IPv6 on multiple interfaces

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
SimulationMan32
DD-WRT User


Joined: 28 Aug 2014
Posts: 135
Location: Winnipeg, MB, Canada

PostPosted: Thu May 28, 2015 18:52    Post subject: IPv6 on multiple interfaces
I am still trying to figure out how IPv6 works and such. This is where I am at. I have been able to get a HE tunnel set up and connect through it on br0. I have mostly Windows machines. I have been using DNSMasq like this:
Code:
interface=br0,br1,br2
dhcp-range=::1000,::FFFF,constructor:br0,300
dhcp-range=::1000,::FFFF,constructor:br1,300
dhcp-range=::1000,::FFFF,constructor:br2,300
ra-param=*,10,300
enable-ra
quiet-ra
quiet-dhcp
quiet-dhcp6


but I cannot get an IPv6 address on br1/br2.

Also as a side note, I would (if possible) like to try radvd/dhcp6s.

The firewall is as follows:

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br2 -m state --state NEW -j DROP
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset
iptables -I INPUT 2 -s 66.220.2.74 -p icmp -j ACCEPT
ip6tables -I FORWARD 3 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -I INPUT 4 -i br0 -j ACCEPT
ip6tables -I INPUT 5 -i br1 -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 6 -i br1 -p udp --dport 547 -j ACCEPT
ip6tables -I INPUT 7 -i br2 -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 8 -i br2 -p udp --dport 547 -j ACCEPT

_________________
KONG Builds for R7000, AC68U
Brainslayer for everything else
KrypteX
DD-WRT Guru


Joined: 18 Jan 2014
Posts: 2411

PostPosted: Thu May 28, 2015 19:07
What build version are you testing? Make sure you use the latest build, 27096.
_________________
THERE ARE NO STRANGERS HERE; ONLY FRIENDS YOU HAVEN'T YET MET.
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Thu May 28, 2015 20:34
First off, iptables is for IPv4. ip6tables is for IPv6.

The proper way to set this up would be to

1. Get a /48 prefix from HE
2. Assign different /64s to br0, br1, br2

Ex. /48 from 2001:470:9999::/48

Assign
2001:470:9999:1::/64 to br0
2001:470:9999:2::/64 to br1
2001:470:9999:3::/64 to br2

Note: I prefer assigning prefixes to routers ending in ::1, such as 2001:470:9999:1::1, but when the webif was set up the devs decided to use ::0 instead.

To assign addresses to br1 & 2 you can add the following commands to admin->commands->firewall commands

ip -6 addr add 2001:470:9999:1::/64 dev br1
ip -6 addr add 2001:470:9999:2::/64 dev br2

Now make sure to set the IPv6 MTU of each IF to the appropriate value by also adding these commands to firewall commands. This is needed for dnsmasq to broadcast the appropriate value in its RAs.

echo 1480 > /proc/sys/net/ipv6/conf/br0/mtu
echo 1480 > /proc/sys/net/ipv6/conf/br1/mtu
echo 1480 > /proc/sys/net/ipv6/conf/br2/mtu

MTU should be WAN MTU - 20. Normally 1480 for cable (DHCP), 1472 for DSL (PPPoE).

You will need to add a few ip6tables rules for br1 & br2. Add them to firewall commands as well.

ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT

If your devices get IPv6 addresses but are not able to access the net, please post the result from:

ip6tables -vnL

I would suggest sticking with dnsmasq rather than using radvd + dhcp6s, especially if you want to reserve IP addresses, since dnsmasq can work with device MAC addresses whereas dhcp6s only works with DUIDs.

Personally I use a script but the above should get you up and running.
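As an added example (not code from the thread or from DD-WRT), the layout JAMESMTL describes above turned into a small generator for the firewall-commands box: one /64 per bridge carved from the /48, the per-interface IPv6 MTU derived from the WAN MTU, and the three ip6tables rules from his post. It assumes, beyond what the thread states, that bridge number N gets subnet N of the /48, that the router takes ::1 in each /64 (the choice JAMESMTL says he prefers), and that 2001:470:9999 is the placeholder prefix from his post. It also adds the check a practitioner wants here: the resulting MTU must not drop below the 1280-byte IPv6 minimum, because an RA advertising less than that would break hosts.

```shell
#!/bin/sh
# Added example, not from the thread: generate DD-WRT "firewall commands" for
# one /64 per bridge, the IPv6 MTU on each bridge, and the ip6tables rules.
# Assumptions: bridge N gets subnet N of the /48, router address is ::1 in each /64,
# and 2001:470:9999 is a placeholder /48 (as in the post).

# lan_ipv6_mtu WAN_MTU
# IPv6 MTU for the LAN side of a 6in4 (HE) tunnel: WAN MTU minus the 20-byte IPv4 header.
lan_ipv6_mtu() {
    echo $(( $1 - 20 ))
}

# gen_ipv6_commands PREFIX48 WAN_MTU BRIDGE...
# PREFIX48 is the first three hextets of the /48, e.g. 2001:470:9999.
# Prints the commands to paste into admin->commands->firewall commands; exits 1
# if the prefix is not a /48 or the derived MTU is below the 1280-byte IPv6 minimum.
gen_ipv6_commands() {
    prefix="$1"; wan_mtu="$2"; shift 2

    case "$prefix" in
        *:*:*:*) echo "prefix must be exactly three hextets (a /48), got $prefix" >&2; return 1 ;;
        *:*:*)   ;;
        *)       echo "prefix must be exactly three hextets (a /48), got $prefix" >&2; return 1 ;;
    esac

    mtu=$(lan_ipv6_mtu "$wan_mtu")
    if [ "$mtu" -lt 1280 ]; then
        echo "WAN MTU $wan_mtu gives IPv6 MTU $mtu, below the 1280 minimum" >&2
        return 1
    fi

    n=1
    for br in "$@"; do
        # one /64 per bridge with the router at ::1, then the per-interface IPv6 MTU
        echo "ip -6 addr add ${prefix}:${n}::1/64 dev ${br}"
        echo "echo ${mtu} > /proc/sys/net/ipv6/conf/${br}/mtu"
        n=$(( n + 1 ))
    done

    # the ip6tables rules from the post: DNS and DHCPv6 to the router from any
    # bridge, and ICMPv6 echo-request forwarded so ping works through the router
    echo "ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT"
    echo "ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT"
    echo "ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT"
}

# usage: cable WAN (MTU 1500) with three bridges
gen_ipv6_commands 2001:470:9999 1500 br0 br1 br2
```

Run it once with the real prefix and WAN MTU and paste the output into the firewall-commands box; a DSL line with a 1492 MTU yields 1472 on every bridge, matching the values in the post.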
SimulationMan32
DD-WRT User


Joined: 28 Aug 2014
Posts: 135
Location: Winnipeg, MB, Canada

PostPosted: Fri May 29, 2015 0:15
KrypteX wrote:
What build version are you testing? Make sure you use the latest build, 27096.


Sorry, outdated sig. I use Kong's latest. At this point that is build 27085.

JAMESMTL wrote:
First off, iptables is for IPv4. ip6tables is for IPv6.


Yep, got that. Just thought I'd post everything that was going on, as those access points are separated.

I am in the process of setting it up. Quick question, what exactly goes under the prefix length and Assigned / Routed Prefix sections? Do I need to assign the router an Address?

_________________
KONG Builds for R7000, AC68U
Brainslayer for everything else
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Fri May 29, 2015 3:29
See http://www.dd-wrt.com/phpBB2/viewtopic.php?p=909299#909299

Unless you are setting everything up by script, follow that layout. This is more of a precaution if you ever try radvd / dhcp6s via webif. Not really a problem for dnsmasq though.
SimulationMan32
DD-WRT User


Joined: 28 Aug 2014
Posts: 135
Location: Winnipeg, MB, Canada

PostPosted: Fri May 29, 2015 4:52
Okay, I think I have it figured out. One question: in Windows it is showing an fe80:: address under IPv6 default gateway. Is this how it is supposed to be?

EDIT: A quick test still shows ICMP as filtered. I thought this was supposed to fix it?
Code:
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT

_________________
KONG Builds for R7000, AC68U
Brainslayer for everything else
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Fri May 29, 2015 8:53
Yes, the link-local address of the router's bridge IF is the proper gateway.

And yes, the ip6tables rule should have enabled ping. Please post the result of

ip6tables -vnL
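Added example, not from the thread: when the echo-request rule is in place but pings still show as filtered, the `ip6tables -vnL` listing JAMESMTL asks for is what tells you which rule actually decides the verdict, since `-I FORWARD 2` only lands the rule at position 2 of whatever is already there. This script reads such a listing and reports the first rule in a chain that matches an unsolicited ICMPv6 echo-request, or the chain policy if none does. The two listings inside it are constructed for the example (they are not output from the poster's router), and the parser simplifies by treating only interface-agnostic catch-all rules as matching.

```shell
#!/bin/sh
# Added example, not from the thread: find which rule in an ip6tables chain decides
# an unsolicited ICMPv6 echo-request, from `ip6tables -vnL` output on stdin.
# The sample listings below are constructed for this example.

# first_echo_request_rule CHAIN
# Prints "<target> <rule number>" for the first matching rule in CHAIN, or
# "policy <verdict>" when the chain policy decides. Simplification: a rule with
# prot "all", in/out "*" and no extra match is a catch-all; interface-bound
# rules are skipped.
first_echo_request_rule() {
    awk -v chain="$1" '
        /^Chain / {
            cur = $2; idx = 0
            if (cur == chain) chain_policy = ($3 == "(policy") ? $4 : "none"
            next
        }
        /^ *pkts +bytes/ || NF == 0 { next }
        cur != chain { next }
        {
            idx++
            # columns: pkts bytes target prot opt in out source destination [matches...]
            icmp_echo = ($4 == "ipv6-icmp" || $4 == "58") &&
                        ($0 ~ /ipv6-icmptype 128/ || $0 ~ /echo-request/ || NF == 9)
            catch_all = ($4 == "all" && NF == 9 && $6 == "*" && $7 == "*")
            if (icmp_echo || catch_all) { print $3, idx; found = 1; exit }
        }
        END { if (!found) print "policy", chain_policy }
    '
}

# Constructed listing: the ACCEPT was inserted at position 2, below an existing
# DROP for the same ICMPv6 type, so echo-requests are still dropped.
SAMPLE_STILL_FILTERED='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 ACCEPT     all      --  lo     *       ::/0                 ::/0
   40  3200 ACCEPT     udp      --  br+    *       ::/0                 ::/0                 udp dpt:547
   30  2400 ACCEPT     udp      --  br+    *       ::/0                 ::/0                 udp dpt:53

Chain FORWARD (policy DROP 5 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   560 DROP       ipv6-icmp --  *      *       ::/0                 ::/0                 ipv6-icmptype 128
    0     0 ACCEPT     ipv6-icmp --  *      *       ::/0                 ::/0                 ipv6-icmptype 128
  500 40000 ACCEPT     all      --  *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED'

# Constructed listing: the ACCEPT sits first, so ping through the router works.
SAMPLE_FIXED='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 ACCEPT     all      --  lo     *       ::/0                 ::/0
   40  3200 ACCEPT     udp      --  br+    *       ::/0                 ::/0                 udp dpt:547

Chain FORWARD (policy DROP 5 packets, 400 bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  1760 ACCEPT     ipv6-icmp --  *      *       ::/0                 ::/0                 ipv6-icmptype 128
  500 40000 ACCEPT     all      --  *      *       ::/0                 ::/0                 state RELATED,ESTABLISHED'

printf '%s\n' "$SAMPLE_STILL_FILTERED" | first_echo_request_rule FORWARD   # DROP 1
printf '%s\n' "$SAMPLE_FIXED" | first_echo_request_rule FORWARD            # ACCEPT 1
```

On the router itself, `ip6tables -vnL | first_echo_request_rule FORWARD` gives the answer directly; a DROP with a non-zero packet count ahead of the ACCEPT is the usual reason a rule that "should have enabled ping" did not.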