R7000 and IPv6

DD-WRT Forum Index -> Broadcom SoC based Hardware, page 23 of 37. All times are GMT.
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Mon Aug 18, 2014 1:57
@Rolfl

It should be fairly generic; however, I did remove the following from my ruleset:

ip6tables -A INPUT -s ff00::/8 -j ACCEPT

This does not hinder general home use, but it does not respect the fact that all routers should be listening on the all-routers, all-nodes, etc. multicast addresses.

I have no idea if kong will implement this or not.

I do expect the IETF to revise their BCP (best current practices) at some point.

You only need to set this for the interfaces on which you will be sending RAs. This needs to be done as there is no MTU setting in dnsmasq. Dnsmasq will read these values to set the RAs.
garyd9
DD-WRT Novice


Joined: 10 Aug 2014
Posts: 28

Posted: Mon Aug 18, 2014 13:12
By the way, thanks everyone for filling in the gaps in my knowledge with the IPv6 firewalling.

I have an ipv6 request (for Kong, I guess):

I realize that IPv6 support in DD-WRT is still in the very early stages, but when using the web interface to set Access Restrictions, they are only applied with the normal "iptables". These rules are mostly useless when IPv6 is active, as it seems that IPv6 packets completely ignore the IPv4 iptables (even MAC address filters). (And in case anyone is interested, Android's YouTube app works perfectly when IPv4 is blocked but IPv6 is enabled.)

So, for at least the most basic access restrictions (based on MAC address and a complete DENY), can the interface please also call ip6tables? I think the parameters would be identical for these very basic filters.

Also, related to the above query, but not quite on topic for this thread, why are ipv4 table MAC address filters always duplicated twice? (Add a simple MAC deny in access restrictions, run "iptables -L" and see that the MAC appears twice in the newly added chain.)

Thanks
Gary
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Fri Aug 22, 2014 4:20
JAMESMTL Generic ipv6 tunnel script

2014-08-21A/B
- 6rd DHCP option 212, 6rd static ISP info, 6in4, and 6to4
- supports variable prefix sizes
- ipv6 on guest networks and vlans (auto or manual) - requires /63 + prefix size
- integrated ipv6 firewall
- dynamic radvd config
- option to not start radvd if using dnsmasq for ipv6
- sets mtu for all ipv6 interfaces (needed for ipv6 dnsmasq)
- keepalives for webif changes and wanip changes via cron (takes a minute to recover)

2014-08-21C
- Includes RADVD stopservice when RADVD disabled

2014-08-22A
- Added auto MTU (wan MTU - 20)
- Added support for dnsmasq ipv6 configuration (Requires DD-WRT v24865)
- Added dnsmasq ipv6 settings keepalives

2014-08-22C
- Reset default dnsmasq config every execution

2014-08-23A
- Added ipv6 firewall support for dynamic prefix hosts (protocol & port) for dnsmasq.
- Added support for custom dnsmasq host file

2014-08-24A
- Added basic ipv6 ddns

2014-08-27A
- Added force DDNS update after x days

2014-08-30A
- DDNS changes

2014-09-05A
--------------
- Fixed cron keepalives
- DDNS changes (see revised notes 2014-08-24)
- Use ON/OFF instead of YES/NO
- Allow use radvd for RAs and dnsmasq for DHCPv6

2014-09-17A
--------------
- Fix keepalive for pppoe users

2016-04-03A
--------------
- Add TCPMSS clamping via mangle table if module is available. Otherwise use filter table
- Permit IPv6 OpenVPN tunnel users to access router and LAN
- Fix DNSMASQ restart using DDWRT command line parameters

**** If using this script via admin->commands save startup, make sure you have at least 18K free nvram

Read the readme.

Attachments:

ip6tun.ipup.txt (description: 2016-04-03A), 18.54 KB, downloaded 1336 times
readme.txt (description: Read Me First), 6.42 KB, downloaded 1076 times

Last edited by JAMESMTL on Mon Apr 04, 2016 4:54; edited 18 times in total
s-f-r-j
DD-WRT User


Joined: 27 Sep 2011
Posts: 236

Posted: Fri Aug 22, 2014 14:35
Works perfectly with 6rd.

Thanks James :)
drbrains
DD-WRT Novice


Joined: 27 Jul 2012
Posts: 11

Posted: Fri Aug 22, 2014 19:01
ICMP appears "filtered" on Win 7/8 laptops/tablets. ICMP tests perfectly under OS X (10.9.4).

Same with DNSv6: perfect under OS X, not showing on Win 7/8.

Based on the OS X findings, the script works perfectly on 6to4 (ziggo.nl).

The WAN doesn't get an IPv6 assigned. Not sure if this is 6to4 related or something missing in the setup?

(R7000 DD-WRT build 24865M)
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Fri Aug 22, 2014 19:38
drbrains wrote:
ICMP appears "filtered" on Win 7/8 laptops/tablets. ICMP tests perfectly under OS X (10.9.4).

Same with DNSv6: perfect under OS X, not showing on Win 7/8.

Based on the OS X findings, the script works perfectly on 6to4 (ziggo.nl).

The WAN doesn't get an IPv6 assigned. Not sure if this is 6to4 related or something missing in the setup?

(R7000 DD-WRT build 24865M)



Windows Firewall blocks ICMPv6 by default. To enable it, modify the inbound rules -> File and Printer Sharing (Echo Request - ICMPv6-In).

All IPv6 tunnel traffic (6rd, 6in4, 6to4) passes via the tunnel interface (ip6tun), which becomes your IPv6 WAN interface, not vlan2 (or ppp0 for PPPoE users).

Windows does not assign RA RDNSS servers as the IPv6 DNS server. To assign an IPv6 DNS server to Windows, configure the dnsmasq IPv6 settings or enable dhcp6s.

If enabling dhcp6s you will need to set the DNS server on the IPv6 page. Dhcp6s only supports br0 by default.

My preferred method is the IPv6 version of dnsmasq. To enable the IPv6 dnsmasq settings, set "use radvd" to NO in the script and add the following to the dnsmasq options on the Services page:

interface=br0,wl0.1,wl1.1
dhcp-range=::,constructor:br0,ra-stateless,ra-names,2m
dhcp-range=::,constructor:wl0.1,ra-stateless,ra-names,2m
dhcp-range=::,constructor:wl1.1,ra-stateless,ra-names,2m
ra-param=*,10,60
enable-ra
quiet-dhcp
quiet-dhcp6
quiet-ra


- You may not need the interface option if you are not using the R7000 as a PPTP server.
- The dhcp-range command adds support for the interface defined. If you are not using guest networks etc. then just use br0.
- If you want to assign IPv6 IPs via DHCPv6 then use:

dhcp-range=::1000,::ffff,constructor:br0,ra-stateless,ra-names,2m

You will still get SLAAC addresses. To turn off SLAAC addresses:

dhcp-range=::1000,::ffff,constructor:br0,2m
drbrains
DD-WRT Novice


Joined: 27 Jul 2012
Posts: 11

Posted: Fri Aug 22, 2014 20:58
Thanks!! I added the dnsmasq settings etc. Works like a charm.

I was using PPTP and OpenVPN but have to reconfigure everything after a "clean" install after upgrading to the latest build.

I found the ICMP settings and enabled them, but they still test as "filtered". I have to read up on SLAAC. For now I keep them enabled, but this also shows red on the test site.

Since it still is a 6to4 tunnel, I am not sure if I will have all the benefits, such as being able to address any device directly from the internet. Either way I have lots of stuff to read and learn about the upcoming IPv6 and all the additional configurations.

Thanks a lot!
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Fri Aug 22, 2014 21:42
drbrains wrote:
Thanks!! I added the dnsmasq settings etc. Works like a charm.

I was using PPTP and OpenVPN but have to reconfigure everything after a "clean" install after upgrading to the latest build.

I found the ICMP settings and enabled them, but they still test as "filtered". I have to read up on SLAAC. For now I keep them enabled, but this also shows red on the test site.

Since it still is a 6to4 tunnel, I am not sure if I will have all the benefits, such as being able to address any device directly from the internet. Either way I have lots of stuff to read and learn about the upcoming IPv6 and all the additional configurations.

Thanks a lot!


For the firewall: under Scope, allow any remote IP (delete the default range); under Advanced, enable Domain, Private and Public.

Which test site are you referring to? Remote testing for SLAAC (stateless addressing) is impossible unless the client uses an EUI-64 type of address. When using privacy extensions, which are pretty much the norm today, there is no telltale FFFE in the address.

Yes, you can address devices from the internet. It's a lot easier to do if your IPv4 WAN address does not change all the time, since your 6to4 is calculated based on that WAN IP.

First you would want to assign a fixed IPv6 address to the device. This is done by adding the host to your dnsmasq options; [::xxx] is the IPv6 address reservation.

Example:
If the device is not given a static IPv4 address in the webif:
dhcp-host=d0:23:db:cc:bb:aa,id:*,TESTDEVICE,192.168.1.101,[::7500],2m
Otherwise, if the device already has an IPv4 reserved address:
dhcp-host=d0:23:db:cc:bb:aa,id:*,TESTDEVICE,[::7500],2m

You would then have to open the port you want in the firewall section.

Ex.:
ip6tables -A FORWARD -d 2002:XXXX:XXXX::7500 -p tcp --dport 80 -j ACCEPT

If your IPv4 address changes then you're going to need some scripting for port control.

I am in the process of re-writing my scripts for dnsmasq & ipv6 firewall ports for dynamic prefixes. I'll probably release a revised script this weekend.

The last part of the puzzle is ddns for ipv6 but that's for another day.

*** edit

If you want to access a device from the WAN, why not open a tunnelbroker.net 6in4 account? You will get access to a static 6in4 tunnel and can request a /48 prefix. 6in4 is superior to 6to4 and accounts are free.
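The two steps above (a dnsmasq reservation for the host's interface-id suffix, then an ip6tables FORWARD rule for the resulting address) and the remark that 6to4 is derived from the WAN IP can be put together in one small script. The following is an added example, not from this thread or from JAMESMTL's ip6tun script: it derives the 6to4 /48 prefix from the IPv4 WAN address (RFC 3056: 2002:WWXX:YYZZ::/48, where WW.XX.YY.ZZ is the IPv4 address in hex), builds the dhcp-host line and the matching FORWARD rule for one host, and prints the rule rather than applying it. The WAN address 192.0.2.1, the MAC d0:23:db:cc:bb:aa, the name TESTDEVICE, the suffix ::7500 and port 80 are constructed sample values; on a router the WAN address would be read from `nvram get wan_ipaddr` instead.

```sh
#!/bin/sh
# Added example, not from this thread or from JAMESMTL's ip6tun script.
# Given the IPv4 WAN address, derive the 6to4 /48 prefix (RFC 3056:
# 2002:WWXX:YYZZ::/48 where WW.XX.YY.ZZ is the IPv4 address), then build
# the dnsmasq reservation and the ip6tables FORWARD rule for one host.
# Rules are printed, not applied, so they can be reviewed first.
# Sample values (constructed): WAN 192.0.2.1, MAC d0:23:db:cc:bb:aa,
# host TESTDEVICE, reserved suffix ::7500, TCP port 80.

# Print the 6to4 prefix for an IPv4 address, e.g. 192.0.2.1 -> 2002:c000:0201
# Returns 1 for anything that is not four decimal octets in 0-255.
ipv4_to_6to4_prefix() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            # empty, non-numeric, or a leading zero (printf would read it as octal)
            ''|*[!0-9]*|0?*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x' "$1" "$2" "$3" "$4"
}

# Full address of a host = prefix + the interface-id suffix dnsmasq reserves.
host_address() {
    prefix=$(ipv4_to_6to4_prefix "$1") || return 1
    printf '%s%s' "$prefix" "$2"
}

# dnsmasq line reserving the suffix for a MAC. dnsmasq fills in the prefix
# from the constructor interface, so this line survives a WAN IP change.
dnsmasq_host_line() {
    printf 'dhcp-host=%s,id:*,%s,[%s],2m' "$1" "$2" "$3"
}

# ip6tables rule allowing inbound TCP to one port on the host. Because the
# 6to4 prefix follows the WAN IP, this is the line that has to be regenerated
# (and the stale one removed) whenever the WAN address changes.
forward_rule() {
    addr=$(host_address "$1" "$2") || return 1
    printf 'ip6tables -A FORWARD -d %s -p tcp --dport %s -j ACCEPT' "$addr" "$3"
}

# Stand-alone demo with the constructed values. On the router the WAN address
# would come from "nvram get wan_ipaddr" instead of this default.
WAN_IP=${WAN_IP:-192.0.2.1}
dnsmasq_host_line d0:23:db:cc:bb:aa TESTDEVICE ::7500; echo
forward_rule "$WAN_IP" ::7500 80; echo
```

Run it with `WAN_IP=<current WAN address> sh script.sh` to see the two lines for a given address; a keepalive that runs it from cron and compares the output against the previously applied rule is the "scripting for port control" mentioned above. The octet validation matters because a malformed WAN value would otherwise turn into a wrong or empty prefix in an ACCEPT rule.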
lovewilliam
DD-WRT Novice


Joined: 05 Apr 2013
Posts: 18

Posted: Wed Aug 27, 2014 22:18
NiTrus wrote:
**** UPDATED ON PAGE 4 ****

This is what I did to get IPv6 working: Comcast Native-IPv6

1. Install wide-dhcpv6-client and install rdisc6 from: http://downloads.openwrt.org/attitude_adjustment/12.09/omap4/generic/packages/

2. Go here: http://fibredsum.wordpress.com/2012/08/10/adding-dhcpv6-pd-support-to-dd-wrt/ and follow steps 7-14.

3. Install ip6tables (there are a few dependent files needed also) from the above repository.

4. Create a script called load-ipv6.sh with the code below (thanks to Bascom) and
put it in /jffs/etc/config

Code:

#!/bin/sh

## First, load a set of modules!!

insmod nf_defrag_ipv6
insmod ip6_tables.ko
insmod nf_conntrack_ipv6.ko
insmod ip6table_filter.ko

## A few basic ip6tables rules

ip6tables -F INPUT
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -s fe80::/64 -j ACCEPT
ip6tables -A INPUT -j DROP
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -j ACCEPT
## NOTE: the unconditional ACCEPT above matches every forwarded packet, so the DROP below is never reached
ip6tables -A FORWARD -j DROP


5. Make sure to add these to the router startup scripts:
/jffs/etc/config/dhcp6c.wanup
/jffs/etc/config/rdisc6.wanup
/jffs/etc/config/load-ipv6.sh

6. Reboot.

7. Go to http://test-ipv6.com

Hopefully 10/10 on the IPv6 test!!


Thanks! This saved me on my Comcast network and WZR-1750DHP router.
DaveTheNerd
DD-WRT User


Joined: 15 Jul 2008
Posts: 317

Posted: Fri Aug 29, 2014 12:19
lovewilliam wrote:
...snip...
Thanks! This saved me on my Comcast network and WZR-1750DHP router.


This (at least in my experience) is no longer necessary, though, right? I just used the built-in stuff and everything comes up roses with Comcast Native-IPv6.
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Aug 30, 2014 22:01
DaveTheNerd wrote:
lovewilliam wrote:
...snip...
Thanks! This saved me on my Comcast network and WZR-1750DHP router.


This (at least in my experience) is no longer necessary, though, right? I just used the built-in stuff and everything comes up roses with Comcast Native-IPv6.


Pretty much.

Not to mention the instructions referenced were outdated and made mention that updated instructions were available. In the end though, all that matters is that it works.
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

Posted: Sat Sep 13, 2014 19:40
Don't know if this thread is dead or not, but just thought that I'd add that IPv6 is now working for me on Comcast. This is using defaults on 25000M build.

Don't know what changed from 24865M, just happy to see this.
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

Posted: Sat Sep 13, 2014 21:47
Just ran into this:

root@DD-WRT:~# ip6tables -t mangle -L -v
ip6tables v1.3.7: can't initialize ip6tables table `mangle': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
root@DD-WRT:~#

I'm concerned about this, since I need to have a mangle rule to deal with the "neighbour table overflow" messages that I get courtesy of Comcast.

I assume that there must be a later (or different) version of ip6tables out there that includes the "mangle" rules and table?

It would be nice to put in a later version of ip6tables to allow this.

Thanks.
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

Posted: Sat Sep 13, 2014 22:54
MrDoh wrote:
Just ran into this:

root@DD-WRT:~# ip6tables -t mangle -L -v
ip6tables v1.3.7: can't initialize ip6tables table `mangle': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
root@DD-WRT:~#

I'm concerned about this, since I need to have a mangle rule to deal with the "neighbour table overflow" messages that I get courtesy of Comcast.

I assume that there must be a later (or different) version of ip6tables out there that includes the "mangle" rules and table?

It would be nice to put in a later version of ip6tables to allow this.

Thanks.


Are you getting those messages with DD-WRT? If so, dropping NS/NA over vlan2 should probably clear things up, since you're using DHCPv6 to get your addressing anyway.
MrDoh
DD-WRT Guru


Joined: 04 Dec 2012
Posts: 647

Posted: Sat Sep 13, 2014 23:35
JAMESMTL wrote:
MrDoh wrote:
Just ran into this:

root@DD-WRT:~# ip6tables -t mangle -L -v
ip6tables v1.3.7: can't initialize ip6tables table `mangle': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
root@DD-WRT:~#

I'm concerned about this, since I need to have a mangle rule to deal with the "neighbour table overflow" messages that I get courtesy of Comcast.

I assume that there must be a later (or different) version of ip6tables out there that includes the "mangle" rules and table?

It would be nice to put in a later version of ip6tables to allow this.

Thanks.


Are you getting those messages with DD-WRT? If so, dropping NS/NA over vlan2 should probably clear things up, since you're using DHCPv6 to get your addressing anyway.


I get those messages no matter what firmware I use, and have been able to dispose of them (until now) with any firmware that allows me to add ip6tables rules :). This is the first firmware that I've run into that doesn't know about "mangle".