DNSMasq: enabled
LocalDNS: enabled
No DNS Rebind: disabled
Query DNS in Strict Order: disabled
Add Requestor MAC to DNS Query: disabled
DNSMasq Options:
Code:
# -- HE IPv6 DNSMasq --
#
# Log the results of DNS queries with EXTRAs
log-queries=extra
# Best to store DNS Cache in file for viewing
log-facility=/tmp/DNSCache.log
# IPv6 DNS Crypt Resolver
server=::1#30
# Reject & Log addresses from upstream nameservers which are in the private IP ranges
stop-dns-rebind
# Increase local DNS queries
cache-size=5000
# IPv6 and RA configuration
enable-ra
# Listen to br0 with the following services
interface=br0
ra-param=br0,60,1800
dhcp-range=br0,::1000,::FFFF,constructor:br0,ra-stateless,ra-names,4h
dhcp-option=br0,option6:dns-server,[::]
dhcp-option=br0,option6:ntp-server,[2001:470:0:50::2]
# Don't fill syslog
quiet-ra
quiet-dhcp
#quiet-dhcp6
Startup Script:
Code:
insmod /lib/modules/`uname -r`/kernel/net/ipv6/sit.ko
sleep 5
HOST6RD=$(nslookup 6rd.comcast.net |grep "Address"|awk '{ print $3 }'|grep -v 192.168.1.1 -m1)
WANIP="$(ifconfig vlan2 | sed -n '/inet /{s/.*addr://;s/ .*//;p}')"
if [ -n "$WANIP" ]
then
V6PREFIX=$(printf ' 2001:55c:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
ip tunnel add tun6rd mode sit ttl 255 remote any local $WANIP
ip link set tun6rd mtu 1280
ip link set tun6rd up
ip addr add $V6PREFIX:0::1/32 dev tun6rd
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::$HOST6RD dev tun6rd
kill -HUP $(cat /var/run/radvd.pid)
fi
echo "interface br0 { \
MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvLinkMTU 1280; AdvSendAdvert on; \
prefix $V6PREFIX::/64 { AdvOnLink on; AdvAutonomous on; AdvValidLifetime 86400; \
AdvPreferredLifetime 86400; }; };" \
> /tmp/radvd.conf
radvd -C /tmp/radvd.conf start
Firewall script:
Code:
# HE-IPv6 Firewall Script
#
# IPv6 GUI only sets up br0, Load missing brX routes
ip addr add 2001:470:CCCC:2::/64 dev br1
ip addr add 2001:470:CCCC:3::/64 dev br2
ip addr add 2001:470:CCCC:4::/64 dev br3
#
# Use OpenDNS IPv6 DNS Servers
echo "nameserver 2620:0:ccc::2" > /tmp/resolv.dnsmasq
echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
#
# Respond to HE Tunnel Server PING
iptables -I INPUT 2 -p icmp -s 66.220.2.74 -j ACCEPT
#
# More IPv6 Configuration
ip6tables -I INPUT 5 -i br3 -j ACCEPT
ip6tables -I INPUT 5 -i br2 -j ACCEPT
ip6tables -I INPUT 5 -i br1 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT
ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT
#
# Force Users to use Encrypted DNS by blocking port 53
ip6tables -I FORWARD -p tcp --dport 53 -j DROP
ip6tables -I FORWARD -p udp --dport 53 -j DROP
2601:cf:8200:1e88::/64 dev br0 proto kernel metric 256 expires 74561sec mtu 1492
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev vlan1 proto kernel metric 256
fe80::/64 dev br0 proto kernel metric 256 mtu 1492
fe80::/64 dev ath0 proto kernel metric 256
fe80::/64 dev ath1 proto kernel metric 256
fe80::/64 dev vlan2 proto kernel metric 256
default dev vlan2 metric 2048
unreachable default dev lo proto kernel metric -1 error -128
ff00::/8 dev eth0 metric 256
ff00::/8 dev vlan1 metric 256
ff00::/8 dev br0 metric 256 mtu 1492
ff00::/8 dev ath0 metric 256
ff00::/8 dev ath1 metric 256
ff00::/8 dev vlan2 metric 256
unreachable default dev lo proto kernel metric -1 error -128
radvdump:
Code:
#
# radvd configuration generated by radvdump 2.16
# based on Router Advertisement from fe80::201:5cff:fe7d:2446
# received by interface vlan2
#
interface vlan2
{
AdvSendAdvert on;
# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag on;
AdvOtherConfigFlag on;
AdvReachableTime 3600000;
AdvRetransTimer 1000;
AdvCurHopLimit 0;
AdvDefaultLifetime 1800;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
prefix 2001:558:4011:6e::/64
{
AdvValidLifetime 604800;
AdvPreferredLifetime 302400;
AdvOnLink off;
AdvAutonomous off;
AdvRouterAddr off;
}; # End of prefix definition
prefix 2001:558:5001:50::/64
{
AdvValidLifetime 604800;
AdvPreferredLifetime 302400;
AdvOnLink off;
AdvAutonomous off;
AdvRouterAddr off;
}; # End of prefix definition
prefix 2001:558:6011:6e::/64
{
AdvValidLifetime 604800;
AdvPreferredLifetime 302400;
AdvOnLink off;
AdvAutonomous off;
AdvRouterAddr off;
}; # End of prefix definition
prefix 2001:558:8000:4c::/64
{
AdvValidLifetime 604800;
AdvPreferredLifetime 302400;
AdvOnLink off;
AdvAutonomous off;
AdvRouterAddr off;
}; # End of prefix definition
}; # End of interface definition
#
# radvd configuration generated by radvdump 2.16
# based on Router Advertisement from fe80::2ac6:8eff:fe9a:7c1e
# received by interface br0
#
interface br0
{
AdvSendAdvert on;
# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag off;
AdvOtherConfigFlag off;
AdvReachableTime 0;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvDefaultLifetime 30;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
AdvLinkMTU 1280;
AdvSourceLLAddress on;
prefix 2601:cf:8200:1e88::/64
{
AdvValidLifetime 86400;
AdvPreferredLifetime 86400;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
}; # End of interface definition
#
# radvd configuration generated by radvdump 2.16
# based on Router Advertisement from fe80::c2c1:c0ff:fe39:2acb
# received by interface br0
#
interface br0
{
AdvSendAdvert on;
# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag off;
AdvOtherConfigFlag on;
AdvReachableTime 0;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvDefaultLifetime 30;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
AdvLinkMTU 1492;
AdvSourceLLAddress on;
prefix 2601:cf:8200:1e88::/64
{
AdvValidLifetime 86400;
AdvPreferredLifetime 14400;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr off;
}; # End of prefix definition
RDNSS 2001:558:feed::1 2001:558:feed::2
{
AdvRDNSSLifetime 10;
}; # End of RDNSS definition
}; # End of interface definition
I have been obtaining code from a few threads and need assistance in aligning them. ...unsure where else to ask at the moment. The IPv4 works great, my goal is to enable the IPv6 to complement the network. ...and feel free to point me another direction to research some more, if that is necessary.
Posted: Tue Jul 18, 2017 14:07 Post subject:
I have a Netgear R7500v2 and have not been able to get IPv6 to work either. Some people mentioned adding ifconfig eth0 promisc to the command line, then it worked for them. It did not work for me.
I hesitated to add any more code to the startup or custom scripts because frankly I did not think they would help.
_________________
Netgear R7800(2), R7500v2(2) WDS, Asus RT-AC68R (2)
2601:cf:8200:1e88::/64 dev br0 proto kernel metric 256 expires 72619sec mtu 1492
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev vlan1 proto kernel metric 256
fe80::/64 dev br0 proto kernel metric 256 mtu 1492
fe80::/64 dev ath0 proto kernel metric 256
fe80::/64 dev ath1 proto kernel metric 256
fe80::/64 dev vlan2 proto kernel metric 256
default via fe80::201:5cff:fe7d:2446 dev vlan2 proto ra metric 1024 expires 1797sec
unreachable default dev lo proto kernel metric -1 error -128
ff00::/8 dev eth0 metric 256
ff00::/8 dev vlan1 metric 256
ff00::/8 dev br0 metric 256 mtu 1492
ff00::/8 dev ath0 metric 256
ff00::/8 dev ath1 metric 256
ff00::/8 dev vlan2 metric 256
unreachable default dev lo proto kernel metric -1 error -128
ip route:
Code:
default via 24.125.192.1 dev vlan2
24.125.192.0/22 dev vlan2 proto kernel scope link src 24.125.194.91
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev br0 proto kernel scope link src 169.254.255.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
# check if exists
if [ -n "$WANIP" ]
then
V6PREFIX=$(printf $PREFIX':%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
ip tunnel add tun6rd mode sit ttl 255 remote any local $WANIP
ip tunnel 6rd dev tun6rd 6rd-prefix $PREFIX::/32
ip link set tun6rd mtu 1476
ip link set tun6rd up
ip addr add $V6PREFIX:0::1/32 dev tun6rd
ip addr add $V6PREFIX:1::1/64 dev br0
ip route add ::/0 via ::$IP6RD dev tun6rd
fi
#start radvd service
radvd -C /tmp/radvd.conf start
firewall script:
Code:
# HE-IPv6 Firewall Script (this is a work in progress)
#
# IPv6 GUI only sets up br0, Load missing brX routes
# ip addr add 2001:470:CCCC:2::/64 dev br1
# ip addr add 2001:470:CCCC:3::/64 dev br2
# ip addr add 2001:470:CCCC:4::/64 dev br3
#
# IPv6 DNS Servers - Google
echo "nameserver 2001:4860:4860::8888" > /tmp/resolv.dnsmasq
#echo "nameserver 2001:4860:4860::8844" >> /tmp/resolv.dnsmasq
#IPv4 Servers - Google
# echo "nameserver 8.8.8.8" >> /tmp/resolv.dnsmasq
# echo "nameserver 8.8.4.4" >> /tmp/resolv.dnsmasq
# Use Comcast IPv6 DNS Servers
echo "nameserver 2001:558:FEED::1" >> /tmp/resolv.dnsmasq
#echo "nameserver 2001:558:FEED::2" >> /tmp/resolv.dnsmasq
# Use Comcast IPv4 DNS Servers
# echo "nameserver 75.75.75.75" >> /tmp/resolv.dnsmasq
# echo "nameserver 75.75.76.76" >> /tmp/resolv.dnsmasq
# Use OpenDNS IPv6 DNS Servers
echo "nameserver 2620:0:ccc::2" >> /tmp/resolv.dnsmasq
echo "nameserver 2620:0:ccd::2" >> /tmp/resolv.dnsmasq
#
# Respond to HE Tunnel Server PING
# iptables -I INPUT 2 -p icmp -s 66.220.2.74 -j ACCEPT
#
# More IPv6 Configuration
# ip6tables -I INPUT 5 -i br3 -j ACCEPT
# ip6tables -I INPUT 5 -i br2 -j ACCEPT
# ip6tables -I INPUT 5 -i br1 -j ACCEPT
# ip6tables -I INPUT 2 -i br+ -p udp --dport 53 -j ACCEPT
# ip6tables -I INPUT 2 -i br+ -p udp --dport 547 -j ACCEPT
#
# Force Users to use Encrypted DNS by blocking port 53
# ip6tables -I FORWARD -p tcp --dport 53 -j DROP
# ip6tables -I FORWARD -p udp --dport 53 -j DROP
DNSMasq script:
Code:
# -- BT IPv6 DNSMasq --
#
# Log the results of DNS queries with EXTRAs
log-queries=extra
# Best to store DNS Cache in file for viewing
log-facility=/tmp/DNSCache.log
# IPv6 DNS Servers - Google
server=2001:4860:4860::8888
server=2001:4860:4860::8844
#IPv4 Servers - Google
server=8.8.8.8
server=8.8.4.4
# IPv4 DNS Servers - Comcast
server=75.75.75.75
server=75.75.76.76
# IPv6 DNS Crypt Resolver
server=::1#30
# expand host names without domains or dots
expand-hosts
# Reject & Log addresses from upstream nameservers which are in the private IP ranges
stop-dns-rebind
# Increase local DNS queries
cache-size=5000
# IPv6 and RA configuration
enable-ra
# Listen to br0 with the following services
interface=br0
ra-param=br0,60,1800
dhcp-range=br0, ::1000, ::FFFF, constructor:br0 ,ra-stateless ,ra-names, 24h
dhcp-option=br0,option6:dns-server,[::]
dhcp-option=br0,option6:ntp-server,[2001:470:0:50::2]
dhcp-option=vendor:MSFT,2,1i
# Don't fill syslog
quiet-ra
quiet-dhcp
#quiet-dhcp6
Providing the following results:
Code:
C:\WINDOWS\system32>tracert -6 ipv6.google.com
Tracing route to ipv6.l.google.com [2607:f8b0:4002:806::200e]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 2601:cf:8200:1e88:2ac6:8eff:fe9a:7c1e
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
Any thoughts what's up? I know I'm really close as it is hitting the router that has a v6 IP address on it. It seems to me that there is an issue with the default gateway that is causing my problem. ...perception?
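Added example, not part of the original post: the startup scripts above build V6PREFIX by feeding the WAN address straight into printf, so a failed ifconfig/sed parse can yield a malformed prefix that is then assigned to interfaces and advertised. The hypothetical helpers `valid_ipv4` and `sixrd_prefix` below check the address first; the sample values are the 2001:55c prefix and the vlan2 address that appear in this thread.

```shell
# Added example, not from the thread: validate the WAN address before
# deriving the 6rd prefix from it.

# valid_ipv4 ADDR: succeed only for four dot-separated decimal octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # safe to split: only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac   # printf would read 0NN as octal
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# sixrd_prefix PREFIX32 WANIP: print the first four groups of the delegated
# prefix (PREFIX32 followed by the IPv4 address in hex), or fail.
sixrd_prefix() {
    valid_ipv4 "$2" || { echo "bad WAN address: '$2'" >&2; return 1; }
    old_ifs=$IFS; IFS=.
    set -- "$1" $2
    IFS=$old_ifs
    printf '%s:%02x%02x:%02x%02x\n' "$1" "$2" "$3" "$4" "$5"
}

# Values taken from the thread: prefix from the first startup script,
# address from the "ip route" output.
sixrd_prefix 2001:55c 24.125.194.91
```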
These rules are no longer needed:
ip6tables -I INPUT 3 -i br0 -j ACCEPT
ip6tables -I FORWARD 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
The only difference is that the DD-WRT default rules rate-limit ping.
Hi,
I'm new to IPv6 (and not an IPv4 expert).
Is an IPv6 firewall now included in standard DD-WRT?
If so, does it block almost everything like a classic IPv4 firewall?
Posted: Wed Jul 25, 2018 4:27 Post subject: Thank you, wub901 and JAMESMTL!
I know this is an old post, but after trying many sources for information on how to enable IPv6 in DD-WRT, this post worked for me. Setting up IPv6 is so easy in stock firmware - it would be nice for DD-WRT to include an easy mode, too, as so many of us (and I am guilty as charged) have been delinquent about familiarizing ourselves with IPv6. So thank you, very much! I had given up on IPv6 for DD-WRT until I saw this.
And in case anyone in my area and on my ISP is facing the same problem, the following line is for Google: