|This guide DOES not apply to Attitude Adjustment AFTER 12.09, Barrier Breaker or any other upcoming releases. See OpenWrt native IPv6-stack for new documentation.|
| Please make sure that ip6tables is installed and enabled before setting up ipv6 interfaces!
opkg update && opkg install ip6tables kmod-ip6tables && fw restart
Please also see →ipv6.theory for a load of links to IPv6 related documentation.
For this, you need to obtain an IPv6 address from your ISP. Technically this could be a /128 prefix (exactly one IPv6 address), but according to rfc6177 this should be a /64 prefix. You may also get bigger range, like /56 or /48. Within this range you may use all the IPv6 addresses to your liking without any NAT-induced headaches.
Some of the ISPs currently known to support IPv6 to the customer are listed here: ipv6.isp.
In the following example, the assigned prefix is 2001:123:456::/48. Within this prefix, I choose to affect the network 2001:123:456:789::/64 to the internal LAN. The router has the fixed IP 2001:123:456:789::1
When using PPPoEv6, enable ipv6. You may also further reduce the MTU from 1492 to 1452: Experience shows that it prevents many problems. You can try to increase this size, not bigger than 1492.
6in4 is a method to encapsulate IPv6 traffic into an IPv4 tunnel. It is mostly used by tunnel brokers and requires manual configuration.
A very excellent forum topic on the topic of a static 6in4 tunnels is at https://forum.openwrt.org/viewtopic.php?pid=126285
Both resources assume a static prefix, and thus a manual configuration.
The ISP known to use this are:
The package 6in4 must be installed to use this protocol. This package is available in Backfire 10.3.1-rc4 and later.
opkg update && opkg install 6in4
/etc/config/network for static tunneling:
Note: you may want to check that your public IP is matching the IP address on your WAN interface. Details in Static IPv6-in-IPv4 tunnel behind one-to-one NAT.
The example below illustrates a dynamic tunnel configuration for the Hurricane Electric broker with dynamic IP update enabled. The local IPv4 address is automatically determined and tunnelid, username and password are provided for IP update.
/etc/config/network for dynamic tunneling:
In this example configuration:
as of change set 41358
and the following no longer applies
For Hurricane Electric tunnels, the username is NOT the username for tunnelbroker.net. The username is the user id listed on the main page of your tunnelbroker.net account (called the "API Key" elsewhere). The password is the md5 hash of the tunnelbroker.net password. For details, see http://ipv4.tunnelbroker.net/ipv4_end.php
(from notes here protocol.dhcpv6) HE.net has introduced updatekey as default for new tunnels in February 2014.
(from notes here protocol.dhcpv6) although ip6prefix isn't required, sourcerouting, enabled by default, will prevent forwarding of packets unless ip6prefix is specified.
With Attitude Adjustment, once you have added the above interface definition you have to run /etc/init.d/network restart in order to have it effected.
This tunnel, like a VPN, creates a third network interface, called henet in this example. A default IPv6 route using this interface is automatically created when this interface connects successfully.
To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in
To allow 6in4 traffic to always reach your tunnel endpoint, it may be necessary to pass IPv4 protocol 41 traffic with the following firewall configuration stanza:
You will need the ip6tables package for these firewall rules to work. You can run the following command to install this package:
opkg update && opkg install ip6tables kmod-ip6tables
To enable routing of IPv6 traffic through the tunnel, add a static IPv6 address in a valid routed subnet to the local-facing interface.
For Hurricane Electric tunnels, the prefix for the routed subnet is specified in tunnel details page on tunnelbroker.net in the Routed IPv6 Prefixes section, and is formed by incrementing the last digit of the third quad in the tunneling prefix. For example, if the IP address
2001:0db8:1f0a:1359::2/64 is the local IPv6 tunnel endpoint, the local interface would be assigned an address in
2001:0db8:1f0b:1359::/64 subnet, typically
The router must be configured forward packets between the remote and local interfaces. See the Enable Routing section. The forwarding is enabled by default in trunk, but must be manually enabled in Backfire.
To forward packets between interfaces, a kernel-level setting must be enabled. To enable packet forwarding, edit /etc/sysctl.conf
And uncomment the following line in /etc/sysctl.conf:
The line should look like this:
Now restart sysctl to apply the new setting.
/etc/init.d/sysctl restartTo verify the setting has been applied, issue the following command:
cat /proc/sys/net/ipv6/conf/all/forwardingshould return
2001:0db8:1f0b:1359::1in the example configuration).
(Note: This section lack the 6rd example, so this is for 6to4)
6to4 is a translation mechanism to transform ipv6 packets into IPv4, and back, using specific relay servers.
6rd (rapid deployment) is similar to 6to4 with some restrictions for large ISP routing. However it is only supported in kernel superior or equal to 2.6.33 due to specific routing scheme.
In order for 6to4 to work, you need to install the package 6to4 and kmod-sit available from 10.03.1-rc4.
opkg install 6to4 kmod-sit
If, like me, you are working with 10.03, you can still install by downloading the package from the newer source.
Replace brcm47xx with the architecture you are working with.
For this connectivity mechanism, a third "interface" is created which will become the default outgoing interface for IPv6 packets.
An example of /etc/config/network for the ISP "Qfast.nl", or any ISP for that matter, may be:
Although there are many more options, most of those (like ipaddress and the advertising interface) are configured automatically by default. Just check out /etc/config/network and search for the paragraph 6to4.
radvd and your lan interface is configured automatically by default by taking the lan interface and a /64 prefix of the external IP-range to be routed on.
All you need to do is change the
ignore 1 on the interface to
ignore 0. Also remember to enable radvd (
/etc/init.d/radvd enable) before doing
ifup on the 6to4 interface. Otherwise the auto configuration of radvd will fail.
My /etc/config/radvd looks as follows:
To apply IPv6 firewall rules to the tunnel interface, add it to the "wan" zone in /etc/config/firewall:
Add the following rules to your /etc/config/firewall to allow incoming encapsulated IPv6 packets:
This can also be done via the LuCI webinterface.
(note: option 'target' 'DROP' stealthed the tunnel; did this along along with dropping UDP and ICMP on the UCI firewall configuration)
rem: In my configuration, lan interface did not obtain global ipv6 address automatically, while computers in lan did. Because of this ipv6 sites were available when accessing from router, but were inaccessible from lan. Manually adding global ipv6 address to lan interface solved this issue. For example:
ifconfig lan-br 2002:a5a6:2131:1::1/64for 2002:a5a6:2131::1/16 6rd address
hejnm1am: You need to install package 'ip' to fix this. See https://dev.openwrt.org/ticket/14420. Either install 'ip' package or change line 163 in /lib/netifd/proto/6to4.sh to use ifconfig.
The packages gw6c and kmod-sit must be installed to use this protocol (e.g.:
opkg update && opkg install gw6c kmod-sit).
gw6c is configured through a specific config file: /etc/config/gw6c.
First create a free account on freenet6 here then procede to fill gw6c configuration file on your router.
The example below assumes the user have an account, required to redistribute a prefix on a LAN. The userid/passwd fields must be filled with the above registration credentials.
When installed the program gw6c takes care of a lot of details itself, including radvd configuration : In this case, manual radvd configuration is not requiered: The /etc/config/radvd must be kept disabled.
Start Gateway6 client with the following command:
Auto-start after Openwrt booted up:
restart to load the latest config file.
Firewall (Barrier Breaker): ip6tables does not allow traffic to be forwarded from lan to wan by default (see this forum topic). To get around this, you can insert the following line into
/etc/firewall.user (or via Luci Firewall → Custom Rules)
ip6tables -I FORWARD -o sit1 -j ACCEPT
Untested - Please correct as needed
In newest ATTITUDE ADJUSTMENT dependencies might be broken. You might have to check manually if the Packet kmod-sit gets instaleld. If it is missing radvd startscript will fail: INTERFACE_SETUP_FAILED.
The NAT64 is one technique to provide to the user a routable ipv6 while using a NAT technique to keep access top IPv4 websites (The client may NOT have a routable IPv4 anymore).
Some ISP are experimenting this: AAISP (UK)
to be completed - please help ?
Some ISPs use so-called
'softwires' to provide IPv6 connectivity (e.g. SFR in France). It's basically L2TP + PPP on top of IPv4, see ipv6.softwire.
Once IPv6 works on the router, it is necessary to spread it on the internal network. Multiple methods are possible, from static routing to auto-configuration. For the latter, two options described below exist. Note that when using static WAN connection, you need to add lines
option accept_ra 1 option send_rs 0
config interface wan section of your /etc/config/network.
To begin with, install RADVD with:
opkg update && opkg install radvd
The simplest case is static IPv6 affectation:
This configuration is sufficient to enable radvd on the router, and broadcast auto-configuration announces (default routes and dns servers) to the clients on LAN.
The MTU specified MUST be identical to the one set in the
/etc/config/network section, if provided. If you're connecting through a tunnel, ensure that your MTU matches that of your tunnel. Otherwise, do not provide it.
Don't forget to enable radvd at boot. You can do this in the LuCI web interface at Administration → Services → Initscripts. Look for radvd and check whether it is enabled. To enable radvd at boot and to start radvd right now without rebooting, do
/etc/init.d/radvd enable /etc/init.d/radvd start
use logread to check for start up messages
This shows you how to set up DHCPv6 so that LAN clients have their IPv6 addresses from a pool, instead of concatenating random numbers, or some function of their MAC address, with your prefix.
First, you need to install a DHCPv6 server
opkg update && opkg install wide-dhcpv6-server
Now enable the server in /etc/config/dhcp6s
Then create a config file
/etc/dhcp6s.conf with something like:
This allocates addresses from a pool of 4096 with a lease time of 24 hours.
If you will need static IPv6 (::3000) assigned to host you can specify this with something like:
Where duid is DHCPv6 Client DUID (can be found in Windows at "ipconfig /all" for example).
Finally, you need to change some radvd settings so that it tells clients to use DHCPv6 to get the rest of their settings:
Then restart the services and you're away (hopefully!)
If ps does not show dhcp6s running then you can run it interactively:
|dhcp6s -s /etc/dhcp6s.conf -d -f -D br-lan|
(where br-lan is your local lan interface). Things to check include:
|This feature is new and not yet supported by UCI. You will need Attitude Adjustment to make this work.|
We can use DHCPv6 enabled version of
dnsmasq-dhcpv6 you will replace
wide-dhcpv6-server, depending on your current configuration.
opkg remove dnsmasq opkg update && opkg install dnsmasq-dhcpv6
Once we have
dnsmasq-dhcpv6 installed we need to enable router advertisement and choose in what mode we want to configure clients. For details on modes, see dnsmasq man page. The modes are:
Since there is not UCI support yet, we have to add the configuration manually to
/etc/dnsmasq.conf file. Configuration in this file is merged with the UCI generated config.
dhcp-range option defines IPv6 prefix used by clients and configuration mode, here
ra-names (SLAAC). Last line enables router advertisement.
2001:0db8:1f0b:1359:021d:baff:fe06:3764in case your client's MAC address is
2001:0db8:1f0b:1359::/64network. You need to make accept rule in the firewall. Note that despite you have no problem to
ping fe80::021d:baff:fe06:3764%br-lan, you still have to create the accept rule for the mentioned network.
To see if it works, follow these steps:
dnsmasqobtained the ping confirmation, and thus was able to add AAAA record to its DNS cache.
logread | grep "SLAAC-CONFIRM"
Jul 1 12:00:00 openwrt daemon.info dnsmasq-dhcp: SLAAC-CONFIRM(br-lan) 2001:0db8:1f0b:1359:021d:baff:fe06:3764 pc
It can help you, if your ISP give you /64 IPv6 address and radvd,dhcpv6 useless for you. Original idea by user (diway) from openwrt forum This method idea is: bridge wan and lan with filter ipv6 packets options, for direct resolve your adress from provider(ISP).
1. At first determine your WAN interface device name, and correct comands below(change eth0.1 to your WAN device name). Edit /etc/init.d/network, at end of start() section add thoose lines:
2. At /etc/config/network, make thoose:
Add this on the "config interface lan" section
Add this on the "config interface wan" section
3. At /etc/config/firewall, make thoose:
Add this to the "config defaults" section
4. At /etc/sysctl.conf, make thoose:
Add this at the end to enable firewalling on ipv6 even for bridged interfaces
5. If you need IPv6 firewalling ONLY! First install:
Then correct comands below(change eth0.1 to your WAN device name). At /etc/firewall.user, add thoose lines:
That's all, reboot your router. After check your LAN PCs and roters WAN ipv6 address.
If you can do a succesful
ping6 ipv6.google.com from the router, then obviously your DNSmasq succesfully queries the IPv6 address, and you have IPv6 connectivity.
Though, if you can't do the
ping6 above, though you can do a
ping6 [2a00:1450:8002::93], then your DNSmasq (or the server from which it queries) does not succesfully query the IPv6 addresses, and you need to fix this problem.
(Using an intermediate machine to contact IPv4-only servers)
TAYGA is an out-of-kernel stateless NAT64 implementation for Linux that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel.
First, install tayga:
opkg update && opkg install tayga
Now, create NAT64 interface:
where 192.0.2.0/24 is your dynamic pool, 64:ff9b::/96 is "unused /96 prefix" and 2001:db8:1::/64 is your IPv6 prefix used in LAN.
Don't forget to add this interface to LAN firewall zone.
ifup tayga && ping6 64:ff9b::18.104.22.168
DNS64 is a special mechanism, that returns AAAA records for hosts that only have A records. ATTENTION! This breaks DNSSEC!
ISC bind supports DNS64 since version 9.8.0.
opkg update && opkg install bind-server bind-host
Modify default configuration (/etc/bind/named.conf):
# /etc/init.d/bind restart
Point your resolver to 127.0.0.1 (or ::1) and try it:
Normal AAAA records are returned for hosts that have it and translated ones for those who don't.
Privacy extensions are enabled by default. Correct working of some services sometimes require disabling part or all privacy extensions.
With this settings the Windows client will obtain modified EUI-64 global unique address, while it will also generate global temporary IPv6 address. This is recommended setup, because you only make public your MAC address, but your privacy is retained (you won't be easily traceable by your IP).
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 show global store=active netsh interface ipv6 show global store=persistent
This settings disables all privacy extensions. Your global unique IPv6 address will be generated using modified EUI-64 method and your global temporary IPv6 address will be disabled. Your MAC address is made public and you will be easily traceable.
netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 show privacy store=active netsh interface ipv6 show privacy store=persistent
| Warning No1: There is no NAT in IPv6. While NAT was never intended as a security feature, it did nonetheless serve as one, because unless you specified portforwardings the ports were unavailable. However, the same level of security can be achieved by setting the policies to DROP and inserting
|Warning No2: IPv6 specs demand, that Path MTU Discovery is working correctly because a packet fragmentation is not being performed! So if you configure your packet filter like an imbecile and drop all ICMPv6 packets without distinguishing, you will break this functionality and funny things will occur! Cf. → RFC4890 – ICMPv6 Filtering Recommendations|
ip6tables -A FORWARD -i br-lan -j ACCEPT ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ip6tables -A FORWARD -j REJECT