Posted: Sun Nov 15, 2009 9:05 Post subject: IPV6: V24-SP2 Eko Newd, Need Kernel 2.4.37 IPV6 Modules
Hello,
Been an avid reader for the past few days while struggling with this, haven't posted yet. So, hi!, and thanks for the great firmware, you've helped me reduce my network from 3 Cisco appliances and a PBX to just 1 router and a USB hard drive - awesome!
I've been struggling with getting IPV6 working for a week now and have come to the conclusion it is totally working, but I need to insert the kernel modules for NAT before it will "really work".
So, does anyone have the modules for IPV6 on this kernel?
I've tried all of the ones available in the OpenWrt repos and none are compiled specifically for 2.4.37, only patch levels (.1, .2 etc). So, they fail to load, saying they are compiled for another kernel (I think I can force this somehow with insmod, but I don't think that's a very good idea).
I am so close to getting IPV6 working, all I need now is these modules. If there's a specific ip6tables for this kernel that'd be great too, but I've already gotten this working using an OPENWRT package.
I'd prefer not to have to reflash if I can avoid it as I have everything tweaked nicely and haven't had a chance to back it all up yet. Also don't really want to go about setting up a cross compiler environment since I figure a few of you guys already have this done and easy access to it.
Here's the setup info:
Router:
Asus WL-500W
Version:
DD-WRT v24-sp2 (09/30/09) big
(SVN revision 13000M NEWD Eko)
Joined: 24 Aug 2009 Posts: 2070 Location: South Florida
Posted: Sun Nov 15, 2009 9:53 Post subject:
Look at Openwrt's kernel 2.6 firmware for that router. It will provide you with the necessary working drivers...
These newer routers have the capability for kernel 2.6, but the devs probably will not implement the builds due to the fact that 90% of the users on here have older Linksys routers and other models that will not support 2.6..
From what I have hypothesized, they want a "universal" build library that works with most all routers.. _________________ Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
Look at Openwrt's kernel 2.6 firmware for that router.
Hmm. I didn't really want to go to something without a GUI. I travel a lot and my roommate would be screwed if anything happened while I was away and I had to direct him through CLI commands :p
I just upgraded to the latest build of NEWD BIG but the modules still aren't in it, and the kernel is still at the same version so I can't just run with the modules from the openwrt repo :/
Posted: Sun Nov 15, 2009 11:03 Post subject:
You can configure a GUI with Openwrt..it's a bitch though...
Better method:
http://www.dd-wrt.com/wiki/index.php/Development
Cool, I have this setup already with ip6tables as an added package. I think it's broken though (read on..).
I've also tried forcing some modules for 2.4.37.5 that I found but I don't think they are working either.
Using the dev environment doesn't really give me what I need unless I go and build my own firmware - which I think is a little overkill? (judging from the instructions this seems super hard).
Basically I just need the modules package for ipv6, ip6tables, and ping6/tracert6 packages etc but built for 2.4.37 specifically. The closest I found in binary format was "kmod-ip6tables_2.4.37.5-1_brcm-2.4.ipk" but that doesn't work as it's .5 patchlevel.
I also notice that inserting the modules forcefully lets me run ip6tables, but then I get an error with it;
ip6tables v1.3.8: Unknown arg `--syn'
which then also gives me when removed
ip6tables v1.3.8: Couldn't load match `multiport':File not found
So I think some includes are messed up or something for the one I tried installing from openwrt - which isn't really a surprise, but I figured I should give it a shot anyway.
Is there a way to set up a super simple cross compiler environment so I can copy over this basic kernel config, add the IPV6 stuff I need along with ping6, tracert6, ip6tables et al. and compile myself a firmware image? This still seems like a lot of work for probably 200k worth of binaries required.
I see there's lots of interest in ipv6, but not much in "how to make it work" properly amongst the various versions of dd-wrt so I suspect that it's pretty difficult to start creating your own firmware images - at least with what I expect from the community for this type of thing.
I'm also in need of an ip6_tables kernel module for version 2.4.37 (eko build 13577). I don't really want to download a complete SDK and source trees to compile just one module.
Ok... tried everything and it appears that the only way I can stop packets from going thru is to set the FORWARD policy to DROP or with a rule that drops everything coming in from ipv6.
Every time I try to use "-p tcp" it allows everything in.
Didn't try udp, but at least looks like "-p tcp" isn't filtering anything at all.
It's been a day and it still works ok so I'll just share my setup.
DD-WRT v24-sp2 (06/09/10) std-nokaid-nohot-nostore
(SVN revision 14583M NEWD Eko) on a WRT54gL v1.0
Installed some ipkg packages:
ip6tables_1.3.8-4.1_mipsel.ipk
iputils-ping6_20071127-1_mipsel.ipk
iputils-traceroute6_20071127-1_mipsel.ipk
and my own ip6tables modules compiled from source.
I have a script (ip6t.sh) that is called by the other scripts to set up some common variables.
Some stuff isn't really needed but I was testing different module versions and it was easier this way:
Then I have 2 scripts that are called from rc_startup and rc_firewall and since I'm a bit paranoid the startup script actually calls the firewall script before enabling the ipv6 forwarding.
The "for" loop in the startup script loads all ip6tables modules. Most are probably not needed but since I'm not sure which ones I'm loading all of them:
ipv6_startup.sh:
Code:
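#!/bin/sh
# Load the IPv6 stack, then the shared variables used below (e.g. $IP6VER)
insmod ipv6
. /jffs/ip6t.sh
# Load every ip6tables module found for this version
for i in `ls -1 /jffs/lib/modules/$IP6VER`
do
    insmod /jffs/lib/modules/$IP6VER/$i
done
# 6in4 (sit) tunnel to the tunnel broker; addresses are redacted placeholders
ip tunnel add he-ipv6 mode sit remote xxx.xxx.xxx.xxx local yyy.yyy.yyy.yyy ttl 64
ip link set he-ipv6 up
ip addr add 2001:470:zzzz:zzz::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
# Address from the routed prefix on the LAN bridge
ip addr add 2001:470:wwww:www:200:00ff:fe00:0000/64 dev br0
# Install the firewall rules before forwarding is switched on
/jffs/ipv6_firewall.sh
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# Advertise the prefix to LAN hosts
radvd -C /jffs/radvd.conf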
The firewall script allows some ports I use for torrent and other stuff and then drops everything else:
ipv6_firewall.sh:
Code:
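#!/bin/sh
. /jffs/ip6t.sh
# insmod already performed on startup
# Flush all chains in the filter table
ip6tables -F
# TCP from the tunnel: accept new connections to the listed ports, drop all other SYNs
ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -m multiport --dports aaaa,bbbb -j ACCEPT
ip6tables -A FORWARD -p tcp -i he-ipv6 --syn -j DROP
# UDP from the tunnel: accept the listed ports, drop the rest
ip6tables -A FORWARD -p udp -i he-ipv6 -m multiport --dports aaaa,bbbb,domain,ntp -j ACCEPT
ip6tables -A FORWARD -p udp -i he-ipv6 -j DROP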
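The startup script above turns forwarding on whether or not the firewall script succeeded, so an ip6tables error like the `--syn` or `multiport` failures reported earlier in the thread would leave the tunnel forwarding unfiltered. The following is an added example, not the poster's code, that enables forwarding only when every rule loads and otherwise falls back to a blanket DROP policy. The `IP6T`, `FWD_FLAG` and `WAN_IF` variables, the function names and the port numbers are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around the FORWARD rules posted above.
# IP6T and FWD_FLAG can be overridden to dry-run the logic with a stub.
IP6T="${IP6T:-ip6tables}"
FWD_FLAG="${FWD_FLAG:-/proc/sys/net/ipv6/conf/all/forwarding}"
WAN_IF="${WAN_IF:-he-ipv6}"
TCP_PORTS="${TCP_PORTS:-6881,6882}"          # constructed sample ports
UDP_PORTS="${UDP_PORTS:-6881,6882,53,123}"   # constructed sample ports

# Load the four FORWARD rules from ipv6_firewall.sh, stopping at the
# first command that ip6tables rejects.
load_forward_rules() {
    $IP6T -F FORWARD || return 1
    $IP6T -A FORWARD -p tcp -i "$WAN_IF" --syn -m multiport \
          --dports "$TCP_PORTS" -j ACCEPT || return 1
    $IP6T -A FORWARD -p tcp -i "$WAN_IF" --syn -j DROP || return 1
    $IP6T -A FORWARD -p udp -i "$WAN_IF" -m multiport \
          --dports "$UDP_PORTS" -j ACCEPT || return 1
    $IP6T -A FORWARD -p udp -i "$WAN_IF" -j DROP || return 1
}

# Enable forwarding only if every rule loaded. On any failure, set the
# FORWARD policy to DROP and keep forwarding switched off.
start_ipv6_forwarding() {
    if load_forward_rules; then
        echo 1 > "$FWD_FLAG"
        return 0
    fi
    echo "ip6tables rule failed to load; IPv6 forwarding left disabled" >&2
    $IP6T -P FORWARD DROP 2>/dev/null
    echo 0 > "$FWD_FLAG"
    return 1
}
```

A zero exit status only shows that ip6tables accepted the rules; whether they actually match traffic still has to be confirmed from outside the tunnel.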
Has anyone tried the latest kmod package? It targets kernel 2.4.37 (which is the same as the one in the EKO build), although it's at a different patch level (.9). The ip6table/iputils are newer too.
2. The following modules only appear in the new version of the package:
ip6table_raw.o - A port of the IPv4 raw table to IPv6
ip6t_REJECT.o - Packet rejection target for IPv6
3. The following module still exists in both the old and the new version, but is not compiled and included by default in the new version:
ip6t_ah.o - IPv6 IPsec-AH match
My impression is that the newest version of the IPV6 code underwent some big refactoring and the contents of many files were deleted and probably integrated in other files (along with bug fixes, maybe?)
I'm going to install the newest version of these packages sometime this week and write back on this thread with my findings.