After playing around with the scripts for a while, I was able to get IPv6 running on the WRT54GS v1.1 I just got today. The 6to4 tunnelling works; I just had to remember to change "vlan2" to "vlan1", which was the final piece of the puzzle. The wiki and posts in this thread were invaluable.
I'm still a little concerned something is missing though. Every step seems flawless - ipkg is there and has a config file to work from, 192.88.99.1 pings alright, typing http://[<IPv6 address>] into a browser is fine, radvdump returns regular adverts, whatsmyipv6address.net will find both IPv4 and IPv6 addresses and ping them without trouble - but the final line of ip -6 route show is:
Code:
unreachable default dev lo proto none metric -1 error -128
Doesn't seem to affect the IPv6 abilities beyond my limited abilities to test them, but it does concern me.
Now that it seems my home network is IPv6 compliant... what exactly can I do with it? Apart from running searches with IPv6 Google, of course.
Posted: Sat Aug 21, 2010 15:17 Post subject:
Why does this have to be such a pain in the ass? My ISP just rolled out IPv6 (DOCSIS 3.0 test group) with a system-wide rollout in October. Is there going to be a GUI menu etc. put in at some point so you don't have to do all this scripting stuff? It would be nice for it to just work out of the box with IPv6 DHCP or 6to4.
# AICCU doesn't set up the tunnel properly but it will maintain the heartbeat for you
/usr/sbin/ntpclient -s -h pool.ntp.org
aiccu start /jffs/etc/config/aiccu
# For each subnet you are routing, add one of these lines:
ip -6 addr add 'Your Subnet'/64 dev br0
# Start IPv6 forwarding on the router
/bin/echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
radvd -C /tmp/radvd.conf
Posted: Sat Sep 04, 2010 12:57 Post subject: struggling with HOW the scripts work...
I have two WRT54GL-TMs, and have been trying to get IPv6 working with the Hurricane Electric tunnel account I have had for some time...
When I initially got the routers, they had DD-WRT on them, and they replaced my WRT54GLs.
Since I now have routers that should be able to take advantage of the service, I have spent the last couple of days trying to get it all set up...
One of the routers has DD-WRT v24-sp2 (08/12/10) mega (SVN revision 14929), the other an older build...
(concentrating on this one, and will upgrade the other one once this one is working)
I am trying to figure out the radvd and startup scripts for the 2.6 kernel to get the HE IPv6 tunnel going.
I am not really wanting to set up 6to4, and am kind of confused by the tutorials I see as to what needs to be done in which instance, i.e. is 6to4 needed for just the HE tunnel? Is radvd? (It is not posted in the wiki entry in the HE section.)
The script posted at the beginning of this thread shows that it is for SixXS and HE, but while going through the script to reconfigure it for my HE info, it is not clear what is for SixXS and what needs to be there for HE only... everything really looks like it is for SixXS only... and I applied for that tunnel tonight...
Posted: Sun Sep 05, 2010 7:56 Post subject: Re: struggling with HOW the scripts work...
Same here. I'm trying to get a working HE tunnel on the 2.6 kernel.
The HE tunnel is 6to4. Currently you have an IPv4 address, and to be able to surf the IPv6 internet you need a 6to4 tunnel. RADVD is needed for that. But I could be mistaken.
The script at the beginning is almost useless for HE except for the firewall rules. Don't use ip6tables rules, because there is no way to get ip6tables to work on k26. That means no firewall on IPv6 yet.
Here is my RADVD config:
change prefix to the value "Routed /64" on your HE account details.
And my startup config
Code:
insmod /lib/modules/`uname -r`/kernel/net/ipv6/sit.ko
sleep 5
radvd -C /tmp/radvd.conf start
sleep 5
WANIP=$(ip -4 addr show dev ppp0 | grep 'inet ' | awk '{print $2}' | cut -d/ -f1) # change if you're not pppoe user
if [ -n "$WANIP" ]
then
V6PREFIX=$(printf '2002:%02x%02x:%02x%02x' $(echo $WANIP | tr . ' '))
ip tunnel add he-ipv6 mode sit ttl 255 remote any local $WANIP
ip link set he-ipv6 mtu 1480
ip link set he-ipv6 up
ip addr add $V6PREFIX:0::1/16 dev he-ipv6 # not sure about that string
ip addr add $V6PREFIX:1::1/64 dev br0
ip -6 route add 2000::/3 via ::74.82.42.42 dev he-ipv6 # change to anycasted nameserver
kill -HUP $(cat /var/run/radvd.pid)
fi
sleep 10
radvd -C /tmp/radvd.conf start
sleep 5
MY_TUNNEL_ADDR="2001:470:1f08:de6::2" # change me to client IPv6 address
MY_ROUTED_ADDR="2001:470:1f09:de6::" # change me to Routed /64 w/o /64
echo "External IP:" $WANIP > /tmp/startup.debug
if [ -n "$WANIP" ]   # quoted: an unquoted empty $WANIP makes "[ -n ]" succeed
then
echo "configuring tunnel" >> /tmp/startup.debug
# The following commands are straight from HE's website, linux-route2 config
ip tunnel add he-ipv6 mode sit remote 216.66.80.26 local $WANIP ttl 255
ip link set he-ipv6 up
ip addr add $MY_TUNNEL_ADDR/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
# These commands aren't on HE's website, but they're necessary for the tunnel to work
ip -6 addr add $MY_ROUTED_ADDR/64 dev he-ipv6
ip -6 addr add $MY_ROUTED_ADDR/64 dev br0
ip route add 2000::/3 dev he-ipv6
echo "starting radvd" >> /tmp/startup.debug   # log file, not the radvd config
radvd -C /tmp/radvd.conf &
fi
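The V6PREFIX line in the script above builds the 6to4 prefix straight from the WAN address without checking it first. This added example (not code from the thread) does the same derivation inside a function that rejects malformed and non-global IPv4 addresses, since a 6to4 prefix built from a private address can never be reached by a relay; the helper names sixto4_prefix, valid_ipv4 and non_global_ipv4 are my own.

```shell
#!/bin/sh
# Added example: derive the 6to4 prefix (RFC 3056) from a public IPv4
# address, with the input checks the startup scripts above leave out.
# sixto4_prefix is a hypothetical helper name; it prints 2002:xxxx:xxxx::
# on success and prints nothing, returning 1, for bad or non-global input.

# 0 if $1 is a well-formed dotted quad (exactly four octets, each 0-255).
valid_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 0 if $1 cannot be a 6to4 endpoint: RFC 1918, loopback, link-local and
# "this network" addresses are not globally routable, so no relay could
# ever send traffic back to the 2002: prefix built from them.
non_global_ipv4() {
    case "$1" in
        10.* | 127.* | 0.* | 169.254.* | 192.168.*) return 0 ;;
        172.1[6-9].* | 172.2[0-9].* | 172.3[01].*) return 0 ;;
    esac
    return 1
}

sixto4_prefix() {
    valid_ipv4 "$1" || return 1
    non_global_ipv4 "$1" && return 1
    # 2002:AABB:CCDD:: where AA.BB.CC.DD is the IPv4 address in hex,
    # the same arithmetic as the V6PREFIX= line in the scripts above.
    printf '2002:%02x%02x:%02x%02x::\n' $(printf '%s' "$1" | tr . ' ')
}

# On the router: sixto4_prefix "$WANIP" || echo "WAN address unusable for 6to4"
sixto4_prefix 203.0.113.5   # constructed address; prints 2002:cb00:7105::
```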
Posted: Tue Sep 14, 2010 1:16 Post subject: IPv6 on Client Mode
I have been having a lot of problems implementing the IPv6 protocol. My router is currently a wireless client, and I want to assign an IPv6 tunnel to the router itself, since I would like to be able to connect my router to IPv6 servers. Is there a simple method to assign IPv6 to my router that would work? So far none of the methods have worked.
Posted: Tue Sep 14, 2010 19:44 Post subject: How to test ipv6 firewall
Hi,
I own a Netgear WNR3500L router and installed dd-wrt.v24-14896_NEWD-2_K2.6_std_usb_ftp.bin on it.
Since I couldn't find the ip6tables kernel modules I compiled them for 2.6.24.111. Additionally I installed the ip6tables_1.3.7-1_mipsel.ipk found in Kamikaze 7.09.
Now I'm able to use the startup script as found in this thread (modules ip6_tables, ip6table_filter and ip6t_rt are loaded and ip6tables shows what I expect to be there). But how can I test that the rules work?
It seems that ip6tables won't complain if there is no matching kernel module for an ip6tables module. $ ip6tables -m rt --help shows the help of the 'rt' module even if I unload this module. Is this the intended behavior of ip6tables?
Thanx and Cheers,
Thomas
--- output of 'ip6tables -L' ---
rroot@DD-WRN:~# ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all anywhere anywhere rt type:0
--- my startup script ---
# insmod ipv6
# insmod sit
insmod /jffs/lib/modules/2.6.24/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24/ip6t_rt.ko
# The IPv6 prefix (/64) of the tunnel initially assigned to you (including the :.
TUNNELPREFIX="2001:1620:XXXX:XXXX::"
# The IPv4 address of the PoP you're using
SIXXS4="213.XXX.148.XX"
# The Routed IPv6 Subnet (/48 or /64)
TUNNELSUBNET="2001:1620:XXXX::1/64"
# MTU - must match your SixXS tunnel settings and radvd's "AdvLinkMTU" value
MTU=1280
# Which interface are you using? sixxs or he-ipv6? You can keep it to something else but to stay consistent with other scripts, use one of those.
# INTERFACE="sixxs"
INTERFACE="tun0"
# Get the tunnel endpoint addresses
MYTUNNELIP="${TUNNELPREFIX}2"
SIXXSTUNNELIP="${TUNNELPREFIX}1"
# Create tunnel, fix MTU and bring up and configure endpoint
# ip tunnel add ${INTERFACE} mode sit remote ${SIXXS4} ttl 64
ip link set mtu ${MTU} dev ${INTERFACE}
ip link set ${INTERFACE} up
ip addr add ${MYTUNNELIP}/64 dev ${INTERFACE}
# Configure IPv6 endpoint on br0
if [ ! -z "${TUNNELSUBNET}" ]; then   # quoted so an empty value does not break the test
ip addr add ${TUNNELSUBNET} dev br0
# uncomment if you want to manually start radvd instance and not use web interface
/usr/sbin/radvd -C /jffs/etc/radvd.conf start
sleep 5
fi
# Add default routes
# ip route add default via ${SIXXSTUNNELIP} dev ${INTERFACE} metric 1
ip route add 2000::/3 via ${SIXXSTUNNELIP} dev ${INTERFACE} metric 1
# make sure to accept proto-41
iptables -I INPUT 2 -p ipv6 -i vlan2 -j ACCEPT
# uncomment if you are using repeater mode
# iptables -I INPUT 2 -p ipv6 -i eth0 -j ACCEPT
#make sure to not NAT proto-41
iptables -t nat -A POSTROUTING --proto ! 41 -o eth0 -j MASQUERADE
# uncomment if you are using repeater mode
# iptables -t nat -A POSTROUTING --proto ! 41 -o vlan1 -j MASQUERADE
# Set firewall directory and correct path
export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables
# PATH="$PATH":/jffs/usr/sbin
#flush tables
ip6tables -F
#drop invalid
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
#allow common ports
ip6tables -A FORWARD -p tcp -i ${INTERFACE} --syn -m multiport --dports ftp-data,ftp,http,https,ntp,domain -j ACCEPT
ip6tables -A FORWARD -p tcp -i ${INTERFACE} --syn -j DROP
ip6tables -A FORWARD -p udp -i ${INTERFACE} -m multiport --dports ntp,domain -j ACCEPT
ip6tables -A FORWARD -p udp -i ${INTERFACE} -j DROP
# set bash profile of user root
echo "export IP6TABLES_LIB_DIR=/jffs/usr/lib/iptables" >> /tmp/root/.profile
echo "alias ll='ls -l'" >> /tmp/root/.profile
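The --help output comes from the userspace extension library, so it says nothing about whether the kernel side of a match is present; the kernel only checks that when a rule is inserted. As an added example (not code from the thread), this function lists every -m match in a ruleset for which neither ip6t_<match> nor xt_<match> appears in /proc/modules; the function name, the ip6t_/xt_ naming assumption and the sample rule and module lines are mine.

```shell
#!/bin/sh
# Added example: list the "-m <match>" extensions a ruleset uses whose
# kernel module is not loaded. Assumes the 2.6-era naming seen in this
# thread, i.e. match X is provided by ip6t_X or xt_X. Matches compiled
# into the kernel never appear in /proc/modules, so review the output
# rather than treating it as proof of a broken rule.
#
#   $1  ruleset, one rule per line (the format ip6tables-save prints)
#   $2  loaded-module list (the contents of /proc/modules)
missing_match_modules() {
    printf '%s\n' "$1" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "-m") print $(i + 1) }' |
    sort -u |
    while read -r m; do
        printf '%s\n' "$2" | grep -Eq "^(ip6t|xt)_${m}[[:space:]]" || echo "$m"
    done
}

# Constructed sample input: four rules in the style of this thread and a
# /proc/modules excerpt with the multiport module deliberately absent.
SAMPLE_RULES='-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -j DROP'
SAMPLE_MODULES='ip6t_rt 3176 3 - Live 0xc02a0000
xt_state 1568 2 - Live 0xc02a2000
ip6table_filter 2304 1 - Live 0xc02a4000
nf_conntrack_ipv6 19456 3 - Live 0xc02a6000'

# Live use on the router would be:
#   missing_match_modules "$(ip6tables-save)" "$(cat /proc/modules)"
missing_match_modules "$SAMPLE_RULES" "$SAMPLE_MODULES"   # prints: multiport
```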
Posted: Mon Sep 20, 2010 16:09 Post subject: Re: How to test ipv6 firewall
Hi lazytom,
can you post these modules here, so that all users with that kernel can use them?
lazytom wrote:
Since I couldn't find the ip6tables kernel modules I compiled them for 2.6.24.111. Additionally I installed the ip6tables_1.3.7-1_mipsel.ipk found in Kamikaze 7.09.
By the way, if you use a NEWD version with kernel 2.6.x and you are able to compile the kernel modules yourself, you should also compile the connection tracking (conntrack) modules for IPv6. Then you can use stateful packet inspection, which makes more sense than the SYN stuff and also gives you more security.
> post the modules here ...?
Sure, I thought since nobody was really asking for them, everybody had 'em. And compiling them was just following the wiki. Well, with the exception of nf_conntrack_ipv6, which was complaining about JHASH_GOLDEN_RATIO not being defined although the jhash.h file was included (solved that the lazy way)
To be able to compile the modules yourself just follow the Wiki article 'Development', use the config file attached to this post (rename it to .config and copy it to rc/linux/brcm/linux-2.6.23) and make the following change in file
src/linux/brcm/linux-2.6.23/net/ipv6/netfilter/nf_conntrack_reasm.c, line 121:
from
Code:
a += JHASH_GOLDEN_RATIO;
to
Code:
#define JHASH_GOLDEN_RATIO 0x9e3779b9
a += JHASH_GOLDEN_RATIO;
That is of course a very ugly hack. JHASH_GOLDEN_RATIO is defined in <linux/jhash2.h> and nf_conntrack_reasm.c does include it. The question is why it doesn't find that definition.
I just tried loading nf_conntrack_ipv6 which went fine. Didn't manage to load the xfrm6... though (requirements?)
Of all of them you probably won't need ipv6.ko and sit.ko since they are already included in the DD-WRT build. Or is there a reason to choose the above over the stock DD-WRT ones?
And maybe someone can create an ipk file out of them? And upload them to a more easily accessible place?
> Then you can use stateful packet inspection, which makes more sense
> then the syn-stuff and also gives you more security.
Can you explain that a bit? I'm a n00b at IPv6 (and IPv4, although I understand the principles). Which of the modules do you refer to with 'syn'?
Cheers,
Thomas
[update]add what to do with the kernel config file[/update]
Posted: Thu Sep 23, 2010 21:40 Post subject: Re: How to test ipv6 firewall
Hi lazytom,
thank you for posting the modules. I tested the ones I need and they work like charm.
So and now let's have a look at the firewall issue.
The mechanism behind the SYN stuff I mentioned is called the TCP state. A connection to a remote host in TCP is initiated in a 3-way handshake: first you send a SYN, then the remote host sends SYN/ACK (if it accepts your connection) and then you send an ACK to commit. The above is true for connection-aware protocols like TCP, but what about the connectionless ones like UDP and IGMP?
At this point connection tracking enters the game. It knows four states, NEW, ESTABLISHED, RELATED and INVALID, and with these four states it keeps track of the connections which go through it. To say it in other words, it integrates the TCP states to keep track of a connection (i.e. of a number of packets which belong together in a way). Beyond this it also recognizes other protocols like UDP.
With the rules you published in this thread you are kind of trapped in your configuration, because you only allow the following port destinations:
But what about a connection to the SMTP port of your e-mail provider or an SSH connection... Wouldn't it be better to allow NEW connections from your local net to all ports on a remote host in the IPv6-enabled net? And allow the RELATED,ESTABLISHED state to travel through your firewall back to your PC.
To give this thread a new direction and also refer to its name, I suggest a new firewall setup for IPv6 (with the help of your modules):
# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
# Prevent being an rh0 type host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP
# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6to4 -s 2002::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2002::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -I FORWARD -i br0 -s 2002::/16 -j ACCEPT
ip6tables -I FORWARD -i tun6to4 -d 2002::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
ip6tables -N AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs
So that's it. I think this should be the updated firewall rules for kernel 2.6 and nf_conntrack_ipv6 enabled routers. By the way I use the 6to4 transition system (I thought about sixxs, but I did not want to install new software on my router).
So there is a question left:
lazytom wrote:
Of all them you probably won't need ipv6.ko and sit.ko since they are already included in the DD-WRT build. Or is there a reason to choose the above over the stock DD-WRT one?
No, I also use the ones included in DD-WRT.
I hope there will be a discussion about my suggestions.
I have a little typo in the script I posted: in the FORWARD section the rules should be appended and not inserted at the first position (because we should drop rh0 packets before we could accept them). So the correct code is:
Code:
# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2002::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2002::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
And the modules which should be loaded are:
Code:
ipv6
sit
ip6_tables
ip6table_filter
nf_conntrack_ipv6
ip6t_rt
Am I missing something here? Just installed dd-wrt.v24_std_generic.bin (13064) on my wrt54g (the router database recommended it) and even though the wiki says radvd is included, it is not.
The version you are using is older than the wiki. I think you should think about updating to a newer one.
lv426