0

I've added "ip6tables -A AllowICMPs -j DROP" at the end.

The -I; figured that one out already ;)
And indeed I left this one out: "ip6tables -A INPUT 4 -p icmpv6 -j AllowICMPs".


The 17 out of 20 is a browser/client thingy. Win[7,8.1] + latest Firefox gives 17 out of 20, Android 4.4 with std browser gives 19 out of 20, thanks for your assistance!

Config is now:
Quote:
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
#ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Drop the rest
ip6tables -A AllowICMPs -j DROP

# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -I FORWARD 3 -p icmpv6 -j AllowICMPs

# Accept wlan lan to router ipv6 connectivity
ip6tables -I INPUT 4 -i br0 -j ACCEPT

JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Tue Jan 27, 2015 19:07
Without seeing the test result I would guess this is an ipv6 dns issue since windows does not use the radvd rDNS entry.

If you set dns entries in the ipv6 setup page all you need to do is click on enable dhcp6s and ipv6 dns will be pushed to your windows clients and they should get 19/20 as well.
gbonny
DD-WRT User


Joined: 12 Dec 2014
Posts: 71

Posted: Tue Jan 27, 2015 20:28
JAMESMTL wrote:
Without seeing the test result I would guess this is an ipv6 dns issue since windows does not use the radvd rDNS entry.

If you set dns entries in the ipv6 setup page all you need to do is click on enable dhcp6s and ipv6 dns will be pushed to your windows clients and they should get 19/20 as well.

Can dhcp6s co-exist with RADVD?