IPv6, 6in4 tunnel - GUI only

From DD-WRT Wiki

Jump to: navigation, search


[edit] Introduction

[edit] What is 6in4 tunnel?

login or register
login or register
Registration form
Registration form
Creating tunnel
Creating tunnel
Tunnel info on IP6 and MTU
Tunnel info on IP6 and MTU

6in4 is an Internet transition mechanism for migrating from Internet Protocol version 4 (IPv4) to IPv6. 6in4 uses tunneling to encapsulate IPv6 traffic over explicitly-configured IPv4 links as defined in RFC 4213 (obsoletes RFC 2893 and RFC 1933).

[edit] 6to4 is not equal 6in4?

No. 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network (generally the IPv4 Internet) without the need to configure explicit tunnels. Special relay servers are also in place that allow 6to4 networks to communicate with native IPv6 networks.

In another words, if you only get IPv4 from your ISP, but you want to be able to reach IPv6 sites, 6in4 is one of your solutions. It is simple and free with a just few of clicks in ddwrt GUI:)

[edit] Setup

First thing you need to do, is to create your account at HE.net IPv6 Tunnel Broker After creating an account, return back to main page to create a tunnel. Choose your nearest location. Click on Host/Identifier: The DNS fully-qualified name of your tunnel, not the numeric Tunnel ID. This is of the form <user>-<index>.tunnel.<tunnel-server>.<datacenter>.ipv6.he.net.

You also need to accept ping (icmp protocol) from HE server to. So save this command as your firewall rule:

iptables -I INPUT 2 -s -p icmp -j ACCEPT

Now, setup your ddwrt and enable radvd as shown on screenshots. Pay attention on MTU (generally wanif MTU - 20). That's all. You are ready to go! You should be able to browse ipv6 sites now. Check your connection with links provided at the bottom of the page.

[edit] Custom settings using DNSMasq or radvd+dhcp6s

If you prefer you can use DNSMasq, for router advertisements, instead of Radvd (disable radvd, dhcp6c and dhcp6s on ipv6 tab). Just put these directives in Additional DNSMasq Options (Services tab of your ddwrt):



interface=br0 specifies interface(s) to DNSMasq to listen on (lan&wlan).

domain=ddwrt,,local Declares the domain "ddwrt" as the domain for all DHCP requests served locally. IP range intention is to constrain hostnames so that an untrusted host on the LAN cannot advertise its name.

enable-ra Enables dnsmasq's IPv6 Router Advertisement feature.

ra-param=br0,10,300 Sets non-default values for router advertisements sent via an interface (br0), interval between router advertisements and the lifetime of the route

dhcp-range=::150,::1EFF,constructor:br0,ra-names,5m Issues IPv6 addresses between ::150 and ::1EFF in response to DHCP requests. The clause, "constructor:br0" directs the configuration to use the network prefix of the ‘br0’ interface as the network prefix for the leased addresses. ra-names enables a mode which gives DNS names to dual-stack hosts.

dhcp-option=option6:dns-server,[::] This way, the relevant global address of the machine running dnsmasq is sent as recursive DNS server. If provided, the DHCPv6 option dns-server is used both for RDNSS and DNSSL in the DHCP reply. For IPv6, [::] means "the global address of the machine running dnsmasq", whilst [fd00::] is replaced with the ULA, if it exists, and [fe80::] with the link-local address. This will make windows machines happy (by default windows sends queries to DNS via ipv6) and router will use IPv4 DNS servers specified in /tmp/resolv.dnsmasq. Very handy if you do filtering via OpenDNS servers.

dhcp-option=option6:ntp-server,[2001:470:0:50::2] Hurricane Electric Public Stratum NTP Server

dhcp-option=option6:domain-search,ddwrt Sends ‘ddwrt’ as the assigned domain to all clients performing DHCP requests.

Setting ddwrt GUI
Setting ddwrt GUI

If you are ipv6 "explorer", and want to experiment with custom radvd and custom dhcp6s configuration to get stateful configuration (required for IPv6 Address Reservations) enable custom for both. This way router will use radvd for advertisements and dhcp6s for assigning leases. You must use both in conjuction. Pay attention not to put these directives below, to "Custom hosts" box. You have to enable Dhcp6s custom and Dhcp6s config box will appear.


option domain-name-servers 2620:0:ccc::2 2620:0:ccd::2;
option refreshtime 900;
interface br0 {
address-pool pool1 3600;
pool pool1 {
range 2001:470:6d:a91::1000 to 2001:470:6d:a91::2000;
# line above is Assigned/Routed Prefix ::1000 to ::2000


interface br0
AdvSendAdvert on;
AdvManagedFlag off;
AdvOtherConfigFlag on;
AdvReachableTime 0;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
AdvSourceLLAddress on;
AdvDefaultLifetime 900;
AdvLinkMTU 1428; # MTU of WAN interface - 20
prefix  2001:470:6d:a91::/64 { #Assigned/Routed Prefix
AdvValidLifetime 86400;
AdvPreferredLifetime 14400;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;

[edit] Troubleshooting


About MTU you can read HERE and HERE Don't go under 1280 because it is the minimum IPv6 packet size.

If your ISP provides you with dynamic IP than you need announce every change on HE. You can use DNS-O-MATIC method or starting public build 28788 (unit with curl ONLY) you can do it from the ipv6 tab within your ddwrt. Just copy Update URL from Advanced tab of the he account and paste it like on the screenshot.

Now, if everything is ok, you should be able to ping ipv6.google from your PC (MS Win) command prompt:

ping -6 ipv6.google.com

If you have problem with your win machines read this

Check your connection:

http://test-ipv6.com http://ipv6-test.com http://test-ipv6.netiter.dk

special thx to JAMESMTL

[edit] If ipv6 only works on router

It seems that the routing is not correctly created when using 6in4.

If you log into the router and pinging ipv6.google.com works but not on other computers in LAN.

Then try run this commands to add routing:

 ip -6 addr add [Assigned / Routed Prefix] dev br0
 ip -6 ro add default via [Tunnel Client IPv6 Address] dev ip6tun

If it works now you can add those lines to startup script under Administration -> Save Firewall.